On some Windows servers, we’ve noticed that .ETL files are being created in the temporary directory (C:\Windows\Temp\dynatrace\oneagent\...). These servers are running the OneAgent in full‑stack mode and host IIS applications.
We recently experienced a situation where the CPU reached 100% usage, and the process Antimalware Service Executable (Windows Defender) was responsible for the spike. This raises the question of whether these ETL files or the OneAgent temp directory might be triggering excessive antivirus scanning.
Does anyone know which OneAgent component generates these ETL files and whether this behavior is expected on IIS servers running in full‑stack mode?
Are these files safe to delete, and could they indicate any configuration or instrumentation issue?
Finally, would it be advisable to exclude these ETL files or the entire OneAgent temp directory from our antivirus scans to avoid CPU spikes?
We had the same issue and did exception for the C:\Windows\Temp\dynatrace\oneagent in Defender.
Then it stopped using CPU and stopped having .etl files constantly open i Defender.
Also did a performance recording in Defender to check what uses most resources.
This is a 4 min recordning on a test server that dont have that much load.
Featured Posts
