Discussion: Sleep Study

Hellbovine

I was researching how to disable the SleepStudy feature in Windows 10, which creates a bunch of .etl files, and runs on my computer although it has all forms of power savings disabled. I found an article by the Microsoft Defrag Tools team (link) and e-mailed them, asking how to disable it. I got a reply back (we discussed a few things), and the interesting bits are below.

1) Microsoft's policy is to avoid removing features once they are implemented, which is why each new Windows gets heavier with time.

2) To disable this feature run
Code:
schtasks /change /tn "\microsoft\windows\power efficiency diagnostics\analyzesystem" /disable

or go to Start > Windows Administrative Tools > Task Scheduler > expand the tree > Task Scheduler Library > Microsoft > Windows > Power Efficiency Diagnostics > right-click on the "AnalyzeSystem" trigger > disable/delete
 
You want to disable/delete Sleep Study's reporting task, and (optionally) stop the ETL providers supplying performance data.
Code:
schtasks /delete /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /f

wevtutil sl Microsoft-Windows-SleepStudy/Diagnostic /e:false
wevtutil sl Microsoft-Windows-Kernel-Processor-Power/Diagnostic /e:false
wevtutil sl Microsoft-Windows-UserModePowerService/Diagnostic /e:false

From NTLite, you can disable AnalyzeSystem task and by default all those ETL providers are disabled. There's a couple of more PnP Diagnostic providers, but you probably should keep them for normal error reporting.
Code:
                <ScheduledTasks>
                        <TweakGroup name="Tree\Microsoft\Windows\Power Efficiency Diagnostics">
                                <Tweak name="AnalyzeSystem\AnalyzeSystem">remove</Tweak>
                        </TweakGroup>
                </ScheduledTasks>
 
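Very dirty trick to lock SleepStudy, which is found in the system32 directory of W10, against any user access.
Code:
rem Print a status message
Powershell -C "Write-Host 'Removing Everybody Access' -ForegroundColor Green"
rem Hand ownership of the folder to LOCAL SERVICE
icacls "%Windir%\System32\SleepStudy" /setowner "NT AUTHORITY\LOCAL SERVICE"
rem Replace the DACL with a protected one holding two deny ACEs: Everyone (WD) and Anonymous (AN, full access)
echo y| cacls.exe "%Windir%\System32\SleepStudy" /S:"D:PAI(D;OICI;DCLCRPCR;;;WD)(D;OICI;FA;;;AN)"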
 
Care to share how to disable Sleep Study? I have heavily lited & tweaked Win10 with ALL scheduled tasks disabled and the little bugger still appears.
Sorry, I wasn't at my desktop computer when I posted this. It looks like Garlin already addressed it, but just for completeness I updated the main post with what the Microsoft guys told me, for how to disable/delete it.
 
My Win10 install in a VM (the penultimate LTSC) was butchered with multiple tools (I know, a big no-no), Performance logs and alerts was taken out so I can not see/disable ETL providers in a regular way. Nevertheless, they are disabled in the registry (almost all); and ALL scheduled tasks are disabled (because of my experience in Win8.1, when deleted tasks were recreated, I just disable them running as Trusted Installer). Does that mean that Windows re-enables some of them? Possible, but I haven't caught it. :)

Anyway, this is begging for a fresh install, I just don't have the time...
 
Yeah, Windows reactivates a lot of things, it will actually change your power plan without your knowledge or consent, it reverts registry keys, and even reinstalls features. There's a ton of self-healing capabilities in Windows 10 and 11. The only real way to avoid that is to not use Windows Update and other related features after Windows has been installed.
 
Thanks for this, was the only post I could find googling that actually had a solution to disable the system entirely.

Updated to v2004 from v1703 earlier this year, seems to have re-enabled itself as the logs start in March, despite the system being installed since 2017.

If only there were ways to find solutions like this to other problems that don't involve using LTSC. Searching online is atrocious when it's a fraction of a fraction of people who are talking about advanced things like this.
 
This isn't working for me in Windows 11 Pro 25H2. I had already deleted all the Power Efficiency Diagnostics tasks and folder, and the three event logs above are disabled by default, yet the creation of new files and constant writing in the C:\Windows\System32\SleepStudy folder continues as before.
Digging deeper, I found the ETLs in that folder (which consumed about 1GB over 1000 files on my system) are being created by a dynamically started Event Trace Session named SleepStudyTraceSession, apparently set up on the fly by the Power service as it doesn't appear in the Startup Event Trace Sessions list. Looking into possible settings, I found four candidates in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power:
  1. SleepReliabilityDetailedDiagnostics: Found on the Internet, but a boot trace determined this value is never queried.
  2. SleepStudyDeviceAccountingLevel: Present with a value of 4, but not only could I find no documentation on what other values would do, a boot trace determined this value is never queried.
  3. SleepStudyDisabled: Found on the Internet, but a boot trace determined this value is never queried.
  4. SleepStudyTraceDirectory: Found in the boot trace, and usage appears to be straightforward.
The last one (#4), works. I set the trace directory to "?:\?" (an invalid path) and the SleepStudyTraceSession is no longer created, no more files are created in the SleepStudy folder, the whole folder can be removed, and it no longer comes back. I have not yet found any errors or undesirable behavior resulting from this tweak:

Code:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v SleepStudyTraceDirectory /d "?:\?" /f
 
I confirm that this works: the directory and its content are not recreated during Windows installation when the SleepStudy component is removed from the image (registry key added automatically).
 
Thanks, great find. But unfortunately it doesn't work on Windows 10. The SleepStudy folder is created and files continue to be generated.

The Event Trace Session name in Windows 10 is different. It's called UserNotPresentSession.
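
A read-only way to check which of the settings discussed in the posts above took effect, added here as an example and not part of any post: it reports the AnalyzeSystem task state, the SleepStudyTraceDirectory value, whether either trace session named in the thread is running, and the state of the SleepStudy folder. It assumes an elevated PowerShell prompt; the variable names are the example's own.

```powershell
# Added example: read-only audit of the SleepStudy settings named in this thread.
# Changes nothing; run elevated so logman can list system trace sessions.

$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$folder   = Join-Path $env:windir 'System32\SleepStudy'
$sessions = 'SleepStudyTraceSession', 'UserNotPresentSession'   # Win11 / Win10 names from the thread

# 1. Scheduled task: absent, Disabled, or still Ready?
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Power Efficiency Diagnostics\' `
                          -TaskName 'AnalyzeSystem' -ErrorAction SilentlyContinue
$taskState = if ($task) { [string]$task.State } else { 'absent' }

# 2. Registry override of the trace directory (not set means the default folder is used).
$traceDir = (Get-ItemProperty -Path $powerKey -Name 'SleepStudyTraceDirectory' `
                              -ErrorAction SilentlyContinue).SleepStudyTraceDirectory
if ($null -eq $traceDir) { $traceDir = '(not set)' }

# 3. Running ETW sessions: logman prints one row per active session.
$running = @(logman query -ets) -join "`n"
$active  = @($sessions | Where-Object { $running -match [regex]::Escape($_) })

# 4. Folder: does it exist, how big is it, and when was it last written to?
#    A folder replaced by a same-named file (the Windows 10 idea) shows up as 'file'.
if (Test-Path -LiteralPath $folder -PathType Container) {
    $files  = @(Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue)
    $sizeMB = [math]::Round((($files | Measure-Object Length -Sum).Sum) / 1MB, 1)
    $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    $folderState = "folder, $($files.Count) files, $sizeMB MB, newest write $newest"
} elseif (Test-Path -LiteralPath $folder) {
    $folderState = 'file (placeholder blocking the folder)'
} else {
    $folderState = 'absent'
}

[pscustomobject]@{
    AnalyzeSystemTask        = $taskState
    SleepStudyTraceDirectory = $traceDir
    ActiveTraceSessions      = if ($active.Count) { $active -join ', ' } else { 'none' }
    SleepStudyFolder         = $folderState
} | Format-List
```

Running it again after a reboot or a feature update shows whether Windows has re-created the task, the session or the folder.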
 
So I did some digging in Windows 10 and found that it loads a driver "C:\Windows\system32\drivers\SleepStudyHelper.sys" very early in the boot process (like right after ntoskrnl.exe, hal.dll, kd.dll—it's around the 20th action during the pre-boot phase). Windows 11 does not have this driver. I can't seem to find the list where Windows is being told to load this driver—if we could find this, we could probably tell it not to load, possibly disabling SleepStudy in Windows 10. Worth noting, Process Monitor manages to set itself at literally the first place on this list. To investigate further, perhaps I can try to run a trace while enabling Boot Tracing to see what file/registry Process Monitor is modifying to get itself on this early load list.

Next, I looked for possible settings and found these candidates in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power for Windows 10:
  1. SleepStudyActiveThresholdPercent: Found in a boot trace, doesn't seem to be helpful (I tried 0 and FFFFFFFF).
  2. SleepStudyBufferSizeInMB: Found in a boot trace, doesn't seem to be helpful (I tried 0 and FFFFFFFF).
  3. SleepStudyDeviceAccountingLevel: Present with a value of 4, but not only could I find no documentation on what other values would do, a boot trace determined this value is never queried.
  4. SleepStudySessionThresholdSeconds: Found in a boot trace, doesn't seem to be helpful (I tried 0 and FFFFFFFF).
I did not find any interesting values outside that key (there were several drivers with SleepstudyState values, but those appear to be status markers or device exclusion flags, not a global setting for the SleepStudy feature itself).

That leaves me to try messing with access to the C:\Windows\System32\SleepStudy folder itself. I bet if you delete the folder and put a file in its place with the same name (so it can't recreate the folder or put files in it), this will disable SleepStudy on Windows 10 just like setting an invalid path did on Windows 11. Problem is, the folder contains files in use, so you can't just delete it. So one would need to create an empty file in system32, and set a pending boot time delete+rename operation in place to accomplish this.
 
Thanks, that's what I do. I can delete the folder without any problems. I don't know if it's because I make several tweaks. I disable all Event Log channels.
 