Your C drive is losing space even though you did not install anything new. You check your disk usage and discover a large .etl file in the Windows system folder. This file is created by pktmon, the built-in packet monitor tool that runs in the background.
pktmon captures network traffic and writes the data to a log file. When a process or a scheduled task starts pktmon without a stop command, the log file grows until it fills the drive. This article shows you how to find and delete the pktmon capture file and how to stop the capture permanently so it does not return.
Key Takeaways: Stopping pktmon and Reclaiming Disk Space
- pktmon stop command in an elevated Command Prompt: Stops an active capture immediately and closes the log file.
- Deleting the .etl file from C:\Windows\System32\LogFiles: Recovers disk space by removing the captured data.
- Task Scheduler > Disable pktmon-related tasks: Prevents pktmon from starting automatically at boot or on a schedule.
Why pktmon Captures Data in the Background and Fills the C Drive
pktmon is a command-line network diagnostic tool included in Windows 11. It captures network packets and writes them to an Event Trace Log file with a .etl extension. The tool is typically used by IT administrators to troubleshoot network issues. When a user or a scheduled task runs pktmon start without specifying a maximum file size or a stop command, the capture runs indefinitely.
The log file is stored in C:\Windows\System32\LogFiles by default. On a busy network, pktmon can write hundreds of megabytes or even gigabytes of data per hour. The file grows until the drive is full because there is no built-in size limit unless you configure one. The most common causes are a forgotten manual start, a script that did not include a stop command, or a scheduled task that starts pktmon at boot.
Common Scenarios That Trigger Background pktmon Captures
A user may run pktmon start during a network troubleshooting session and forget to stop it. A third-party network monitoring tool may call pktmon internally and fail to stop it. Windows itself does not start pktmon automatically, but a Group Policy setting or a startup script can enable it without the user knowing.
Steps to Stop pktmon and Delete the Capture File
You need administrator privileges to stop pktmon and delete the log file. The process involves three steps: stopping the capture, removing the file, and preventing automatic restarts.
- Open Command Prompt as Administrator
Click Start, type cmd, right-click Command Prompt in the search results, and select Run as administrator. Click Yes in the User Account Control prompt.
- Check if pktmon is running
Type pktmon status and press Enter. The output shows whether a capture is active. If it says “Status: Running,” proceed to the next step. If it says “Status: Not running,” the capture has already stopped, but the log file may still exist on disk.
- Stop the capture
Type pktmon stop and press Enter. The command stops the active capture and closes the .etl file. No output means the command succeeded.
- Delete the log file
Type del C:\Windows\System32\LogFiles\PktMon.etl and press Enter. If you see “Access Denied,” the file is still in use. Restart your computer and try again immediately after logging in. Alternatively, use File Explorer to navigate to C:\Windows\System32\LogFiles, locate PktMon.etl, right-click it, and select Delete. Provide administrator permission if prompted.
- Verify disk space is recovered
Open File Explorer, right-click the C drive, and select Properties. The free space should increase by the size of the deleted .etl file. You can also run dir C:\Windows\System32\LogFiles in Command Prompt to confirm the file is gone.
Prevent pktmon from Starting Automatically
If pktmon starts again after a reboot, a scheduled task or a startup script is responsible. Disable the scheduled task to stop the automatic capture.
- Open Task Scheduler
Click Start, type Task Scheduler, and open the app.
- Browse to the pktmon task
In the left pane, expand Task Scheduler Library > Microsoft > Windows > Network. Look for a task named PktMon or Packet Monitor. If you do not see it, expand other folders such as Diagnostics or Performance.
- Disable the task
Right-click the task and select Disable. A disabled task does not run on any trigger.
- Check Group Policy
Type gpedit.msc in the Run dialog and press Enter. Navigate to Computer Configuration > Administrative Templates > Network > Network Diagnostics. Look for a policy named “Configure Network Packet Monitor” or similar. If it is set to Enabled, change it to Not Configured or Disabled.
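The stop, delete and disable steps above can be scripted. The following PowerShell is an added example, not part of the original article: the $LogDir parameter and -Remediate switch are names chosen here, the log path is the one the article gives, and the task search matches on the task's action rather than on its name or folder.

```powershell
#Requires -RunAsAdministrator
# Added example: report on, and optionally clean up, a background pktmon capture.
param(
    # Log location stated in the article; change it if the capture used another path.
    [string]$LogDir = 'C:\Windows\System32\LogFiles',
    # Without this switch the script only reports and changes nothing.
    [switch]$Remediate
)

# 1. Show the capture state exactly as pktmon reports it.
pktmon status

# 2. List .etl files in the log directory, largest first, so the growing file stands out.
Get-ChildItem -Path $LogDir -Filter '*.etl' -File -ErrorAction SilentlyContinue |
    Sort-Object Length -Descending |
    Select-Object FullName,
        @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } },
        LastWriteTime |
    Format-Table -AutoSize

# 3. Find every scheduled task, in any folder, whose action launches pktmon.
#    This also catches wrappers such as "cmd.exe /c pktmon start".
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'pktmon' }
}
$tasks |
    Select-Object TaskPath, TaskName, State,
        @{ n = 'RunAs'; e = { $_.Principal.UserId } } |
    Format-Table -AutoSize

if ($Remediate) {
    # Stop the capture first so the log file is no longer held open.
    pktmon stop

    # Delete the capture file named in the article, if it exists.
    $pktLog = Join-Path $LogDir 'PktMon.etl'
    if (Test-Path $pktLog) {
        Remove-Item -Path $pktLog -Force
    }

    # Disable each task found in step 3 so the capture does not restart.
    foreach ($t in $tasks) {
        $t | Disable-ScheduledTask | Out-Null
    }
}
```

Run it once without -Remediate and review which task and account start the capture before disabling anything. A task that launches pktmon indirectly through a script file will not match the action filter and has to be found by reading the script.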
If pktmon Still Fills the Drive After the Main Fix
Sometimes the capture file reappears even after you delete it and disable the scheduled task. These scenarios explain why and how to resolve them.
“Access Denied” When Trying to Delete PktMon.etl
The file is locked by a running process. The pktmon service itself holds the file open while capturing. Run pktmon stop first. If the file remains locked, restart the computer and delete the file immediately after logging in, before any network-heavy applications start. If the problem persists, boot into Safe Mode and delete the file from there.
pktmon Starts Again After a Windows Update
A Windows Update may re-enable the scheduled task or reset the Group Policy setting. After the update, repeat the steps to disable the task in Task Scheduler. To make the change persistent, create a local Group Policy that explicitly disables the Network Packet Monitor diagnostic.
Third-Party Antivirus or Monitoring Software Triggers pktmon
Some security or network monitoring tools call pktmon to capture traffic. Check the documentation of your installed security suite. If you identify the software, disable the packet capture feature within that tool or uninstall the software if it is not needed.
Manual Stop vs Scheduled Task Disable: Effectiveness Comparison
| Item | Manual pktmon Stop | Disable Scheduled Task |
|---|---|---|
| Description | Stops the active capture immediately and closes the log file | Prevents pktmon from starting on any future trigger |
| Effect on existing file | Frees the file so it can be deleted | Does not affect an existing file |
| Effect on future captures | Capture stops until pktmon start is run again | Capture never starts automatically |
| Persistence after reboot | Capture does not restart unless a task or script starts it | Capture does not restart because the task is disabled |
| When to use | Immediate disk space recovery | Permanent prevention of background captures |
You now know why pktmon fills the C drive and how to stop it. Run pktmon stop and delete the .etl file to reclaim space immediately. Then disable the scheduled task in Task Scheduler to prevent the capture from restarting. For advanced control, use pktmon start --etw -p 0 to run a capture with a zero-size circular buffer that never writes to disk.