What is stored in %Windir%\System32\LogFiles\WMI\RtBackup?

Solution 1:

I found the answer myself after digging around some more.

The directory C:\Windows\System32\LogFiles\WMI\RtBackup stores ETW trace files (extension .etl) for real time event trace sessions. Looking into the RtBackup directory is a little difficult because by default only System has permissions, but my application SetACL Studio can display the contents anyway. When putting the directory's content next to the list of running event trace sessions, one immediately notices the similarities:


Not every event trace session generates a file in the directory RtBackup. As the directory's name implies, it stores backups for real time trace sessions. Comparing the list of files in RtBackup to each trace session's properties confirms this:

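The comparison the answer above does by hand (RtBackup contents versus running trace sessions, checking which ones are real-time) can be scripted. This is an added example, not part of the original answer or of SetACL Studio; it assumes Get-EtwTraceSession (EventTracingManagement module, Windows 10 / Server 2016 and later) exposes Name and LogFileMode, and that each backup file carries its session's name:

```powershell
# Correlate running real-time ETW sessions with the backup .etl files in RtBackup.
# Assumptions (not from the original answers): Get-EtwTraceSession exposes Name and
# LogFileMode, and each backup file is named after its session. Run elevated; if
# reading RtBackup is still denied (by default only SYSTEM has access), the script
# falls back to listing sessions only.
$RtBackup = Join-Path $env:WINDIR 'System32\LogFiles\WMI\RtBackup'
$EVENT_TRACE_REAL_TIME_MODE = 0x100   # LogFileMode flag defined in evntrace.h

# Backup files keyed by base name (stays empty when the directory cannot be read).
$backups = @{}
try {
    Get-ChildItem -LiteralPath $RtBackup -Filter '*.etl' -ErrorAction Stop |
        ForEach-Object { $backups[$_.BaseName] = $_ }
} catch {
    Write-Warning "Cannot read $RtBackup ($($_.Exception.Message)); showing sessions only."
}

# One row per running session: is it real-time, and does it have a backup file?
$report = Get-EtwTraceSession | ForEach-Object {
    $isRealTime = ($_.LogFileMode -band $EVENT_TRACE_REAL_TIME_MODE) -ne 0
    $file = $backups[$_.Name]
    [pscustomobject]@{
        Session     = $_.Name
        RealTime    = $isRealTime
        BackupFile  = if ($file) { $file.Name } else { '' }
        BackupBytes = if ($file) { $file.Length } else { 0 }
        LastWrite   = if ($file) { $file.LastWriteTime } else { $null }
    }
}

$report | Sort-Object -Property RealTime, Session -Descending | Format-Table -AutoSize

# Files in RtBackup that no running session claims: left over from stopped sessions,
# or sessions whose backup file name does not follow the session name.
$orphans = $backups.Keys | Where-Object { $_ -notin $report.Session }
if ($orphans) { "Backup files with no running session: $($orphans -join ', ')" }
```

Real-time sessions should be the ones with a BackupFile entry; a non-real-time session with a file, or an orphan file, is what to look at more closely when auditing which sessions are writing there.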

Solution 2:

I was hoping this would be an easy answer, but I guess I would have to force a read/write of the file or know when it is happening. In any event, this is what I tried, hoping for a quick one-off. You will need the handle utility from Sysinternals.

\path\to\handle.exe | find /i "etl"

Good luck and happy hunting.