Identifying Potential Performance Optimization Rules From Procmon
search cancel

Identifying Potential Performance Optimization Rules From Procmon


Article ID: 286717


Updated On:


Carbon Black App Control (formerly Cb Protection)


Identify potential processes and paths that may help improve Agent performance with a Performance Optimization (PO) Rule


  • App Control: All Supported Versions
  • Windows: All Supported Versions


  1. Capture the ProcMon logs by following these steps.
  2. In the resulting capture go to Tools > File Summary > By Path > sort the columns by Writes.
    • Note the Paths with the most writes, as these may identify Specific Paths to use in the PO Rule.
    • Double click on the Path with the most writes to filter by Path and determine the Process(es) writing there.
  3. To identify the Process Path, double click the Process Name > click the Process tab > copy the Path value.
  4. Use the resulting File Path(s) and Process(es) to create a PO Rule accordingly.

Additional Information

  • There is no guarantee this will alleviate all performance issues, but it gives a starting place
  • A PO Rule only ignores Reads, Writes, Creates and Renames not the execution of an application
  • A PO Rule should never be used with files that are expected to execute, as this will negatively impact performance and cause unexpected blocks.
  • If needed, a support case with the full Agent Performance Logs may be necessary.