60178: Acronis True Image 2018: Active Protection logs in Windows


    Last update: 26-09-2017


    This article explains where to find the logs of the Active Protection service and driver in Windows.


    Acronis Active Protection service's logs

    Acronis Active Protection service executable anti_ransomware_service.exe has the following location:

    Windows 64-bit: "C:\Program Files (x86)\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

    Windows 32-bit: "C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe"

    In both 64-bit and 32-bit Windows versions, it writes the logs to the folder C:\ProgramData\Acronis\ActiveProtection\Logs

    Each time the computer starts up, the service starts a new log file "C:\ProgramData\Acronis\ActiveProtection\Logs\anti_ransomware.0.log". You can open it using any text editor, e.g. Notepad.

    Older logs get archived into .gz format files to save disk space. To view the service logs from before the last time the computer started up or rebooted, you need to unpack the .gz file using any archiver, for example, the free 7-Zip archiver.

    Logs in C:\ProgramData\Acronis\ActiveProtection\Logs\ are kept for 3 days and are then deleted.

    File protector driver's logs

    An important part of Active Protection is the file_protector driver, located at C:\WINDOWS\System32\drivers\file_protector.sys

    Its logs are written into the folder C:\ProgramData\Acronis\FileProtectorLogs

    Sort the file list by either the "Date modified" or the "Name" column in descending order to locate the log file covering the driver's most recent activity.

    File protector driver's logs are written in plain text and can be viewed in any text editor, for example, Notepad.

    A new file is started each time the Acronis Active Protection service (anti_ransomware_service.exe) is started. File_protector driver's logs are not archived or compressed over time.

    If a single file protector's log file reaches 10 MB, a new log file is started automatically. When that happens, logs are also cleaned up: files older than 1 week are deleted, as are the oldest logs if the total size of all file protector's logs exceeds 50 MB. The 1-week retention rule and the 50 MB size rule are also applied at Active Protection service startup.

    These are user-mode logs, as opposed to kernel-mode logs.
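
A collection script for the two user-mode log folders described above, added here as an example and not part of the original Acronis article: it copies both folders before the retention rules remove files, unpacks the .gz archives of the service logs, and writes a SHA-256 manifest. The output folder, the `unpacked` subfolder and `manifest.csv` are assumptions of this example, and reading C:\ProgramData\Acronis may need an elevated PowerShell session.

```powershell
# Added example (not Acronis code). Source folders are the ones named in this article.
# $Dest is an assumed output location; change it as needed.
param([string]$Dest = "$env:USERPROFILE\Desktop\AP-Logs-$(Get-Date -Format yyyyMMdd-HHmmss)")

$Sources = [ordered]@{
    Service = 'C:\ProgramData\Acronis\ActiveProtection\Logs'   # kept 3 days, older files are .gz
    Driver  = 'C:\ProgramData\Acronis\FileProtectorLogs'       # kept 1 week / 50 MB total
}

function Expand-GzFile {
    # Decompress one .gz file with the .NET GZipStream class.
    param([string]$Path, [string]$OutFile)
    $mode = [System.IO.Compression.CompressionMode]::Decompress
    $in = [System.IO.File]::OpenRead($Path)
    try {
        $gz = New-Object System.IO.Compression.GZipStream($in, $mode)
        $out = [System.IO.File]::Create($OutFile)
        try { $gz.CopyTo($out) } finally { $out.Dispose(); $gz.Dispose() }
    } finally { $in.Dispose() }
}

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
foreach ($name in $Sources.Keys) {
    $src = $Sources[$name]
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "$src not found"; continue }
    $target   = Join-Path $Dest $name
    $unpacked = Join-Path $target 'unpacked'   # hypothetical subfolder for decompressed copies
    New-Item -ItemType Directory -Path $unpacked -Force | Out-Null

    # Copy the originals unchanged; a file that cannot be read is reported, not skipped silently.
    Get-ChildItem -LiteralPath $src -File | ForEach-Object {
        try   { Copy-Item -LiteralPath $_.FullName -Destination $target -ErrorAction Stop }
        catch { Write-Warning "Could not copy $($_.FullName): $($_.Exception.Message)" }
    }

    # Unpack archived logs into the subfolder so they open in any text editor.
    Get-ChildItem -LiteralPath $target -Filter *.gz -File | ForEach-Object {
        Expand-GzFile -Path $_.FullName -OutFile (Join-Path $unpacked ($_.Name -replace '\.gz$', ''))
    }
}

# Hash everything first, then write the manifest, so the manifest does not hash itself.
$hashes = Get-ChildItem -LiteralPath $Dest -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation

# Newest driver log by modification time, as the article suggests sorting by "Date modified".
Get-ChildItem -LiteralPath (Join-Path $Dest 'Driver') -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 FullName, LastWriteTime
```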

    File protector driver's kernel-mode (debug) logs

    See https://kb.acronis.com/content/60180 on how to collect kernel-mode logs of file protector driver, also called file protector's debug logs. They could be useful if you are working directly with Acronis on an issue with the Active Protection feature.