This guide discusses two ways of increasing the log file size for Kernel Event Tracing ID 4. To recap, Event ID 4 from the Kernel-EventTracing source indicates that an Event Tracing for Windows (ETW) session has stopped due to reaching its maximum file size limit. By default, ETW sessions have a maximum file size of 64 MB, which could be insufficient for extended diagnostics or verbose logging scenarios.
Other reasons why you may want to increase the log size for Event ID 4 include:
- Preventing premature termination of ETW sessions
- Improving visibility into rare or infrequent kernel events
- Enabling continuous monitoring in production or test environments
- Resolving issues where trace buffers overflow too quickly
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| --- | --- | --- |
| Method 1: Using Performance Monitor | ✓ | |
| Method 2: Using PowerShell | ✓ | ✓ |
Increasing ETW log size: Two methods to consider
Method 1: Using Performance Monitor
📌 Use Cases: This is best suited for individual users or IT pros managing standalone systems. It’s also ideal for scenarios where immediate access to a graphical interface is available or when scripting is unnecessary (or restricted).
📌 Prerequisites:
- This method applies to all Windows 11 editions.
- You must have administrator privileges.
- Target sessions should be visible under Event Viewer > Applications and Services Logs > Microsoft > Windows > Kernel-EventTracing.
- You must know which ETW session triggered the Event ID 4 error (e.g., Circular Kernel Context Logger).
Steps:
- Press Win + R, type perfmon, and press Enter.
💡 Tip: Do not use perfmon /report, which only shows system diagnostics. You need the full Performance Monitor console.
- In the left-hand panel, look for a tree structure under your computer’s name. Expand Data Collector Sets, then Event Trace Sessions. You will see a list of active and predefined ETW sessions.
⚠️ Important: If you’re using a company-managed device, you may have limited access to this menu. In that case, you would see only “Monitoring Tools” and not “Data Collector Sets”. Use Method 2 as outlined instead.
- Locate the session noted in your Event ID 4 log. It’s usually named Circular Kernel Context Logger, but this can vary depending on your system or diagnostic tools.
- Right-click your desired session and select Properties to access configurable parameters.
- Go to the Stop Condition tab. From there, increase the Maximum Size (MB) from the default (typically 64 MB) to a larger value (such as 256 MB or more). This ensures that longer traces won’t be prematurely truncated.
- Click Apply, then OK.
- To finalize, right-click the session again and choose Restart. If that option is unavailable, reboot the system to activate the new setting.
Method 2: Using PowerShell
📌 Use Cases: This is a great fallback if Method 1 is unavailable to you because you are working within a company-managed system. This method is also ideal for MSPs managing multiple systems remotely or those who prefer automation workflows.
📌 Prerequisites:
- You must have administrator-level PowerShell access.
- Target sessions should be visible under Event Viewer > Applications and Services Logs > Microsoft > Windows > Kernel-EventTracing.
- You must know which ETW session triggered the Event ID 4 error (e.g., Circular Kernel Context Logger).
- The logman command must be available (bundled with Windows by default).
Steps:
- Launch PowerShell as an administrator. To do this, right-click the Start menu and choose Windows Terminal (Admin) or PowerShell (Admin).
- (Optional but recommended) Verify access with logman by running this command:
logman query
If this command returns a list of sessions, you have sufficient access. If it fails with an error, your system may be locked down further by policy.
- Assign your session name to a variable:
$sessionName = "Circular Kernel Context Logger"
- Use the following command to set the log format to circular binary (bincirc) and increase the maximum size to 256 MB. Adjust the value as needed.
logman update $sessionName -f bincirc -max 256
- Apply the change by stopping and restarting the session:
logman stop $sessionName; if ($LASTEXITCODE -eq 0) { logman start $sessionName }
💡 Note: Make sure to set $sessionName to the correct session name you found earlier (Event Viewer > Applications and Services Logs > Microsoft > Windows > Kernel-EventTracing).
How to confirm the new ETW log file size is in effect
Method 1: Verify through Performance Monitor (if available)
- Press Win + R, type perfmon, and press Enter.
- In the left panel, expand Data Collector Sets > Event Trace Sessions.
- Right-click the session you modified (for example, Circular Kernel Context Logger), and select Properties.
- In the Stop Condition tab, confirm that the Maximum Size (MB) value reflects the size you just set, such as 256.
💡 Note: If this GUI option isn’t available due to access restrictions (common on company-managed devices), use PowerShell validation instead.
Method 2: Verify using PowerShell (using logman)
- Open PowerShell as an administrator.
- Run the following command:
logman query "Circular Kernel Context Logger"
💡 Note: Replace “Circular Kernel Context Logger” with the session you previously modified.
- Look for a line that reads something like:
Maximum Size: 256 MB
💡 Note: This only applies if you changed the maximum limit to 256 MB. Otherwise, look for a value that matches the size you set in the methods listed above.
If you don’t see the expected value, re-run the logman update command from Method 2, then restart the session to apply the changes.
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| --- | --- | --- |
| Excessive log size (e.g., >1GB) | May consume disk space rapidly, especially on systems with limited storage. | Lower the size with logman update <SessionName> -max <SmallerSize> or via the Stop Condition tab in Performance Monitor. Monitor disk usage regularly. |
| Session not restarted after change | New settings won’t take effect until the session is restarted. Logging will continue with the old buffer size. | Run logman stop and logman start, or reboot the system. Always verify with logman query. |
| Changing the wrong session | Modifying an unrelated ETW session could interfere with vendor tools, diagnostics, or baseline performance logs. | Double-check session names. Use logman query to list available sessions. If unsure, revert settings using the same method with the original size value. |
| Insufficient permissions | Log size changes silently fail, especially in managed environments with GPO or RMM restrictions. | Ensure you’re running PowerShell as Administrator. If restricted, coordinate with your enterprise IT team or use approved RMM deployment templates. |
| Conflicts with other logging tools | Tools like Windows Performance Recorder or vendor-specific diagnostics may create overlapping sessions or override size limits. | Pause or disable other trace sessions temporarily while making changes. Restore original settings afterward if needed. |
| Event tracing disabled by policy | No changes will take effect if ETW itself is disabled or the Performance Logs & Alerts service is stopped. | Check if the pla service is running: Get-Service pla. If not, request permission or escalate to your security or endpoint admin. |
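
The Method 2 steps, the logman verification and several checks from the table above, combined into one script. This is an added example and not code from the original guide; the function names are hypothetical, and the "Maximum Size:" line format is assumed from the sample line the guide shows.

```powershell
# Added example, not from the original guide. Function names are hypothetical.
function Get-EtwMaxSizeMB {
    param([string[]]$QueryOutput)
    # Find the "Maximum Size: 256 MB" line the guide tells you to look for.
    foreach ($line in $QueryOutput) {
        if ($line -match 'Maximum Size:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # line absent: treat the size as unknown, not as zero
}

function Set-EtwMaxSize {
    param(
        [string]$SessionName = 'Circular Kernel Context Logger',
        [ValidateRange(1, 1024)][int]$MaxSizeMB = 256   # the guide flags sizes above 1 GB as a disk-space risk
    )
    # Without elevation the change can fail silently, so refuse to continue.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if ((Get-Service -Name pla).Status -ne 'Running') {
        Write-Warning 'Performance Logs & Alerts (pla) is not running.'
    }
    # Confirm the session exists and keep its current size for a later revert.
    $before = logman query $SessionName
    if ($LASTEXITCODE -ne 0) { throw "logman cannot query '$SessionName' (exit $LASTEXITCODE)." }
    $original = Get-EtwMaxSizeMB $before

    logman update $SessionName -f bincirc -max $MaxSizeMB | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman update failed (exit $LASTEXITCODE)." }

    # Stop may fail if the session already stopped after Event ID 4; start must succeed.
    logman stop $SessionName | Out-Null
    logman start $SessionName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit $LASTEXITCODE)." }

    $actual = Get-EtwMaxSizeMB (logman query $SessionName)
    [pscustomobject]@{
        Session = $SessionName; OriginalMB = $original
        RequestedMB = $MaxSizeMB; ActualMB = $actual
        Applied = ($actual -eq $MaxSizeMB)
    }
}

# Constructed sample of `logman query` output, to try the parser offline.
$sample = 'Name:          Circular Kernel Context Logger', 'Maximum Size:  64 MB'
Get-EtwMaxSizeMB $sample
Set-EtwMaxSize -SessionName 'Circular Kernel Context Logger' -MaxSizeMB 256
```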
Additional considerations when increasing log size for Event ID 4
- These methods work for default system sessions or vendor-specific trace sessions.
- Larger buffers consume more disk space. Ensure you have sufficient space before attempting to change the maximum log size.
- Increasing the log size can prevent repeated Event ID 4 errors in the system log.
Summary: Increasing Kernel Event Tracing ID 4
Increasing the ETW log file size for Kernel-EventTracing sessions is essential for preventing premature log truncation and capturing complete diagnostic data in Windows 11. There are two methods you can consider.