Windows 11 Enterprise (23H2) virtual machines running VMware Tools version 12.4.5 may report a high volume of EventID 0 in the System event logs. The log entry indicates Detected unrecognized USB driver (\Driver\CSDeviceControl). This behavior is triggered by the Euchcmon.sys driver (version 12.14.15.0) when it encounters the CrowdStrike security driver. The volume of these messages can lead to the System event log reaching its maximum size prematurely, causing the loss of historical event data.

VMware vSphere 8.x

VMware Tools Version: 12.4.5

Windows 11 Enterprise 23H2

The VMware User Experience Host Controller Monitor driver (Euchcmon.sys) does not recognize the third-party CrowdStrike USB filter driver and logs an informational event for every detection instance.

To suppress these messages, you can modify the VMware Tools configuration to restrict logging to error-level events only.

1. Navigate to the VMware Tools installation directory (typically C:\ProgramData\VMware\VMware Tools\).

2. Open the tools.conf file in a text editor with administrative privileges. If the file does not exist, create it.

3. Add or modify the following lines to set the logging level to error:

   Plaintext

    

   [logging]
   vmusr.level = error
   vmsvc.level = error
   

4. Save the file.

5. Restart the VMware Tools service for the changes to take effect.

Alternatively, if USB monitoring is not required for the virtual endpoint, disabling the USB monitoring feature within VMware Tools will stop the generation of these events, though this will impact User Plug and Play options.

For more information on modifying log levels in VMware Tools, see the article: Enabling debug logging for VMware Tools within a guest operating system.