clinthuffman / PAL

Performance Analysis of Logs (PAL) tool
MIT License

Distinguish which of the high number of svchost processes is affected #64

Open Jackie78De opened 3 years ago

Jackie78De commented 3 years ago

Hello,

I use PAL Reports frequently, but one thing that is really painful is the fact that if you have high CPU usage caused by one of the numerous svchost-processes, you actually only get a sequential number (i.e. svchost#42), but no further information.

It would be really helpful if PAL reports would collect the Process ID and the commandline parameters so that a user can find out which of the actual hosted services is causing a problem. Without that information, it's only guessing, or am I missing something? Could this be implemented?

jeffstokes72 commented 3 years ago

You need to enable PIDness in perfmon to show it. It's a regedit done on the system you collect data from.

https://techcommunity.microsoft.com/t5/ask-the-performance-team/perfmon-identifying-processes-by-pid-instead-of-instance/ba-p/374561


jeffstokes72 commented 3 years ago

Sorry, just noticed your command line comment. Perfmon is unable to distinguish cmdline, ergo PAL cannot distinguish it. PAL is just transforming blg/csv/tsv data into an HTML report. So we're limited by what Perfmon can see (this is why for high CPU scenarios perfmon isn't very helpful at times. What dll inside the process was high on CPU? Perfmon can't tell. What stack/function? Same issue).


clinthuffman commented 3 years ago

Yes, I agree that resolving the svchosts to their respective service names would be great, but unfortunately, counter logs do not contain that information. This is why I recommend using CLUE (http://github.com/clinthuffman/clue) which is my performance data collection tool to collect the counter log, output of tasklist /svc, event logs, and ETW traces at the time of the high CPU, disk, or memory condition. CLUE is designed to be fully automatic and as low overhead as possible when collecting this data and is used frequently by Windows support teams around the world. Counter logs collected by CLUE can be analyzed by Perfmon and using the `\Process(*)\ID Process` counter, you can identify the process ID of the svchost which can be cross-referenced in the tasklist output to resolve it to the service name.

clinthuffman commented 3 years ago

Also, the ETW trace that CLUE collects has all of the command line parameters for all of the processes.
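
The cross-reference described in the comments above (busy `svchost#N` instance, then its `ID Process` value, then the matching `tasklist /svc` row) can be scripted over the collected files. This is an added example, not part of the thread and not code from PAL or CLUE; it assumes the counter log was exported to CSV (for example with `relog -f csv`) and that `tasklist /svc` was saved in its default table format. The function names and both samples are constructed for illustration.

```python
import csv, io, re

# Constructed sample: counter log exported to CSV (PDH-CSV layout), two samples.
PERF_CSV = r'''"(PDH-CSV 4.0) (UTC)(0)","\\HOST01\Process(svchost#41)\% Processor Time","\\HOST01\Process(svchost#41)\ID Process","\\HOST01\Process(svchost#42)\% Processor Time","\\HOST01\Process(svchost#42)\ID Process"
"01/26/2021 09:00:00.000","1.5","912","88.0","1044"
"01/26/2021 09:00:15.000","2.5","912","96.0","1044"
'''
# Constructed sample: tasklist /svc output from the same moment (one wrapped line).
TASKLIST = '''
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1044 Schedule
'''
COUNTER = re.compile(r'\\Process\((?P<inst>[^)]+)\)\\(?P<name>[^\\]+)$')
CPU, PID = '% Processor Time', 'ID Process'

def hot_instances(perf_csv, threshold=50.0):
    """Return (instance, pid, peak_cpu) for instances whose CPU peak >= threshold."""
    rows = [r for r in csv.reader(io.StringIO(perf_csv)) if r]
    cols = {}  # instance name -> {counter name: column index}
    for i, path in enumerate(rows[0]):
        if m := COUNTER.search(path):
            cols.setdefault(m['inst'], {})[m['name']] = i
    hits = []
    for inst, c in cols.items():
        if CPU not in c or PID not in c:
            continue
        usable = [r for r in rows[1:] if r[c[CPU]].strip() and r[c[PID]].strip()]
        # Take the PID from the same sample row as the CPU peak, not from another row.
        peak = max(usable, key=lambda r: float(r[c[CPU]]), default=None)
        if peak and float(peak[c[CPU]]) >= threshold:
            hits.append((inst, int(float(peak[c[PID]])), float(peak[c[CPU]])))
    return hits

def services_by_pid(tasklist_text):
    """Parse tasklist /svc table output into {pid: [service names]}."""
    raw, pid = {}, None
    for line in tasklist_text.splitlines():
        if m := re.match(r'(\S.*?)\s+(\d+)\s+(\S.*)$', line):
            pid = int(m[2])
            raw[pid] = m[3]
        elif pid is not None and line[:1].isspace() and line.strip():
            raw[pid] += ' ' + line.strip()  # continuation of a wrapped service list
    return {p: [s.strip() for s in v.split(',') if s.strip()] for p, v in raw.items()}

def resolve(perf_csv, tasklist_text, threshold=50.0):
    svc = services_by_pid(tasklist_text)
    return [(i, p, cpu, svc.get(p, [])) for i, p, cpu in hot_instances(perf_csv, threshold)]
```

The tasklist snapshot has to come from the same collection window as the counter log, because PIDs are reused after a process exits.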