Agent CPU performance profiling

Article ID: 206505

Updated On:

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover
Data Loss Prevention Endpoint Suite

Issue/Introduction

You want to obtain CPU performance profiling to examine performance beyond what is possible via FINEST agent logging.

Resolution

There are two ways to approach this. With Windows Performance Recorder (WPR), you can capture an ETL file that Windows Performance Analyzer can read, which gives a good overview of user-mode code activity. With a low-altitude Procmon, you can capture file, registry, network and process activity, including kernel driver activity. However, the Procmon output is harder to examine purely from a call stack frequency perspective.

WPR Trace

  1. Set the test agent's logs to finest via the Enforce console.
  2. In an elevated command prompt, run: wpr.exe -start CPU
  3. Recreate the issue.
  4. In an elevated command prompt, run: wpr.exe -stop AgentCPU.etl
  5. Gather the AgentCPU.etl file and the agent logs via the Enforce console and submit them to support.

Procmon Capture (looking for VEP and SNP effect on network file transfers)

  1. Set the test agent's logs to finest via the Enforce console.
  2. Download the low-altitude Procmon attachment from the following KB: https://knowledge.broadcom.com/external/article?articleId=171153
  3. Start the Procmon trace.
  4. Recreate the issue.
  5. Stop and save the Procmon trace.
  6. Gather the Procmon trace and the agent logs via the Enforce console and submit them to support.

Additional Information

Note: Both of these profiling methods are very resource intensive and should be run as tightly around the issue recreation window as possible.
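
One way to keep the WPR capture window tight is to wrap steps 2 to 4 of the WPR Trace procedure in a script that always stops or cancels the recorder. This is an added example, not part of the original article or a Broadcom tool; the $MaxSeconds and $OutFile parameters are assumptions, and it expects an interactive elevated PowerShell console.

```powershell
#Requires -RunAsAdministrator
# Added example: bounded wrapper around "wpr.exe -start CPU" / "wpr.exe -stop".
# $MaxSeconds and $OutFile are assumptions chosen for this sketch.
param(
    [int]$MaxSeconds = 300,                               # hard cap on recording time
    [string]$OutFile = (Join-Path $PWD 'AgentCPU.etl')    # file name from the article
)

$wpr = Join-Path $env:SystemRoot 'System32\wpr.exe'
if (-not (Test-Path $wpr)) { throw "wpr.exe not found at $wpr" }

# Step 2: start the built-in CPU profile.
& $wpr -start CPU
if ($LASTEXITCODE -ne 0) { throw "wpr -start CPU failed (exit code $LASTEXITCODE)" }

$stopped = $false
try {
    # Step 3: the operator recreates the issue while the recorder runs.
    $deadline = (Get-Date).AddSeconds($MaxSeconds)
    Write-Host "Recording. Recreate the issue, then press Enter (auto-stop in $MaxSeconds s)."
    while ((Get-Date) -lt $deadline) {
        if ([Console]::KeyAvailable -and [Console]::ReadKey($true).Key -eq 'Enter') { break }
        Start-Sleep -Milliseconds 200
    }

    # Step 4: stop the recorder and write the ETL file.
    & $wpr -stop $OutFile
    if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed (exit code $LASTEXITCODE)" }
    $stopped = $true

    $etl = Get-Item $OutFile
    Write-Host ("Saved {0} ({1:N1} MB)" -f $etl.FullName, ($etl.Length / 1MB))
}
finally {
    # On error or Ctrl+C, discard the session so the recorder is not left running.
    if (-not $stopped) { & $wpr -cancel | Out-Null }
}
```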