Open rayfo opened 1 month ago
I agree that Defender information may be very useful for understanding performance issues and, for this reason, I support bringing back Defender.wpaProfile and AntiMalware.regions.xml.
More info on tracing Defender:
AntiMalware.regions.xml has regions-of-interest for the following providers:
4ee76bd8-3cf4-44a0-a0ac-3937643e37a3  Microsoft-Windows-CodeIntegrity
8e92deef-5e17-413b-b927-59b2f06a3cfc  Microsoft-Antimalware-RTP
0a002690-3839-4e3a-b3b6-96d8df868d99  Microsoft-Antimalware-Engine
751ef305-6c6e-4fed-b847-02ef79d26aef  Microsoft-Antimalware-Service
cfeb0608-330e-4410-b00d-56d8da9986e6  Microsoft-Antimalware-AMFilter (adding)
68621c25-df8d-4a6b-aabc-19a22e296a7c  Microsoft-Antimalware-Engine-Instrumentation (adding / expensive!)
65a1b6fc-4c24-59c9-e3f3-ad11ac510b41  Microsoft.Windows.Sense.Client (adding)
NOTES:
WPR -Providers
I have restored: .\WPAP\Defender.wpaProfile and AntiMalware.regions.xml
I created a new WPR Profile "AntiMalware" within .\WPRP\Defender.15002.wprp . It is tailored for the restored Regions-of-Interest file AntiMalware.regions.xml, plus a couple of particularly useful events. (I also updated the "DefenderFull" profile therein to contain a superset of these events.)
The profile "AntiMalware.Light" traces the following ETW Providers / Events:
Microsoft.Windows.Sense.Client {65a1b6fc-4c24-59c9-e3f3-ad11ac510b41}
<all events>
Microsoft-Antimalware-Engine {0a002690-3839-4e3a-b3b6-96d8df868d99}
1 ScanRequest - Start
2 ScanRequest - Stop
5 StreamScanRequest - Start
6 StreamScanRequest - Stop
30 UfsScanFile - Start
31 UfsScanFile - Stop
32 UfsScanProc - Start
33 UfsScanProc - Stop
43 ExpensiveOperation - Start
67 ExpensiveOperation - Stop
Microsoft-Antimalware-AMFilter {cfeb0608-330e-4410-b00d-56d8da9986e6}
9 FileScan - Start
11 FileScan - Result
Microsoft-Antimalware-RTP {8e92deef-5e17-413b-b927-59b2f06a3cfc}
23 DlpPerfOperation - Start
24 DlpPerfOperation - Stop
27 RTPFileScanResult - Useful
Microsoft-Antimalware-Service {751ef305-6c6e-4fed-b847-02ef79d26aef}
1 ServiceOnDemand - Start
2 ServiceOnDemand - Stop
Microsoft-Windows-CodeIntegrity {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
3007 PageHashFoundInImageCertificate - Useful
3011 LoadCatalog - Stop
3012 LoadCatalog - Start
3013 ReloadCatalogs - Start
3014 ReloadCatalogs - Stop
3015 ValidateFileHash - Start
3016 ValidateFileHash - Stop
3017 ValidatePageHash - Start
3018 ValidatePageHash - Stop
3038 ValidateImageHeader - Start
3039 ValidateImageHeader - Stop
3040 GetFileCache - Start
3041 GetFileCache - Stop
3042 SetFileCache - Start
3043 SetFileCache - Stop
The profile "Antimalware.Verbose" adds the following, very expensive ETW Provider. (It reveals expensive Defender behavior.)
Microsoft-Antimalware-Engine-Instrumentation {68621c25-df8d-4a6b-aabc-19a22e296a7c}
1 DataDrivenSignature - Start
2 DataDrivenSignature - Stop
To confirm this, run:
WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!AntiMalware.Light" -FileMode
WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!AntiMalware.Verbose" -FileMode
WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!DefenderFull" -FileMode
(Note that when Defender.wprp is specified in the script, Defender.15002.wprp will be loaded if it's WPR v10.15002+ .)
I have changed the tracing scripts to refer to .\WPRP\Defender.wprp!AntiMalware.Light: TraceCPU, TraceFileDiskIO, TraceMondo, TraceOffice, TraceOutlook, BETA\TraceEdgeChrome
These are the events from !AntiMalware.Light that I'm able to produce on my Win11 Service device at home:
Microsoft.Windows.Sense.Client {65a1b6fc-4c24-59c9-e3f3-ad11ac510b41}
<all events>
Microsoft-Antimalware-Engine {0a002690-3839-4e3a-b3b6-96d8df868d99}
1 ScanRequest - Start
2 ScanRequest - Stop
5 StreamScanRequest - Start
6 StreamScanRequest - Stop
30 UfsScanFile - Start
31 UfsScanFile - Stop
32 UfsScanProc - Start
33 UfsScanProc - