How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs.

Article:TECH171176  |  Created: 2011-10-05  |  Updated: 2013-03-25  |  Article URL
Article Type
Technical Solution


How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs.


Before enabling Automatic Client Debugging, disable Tamper Protection to allow changing the registry.

To enable Automatic Client Debugging go to:

  • 32-bit:  HKLM\Software\Symantec\Symantec Endpoint Protection\DebugLogging
  • 64-bit:  HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\DebugLogging

*Note: If the DebugLogging key is not present, it will need to be created.

The settings available are:

  • (DWORD) Enabled
    • 1 = Logging is enabled.
    • 0 = Logging is disabled.
  • (DWORD) DurationMS
    • The duration in milliseconds that logging will be enabled for after SepMasterService starts.
    • The logging begins immediately after the SepMasterService starts and ends when the duration specified is reached or when the MaxFilesizeMB limit is met.
  • (DWORD) MaxFilesizeMB
    • The max file size limit in megabytes for each individual log file that is created (currently not supported by VPDebug, so this is only supported by WPP). This setting will need to be increased if the DurationMS value is increased.
    • When the size limit specified is reached, logging will automatically stop.
  • (DWORD) MaxFiles
    • The maximum number of old log files to keep before starting a new log.
    • Files are deleted based on the timestamp in their name, so changing the system time can affect the order in which files get phased out.

If any of the above registry values do not exist, they have a default hard-coded value which is:

  • Enabled(0)
  • DurationMS(600000)
  • MaxFilesizeMB(50)
  • MaxFiles(10)

This logging is off by default.  If any of the non-default settings are required, the corresponding registry value will have to be explicitly created.

Changing these settings requires a restart of the SEP client services.


Automatic Client Debugging will enable the following logging automatically:

  • SMC
  • Sylink
  • VPDebug
  • WPP

When enabled, the SMC and Sylink logs are mirrored to WPP logs rather than written to their plain text files.  The output will be two files named:

  • SEPAutoTraceSession_YYMMDD_HHMMSS.etl

These files will be located in:

  • XP 32-bit: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\
  • Windows 7 64-bit: C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\

Article URL

Terms of use for this information are found in Legal Notices