{"id":33971,"date":"2024-05-18T00:01:40","date_gmt":"2024-05-17T22:01:40","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33971"},"modified":"2024-05-18T10:50:16","modified_gmt":"2024-05-18T08:50:16","slug":"windows-10-what-generates-masses-of-mat-debug-log-files","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/05\/18\/windows-10-what-generates-masses-of-mat-debug-log-files\/","title":{"rendered":"Windows 10: What generates masses of mat-debug*.log files?"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/05\/18\/windows-10-was-erzeugt-massenhaft-mat-debug-log-dateien\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]I'm posting another topic here on the blog that a reader asked me about at the beginning of May 2024. He notes that the Defender Core service under Windows 10 Pro was started unexpectedly just over a month ago. Since then, the reader's Temp folder has been flooded with files with the pattern mat-debug*.log. There seems to be no configuration option. During a brief internet search, however, I found that these log files have been discussed in various scenarios since 2019. I am interested to know if anyone else has made this observation.<\/p>\n<p><!--more--><\/p>\n<h2>The Microsoft Defender Core service<\/h2>\n<p>An overview can be found in <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/microsoft-defender-antivirus-windows\" target=\"_blank\" rel=\"noopener\">this support article<\/a> from Microsoft. 
According to <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/microsoft-defender-core-service-overview\" target=\"_blank\" rel=\"noopener\">this support article<\/a>, the Microsoft Defender Core service was released to improve endpoint security and support the stability and performance of Microsoft Defender Antivirus. The Microsoft Defender Core service will be released with Microsoft Defender Antivirus platform version 4.18.23110.2009. Microsoft has published the following dates for the rollout.<\/p>\n<ul>\n<li>November 2023 to present to customers in advance (i.e. a preview).<\/li>\n<li>Mid-April 2024 for enterprise customers running Windows clients.<\/li>\n<li>Mid-June 2024 for US government customers running Windows clients.<\/li>\n<\/ul>\n<p>The timeline is important for understanding the reader observations that follow. Microsoft states that enterprise customers should allow the following URLs because the Defender Core service communicates with these URLs.<\/p>\n<p><code>*.endpoint.security.microsoft.com<\/code><br \/>\n<code>ecs.office.com\/config\/v1\/MicrosoftWindowsDefenderClient<\/code><br \/>\n<code>*.events.data.microsoft.com<\/code><\/p>\n<p>The Microsoft support article contains further information on URLs that are used to communicate if you do not want to allow wildcard URLs.<\/p>\n<h2>A process generates .log files<\/h2>\n<p>A blog reader contacted me by email on May 3, 2024, and wrote that \"about a month ago, the Defender Core service started unexpectedly on the Win10Pro.\" The reader suspects that this was done by the OneSetting service. The vague statement \"about a month ago\" is roughly in line with the Microsoft rollout dates above.<\/p>\n<p>The reader noticed the whole thing because mat-debug****.log files suddenly appeared in the Temp folder. According to the blog reader, apart from the policy for the OneSetting service, no configuration is possible with regard to these log files. 
The [service] is not active on a computer that is not connected [to the Internet], the reader wrote in his email. He suspects an \"Experimentation Configuration Service\" that Microsoft is unleashing on users.<\/p>\n<p>However, I found the section <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/microsoft-defender-core-service-overview#use-powershell-to-update-the-policies-for-microsoft-defender-core-service\" target=\"_blank\" rel=\"noopener\">Use PowerShell to update the policies for Microsoft Defender Core service<\/a> in the Microsoft support article, where you can study various policies for configuring the Core service. You can disable telemetry and the Core Service ECS integration. <strong>Addendum:<\/strong> I finally found a post <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/mat-debug-created-by-ms-defender-on-w11-in-temp\/587a115e-2ab5-4160-89ba-6b508b569b7c\" target=\"_blank\" rel=\"noopener\">mat-debug created by MS Defender on W11 in Temp folder &#8211; HELP!<\/a> on MS Answers from May 17, 2024, mentioning the same observation &#8211; Defender creates the mat-debug***.log files.<\/p>\n<h2>Old sources on the web<\/h2>\n<p>I searched the internet for <em>mat-debug<\/em> log files. The first hits in the Microsoft Answers forum can be found as early as 2019 (see <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/mat-debug-xxxxlog-files-in-temp-folder\/955f105f-2eee-4f9b-96b3-e6433d051d46\" target=\"_blank\" rel=\"noopener\">mat-debug-xxxx.log files in temp folder<\/a>), where it is stated that the files have a length of 0. There is also a post <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/mat-debug-xxxxlog-files\/8875d070-62f9-429b-b3e1-9a6e006c45be\" target=\"_blank\" rel=\"noopener\">mat-debug-xxxx.log files<\/a> in the Microsoft Answers forum from 2020 that deals with these files. 
