How to enable Symantec Endpoint Protection (SEP) client debugging that includes WPP logs.
Before enabling SEP Client Debugging, disable Tamper Protection to allow changing the following registry values.
To enable SEP Client Debugging, go to:
- 32-bit: HKLM\Software\Symantec\Symantec Endpoint Protection\DebugLogging
- 64-bit: HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\DebugLogging
*Note: If the DebugLogging key is not present, it will need to be created.
The settings available are:
- (DWORD) Enabled
  - 1 = Logging is enabled.
  - 0 = Logging is disabled.
- (DWORD) DurationMS
  - The duration in milliseconds that logging will be enabled for after SepMasterService starts.
  - The logging begins immediately after the SepMasterService starts and ends when the duration specified is reached or when the MaxFilesizeMB limit is met.
- (DWORD) MaxFilesizeMB
  - The max file size limit in megabytes for each individual log file that is created (currently not supported by VPDebug, so this is only supported by WPP). This setting will need to be increased if the DurationMS value is increased.
  - When the size limit specified is reached, logging will automatically stop.
- (DWORD) MaxFiles
  - The maximum number of old log files to keep before starting a new log.
  - Files are deleted based on the timestamp in their name, so changing the system time can affect the order in which files get phased out.
Add the following recommended registry DWORD values (Decimal) to enable debugging and WPP logging:
- Enabled (1)
- DurationMS (604800000)
- MaxFilesizeMB (800)
- MaxFiles (1)
Due to a current known issue, only 1 WPP .etl file will be generated for the MaxFiles value. The workaround is to increase the MaxFilesizeMB value to something like 800 MB or more if necessary.
The DurationMS value 604800000 allows logging to occur for 1 week. If additional time is necessary to reproduce an issue, DurationMS can be set to 1209600000, which allows logging to occur for 2 weeks. This is the maximum value for DurationMS.
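The registry changes described above can also be scripted. The following PowerShell is an added example, not a Symantec-supplied script; the function name Set-SepDebugLogging is hypothetical, and it assumes an elevated session with Tamper Protection already disabled.

```powershell
# Added example (not Symantec's own script). Run elevated, after Tamper
# Protection has been disabled as the article requires.
function Set-SepDebugLogging {
    [CmdletBinding()]
    param(
        [ValidateSet(0, 1)]
        [int]$Enabled = 1,
        # 1209600000 ms (2 weeks) is the maximum the article gives.
        [ValidateRange(1, 1209600000)]
        [int]$DurationMS = 604800000,
        [ValidateRange(1, 2147483647)]
        [int]$MaxFilesizeMB = 800,
        [ValidateRange(1, 2147483647)]
        [int]$MaxFiles = 1
    )

    # A 64-bit process must name Wow6432Node explicitly; a 32-bit process
    # already sees the 32-bit registry view under HKLM\Software.
    $base = if ([IntPtr]::Size -eq 8) {
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
    } else {
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
    }
    if (-not (Test-Path -Path $base)) {
        throw "SEP registry key not found: $base"
    }

    # Create the DebugLogging key if it is not present.
    $key = Join-Path -Path $base -ChildPath 'DebugLogging'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key | Out-Null
    }

    $names = 'Enabled', 'DurationMS', 'MaxFilesizeMB', 'MaxFiles'
    foreach ($name in $names) {
        # -Force overwrites an existing value and enforces the DWORD type.
        $value = Get-Variable -Name $name -ValueOnly
        New-ItemProperty -Path $key -Name $name -Value $value `
            -PropertyType DWord -Force | Out-Null
    }

    # Read the values back so the caller can confirm what was written.
    Get-ItemProperty -Path $key | Select-Object -Property $names
}

# Apply the recommended values from the article.
Set-SepDebugLogging
```

Call it with `-Enabled 0` to turn logging off again once the issue has been captured.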
Changing these settings requires a restart of the SEP client services.
Restart the Symantec Management Client (SMC)
Click Start, and in the Search programs and files field, enter the following command:
Alternately, click Start > Run, enter the command, and then click OK.
After the Symantec Endpoint Protection icon disappears from the notification area, repeat Step 1, but instead use the following command:
SEP Client Debugging enables the following logging:
When enabled, the SMC and Sylink logs are mirrored to WPP logs rather than written to their plain text files. The output will be two files named:
These files will be located in:
- XP 32-bit: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\
- Windows 7 64-bit: C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\