Collecting Endpoint Protection WPP logs in a non-persistent virtual device infrastructure (NPVDI) environment.
Last Updated July 03, 2019
For debugging purposes, support needs to collect Windows Software Trace Preprocessor (WPP) logs from a computer, but the system in question is a non-persistent virtual device and log files must be collected before login or are lost at shutdown.
Symantec Endpoint Protection
Any non-persistent virtual device environment (Citrix, VMware, Microsoft App-V, etc.)
No specific errors. WPP logging is generally captured in instances where the normal product error messages and logs are insufficient for troubleshooting.
WPP capture is needed at system startup or shutdown, so the SymDiag tool cannot be used.
This requires a persistent disk attached to the NPVDI, and changes made to the registry on the NPVDI image. You must also create a symbolic link on the NPVDI image. These instructions assume that the persistent disk is mapped to D.
Before making any changes, you must disable Tamper Protection and stop the Endpoint Protection client services with the smc -stop command.
Once you have made the registry changes to enable WPP logging, you will need to create a folder on your persistent disk to hold the logs and create a symbolic link from the current log location to the new log location.
Rename the Logs folder under C:\ProgramData\Symantec\Symantec Endpoint Protection\<version number>\Data to Logs.old.
Make a folder on the D drive named Redirect, or any name you like.
From an elevated (Run as Administrator) command line, create a symbolic directory link for a new Logs folder and point it to the D drive, like:
At this point, you would write these changes back to your NPVDI image master, or to a new image master for testing. If you write these changes to your baseline image, you will need to remove the Logs symbolic link and revert the Logs.old folder name change after collecting data.
After a reboot, you should see all of our logs being written to D:\Redirect, including the SEPAutoTraceSession_<date>_<time>.etl file that contains the WPP logs. At that point, reproduce the issue, collect the contents of the D:\Redirect folder, and submit them to the case.
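The folder rename, persistent-disk folder and directory symbolic link described in the steps above, together with the revert step needed after data collection, as one script. This is an added example, not a script shipped with the product or taken from the original article. It assumes the persistent disk is D:, that the version folder name is filled into SEPVER (placeholder), that Tamper Protection has already been disabled, and that smc.exe is reachable on PATH; the registry changes that enable WPP logging are made separately and are not part of this script.

```batch
@echo off
REM Added example (not from the original article). Redirects the SEP Logs folder to the
REM persistent disk through a directory symbolic link, and can revert the change afterwards.
REM Assumptions (not from the article): persistent disk is D:, the version folder name is
REM supplied in SEPVER (placeholder below), Tamper Protection is already disabled, and
REM smc.exe is reachable on PATH. The WPP registry changes are made separately.
REM Usage (elevated cmd): redirect-logs.cmd apply  |  redirect-logs.cmd revert
setlocal

REM Placeholder: replace with the real version folder under "Symantec Endpoint Protection".
set "SEPVER=<version number>"
set "DATA=C:\ProgramData\Symantec\Symantec Endpoint Protection\%SEPVER%\Data"
set "LOGS=%DATA%\Logs"
set "TARGET=D:\Redirect"

REM mklink and changes under ProgramData need elevation; refuse to continue without it.
net session >nul 2>&1 || (echo This script must run from an elevated command prompt.& exit /b 1)

if /I "%~1"=="apply"  goto apply
if /I "%~1"=="revert" goto revert
echo Usage: %~nx0 apply ^| revert
exit /b 1

:apply
if exist "%DATA%\Logs.old\" (echo Logs.old already exists; the redirect appears to be applied.& exit /b 1)
if not exist "%LOGS%\" (echo Expected folder not found: "%LOGS%"& exit /b 1)
REM Stop the client before touching its log folder (Tamper Protection must already be off).
smc -stop
REM Keep the original folder so it can be restored after data collection.
ren "%LOGS%" Logs.old || exit /b 1
if not exist "%TARGET%\" mkdir "%TARGET%"
REM Directory symbolic link: the client keeps writing to ...\Data\Logs, the files land on D:.
mklink /D "%LOGS%" "%TARGET%" || exit /b 1
smc -start
echo Redirect active. Logs, including SEPAutoTraceSession_*.etl, will appear under %TARGET%.
exit /b 0

:revert
smc -stop
REM rmdir on a directory symlink removes only the link, not the contents of D:\Redirect.
if exist "%LOGS%\" rmdir "%LOGS%"
ren "%DATA%\Logs.old" Logs || exit /b 1
smc -start
echo Original Logs folder restored.
exit /b 0
```

Run `redirect-logs.cmd apply` on the image before writing it back to the master, reboot, reproduce the issue and collect D:\Redirect; run `redirect-logs.cmd revert` on a baseline image once collection is finished so the Logs symbolic link and the Logs.old rename do not persist. The script checks for Logs.old before applying so that running it twice cannot rename an already-redirected folder.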