So it cannot be exclusively related to the Defender Core service that the log files suddenly end up in the blog reader's temp folder. In both Microsoft Answers forum threads linked above, there is a note (see here) that the user should reinstall the graphics driver. The effect is caused by an unsigned driver.<\/p>\n<p>From December 2023 there is the Microsoft Answers forum thread <a href=\"https:\/\/answers.microsoft.com\/en-us\/msteams\/forum\/all\/whats-the-purpose-of-mat-debug-log-files-created\/258e3d8c-e124-4718-8ec3-17641e27d016\" target=\"_blank\" rel=\"noopener\">What's the purpose of mat-debug-*.log files created by msteamsupdate.exe<\/a>, in which the Microsoft Teams update process is named as the cause. The thread starter states that he found out via Process Monitor that the .log files are written by <em>msteamsupdate.exe<\/em> and <em>ms-teamsupdate.exe<\/em>.<\/p>\n<p>There is also <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/mat-debug-log\/\" target=\"_blank\" rel=\"noopener\">this thread<\/a> on askwoody.com, which shows that the log files are written when an update goes wrong. OneDrive and Microsoft Office were mentioned. Susan Bradley <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/mat-debug-log\/#post-2337986\" target=\"_blank\" rel=\"noopener\">blames the OfficeHub<\/a>. However, the findings on the Internet are not really satisfying. 
Hence the question: Has anyone else found these log files in their Windows temp folder or user profile, and does anyone know the cause?<\/p>\n<h2>Created by MS Tools, Apps and Services<\/h2>\n<p><strong>Addendum:<\/strong> A blog reader posted some answers from AI bots below, explaining the purpose of the log files (fun fact: If I ask bing.com with Copilot, the answer quotes my German blog post with the content provided above).<\/p>\n<p>The first comment below says: The mat-debug*.log files in Windows 10 are generated by the Microsoft Application Compatibility Toolkit (MAT) when it is used to diagnose and troubleshoot compatibility issues with applications running on the Windows operating system. However, the MAT is not offered for Windows 10. But there seems to be a successor tool for Windows 10 and Windows 11, which developers at Microsoft and other software manufacturers use.<\/p>\n<p>These log files contain information about the problems or errors encountered by \"MS Applications and Services\". Scenarios in which log files are generated:<\/p>\n<ul>\n<li>Performing compatibility tests for specific applications to identify compatibility issues with the Windows operating system.<\/li>\n<li>Analyzing reports of application crashes and creating detailed logs to determine the root cause of the problem.<\/li>\n<li>Gathering information about system configurations, software installations and other factors that may affect application compatibility.<\/li>\n<li>Troubleshooting compatibility issues with older applications or software that is not fully compatible with newer versions of Windows.<\/li>\n<\/ul>\n<p>This also explains why I found different causes for the generated log files. 
And it doesn't look like you can control anything &#8211; the developer has sovereignty over whether log files are generated or not.<\/p>\n<p>Another answer from an AI bot, cited below, says that the temporary mat-debug-####.log files are generated by various Microsoft applications and services under Windows 10.<\/p>\n<p><strong>Similar articles<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2023\/06\/01\/windows-temp-folder-flooded-with-aria-debug-xxx-log-files\/\" rel=\"bookmark\">Windows temp folder flooded with Aria-debug-xxx.log files<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2023\/10\/02\/windows-10-11-edge-fills-up-the-temp-folder-with-edge_bits_xxx-files\/\" rel=\"bookmark\">Windows 10\/11: Edge fills up the Temp folder with Edge_BITS_xxx files<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2023\/06\/08\/windows-temp-folder-flooded-with-host-name-yyymmdd-hhmm-log-files\/\" rel=\"bookmark\">Windows Temp folder flooded with \"computer name-yyyMMdd-hhmm.log\" files<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2023\/03\/23\/windows-login-to-client-in-a-domain-extremely-slow-because-of-temp-files\/\" rel=\"bookmark\">Windows: Login to client in a domain extremely slow because of TEMP files<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]I'm posting another topic here on the blog that a reader asked me about at the beginning of May 2024. He notes that the Defender Core service under Windows 10 Pro was started unexpectedly just over a month ago. 
Since &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/05\/18\/windows-10-what-generates-masses-of-mat-debug-log-files\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[773,47,69,194],"class_list":["post-33971","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-defender","tag-issue","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33971"}],"version-history":[{"count":6,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33971\/revisions"}],"predecessor-version":[{"id":33982,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33971\/revisions\/33982"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}