thanks to others for helpful informations, i created a batch script for disabling almost all logs.
Note 1: Gaming service tracing logs needed for Xbox app, so its not included in my script, if you dont use Xbox app simply uninstall it or disable Gaming service and reboot to disable such tracing.
Note 2: UBPM tracing wont disable even if you disable related event logs registry (included in my script). i heard that its bonded into kernel.
Note 3: Script must run as Trustedinstaller to works correctly, otherwise accessing to some keys denied. if you have Nsudo path in your system environment variable, the script runs itself as Trustedinstaller using Nsudo, otherwise you need to manually run script with Nsudo or AdvancedRun or etc as Trustedinstaller.
here is my script for auto find all loggers in registry and disable them (i separated it into 2 parts to make it easier to understand, if you have Nsudo, merge 2 parts into one batch file, otherwise you need to run Part 2 as Trustedinstaller manually):
Part 1) check and run itself as Trustedinstaller
@echo off
setlocal & set runState=user
whoami /groups | findstr /b /c:"Mandatory Label\High Mandatory Level" > nul && set runState=administrator
whoami /groups | findstr /b /c:"Mandatory Label\System Mandatory Level" > nul && set runState=TISYSTEM
echo [42m Running in state: "%runState%" [0m
if "%runState%"=="TISYSTEM" (goto gotTISYSTEM) else (NSudoLG.exe -U:T -P:E -UseCurrentConsole "%~0" %* && exit /b)
:gotTISYSTEM
echo [42m Running as TtustesInstaller.[0m
Part 2) got Trustedinstaller privileges (main job)
@echo off
echo [33m Auto-find and Disable all WMI\AutoLogger [0m
echo [33m find all Auto-Loggers and set Enabled to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Enabled" /t REG_DWORD /d 0 /f
echo.
echo [33m find all Auto-Loggers and set Start to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Start"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Start" /t REG_DWORD /d 0 /f
echo.
echo.
echo.
echo [33m Auto-find and Disable all WINEVT [0m
echo [33m find all WINEVT items and set Enabled to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Enabled" /t REG_DWORD /d 0 /f
echo.
pause
exit
Extra step: some loggings arennt related to windows (like .Net apps that create some logs into C:\USERS\Your_User_Name\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS
), how we stop such thing? answer: by fooling windows, i learned it from someone in Ntlite forum, just delete that folder (for example USAGELOGS
), then create new text document but without extension and then rename it to that folder name, windows thinks that folder is existed so prevents you and apps from creating new folder with that name so apps cant create logs into that folder :)
im trying to create a script for this part too, i will update my post when it's ready.
Update1: Use new script here to avoid issue that breaks Ethernet network adapter when you disable/enable it. If you dont use Ethernet or dont disable it (always on), you can still use the old script to even suppress loggers more.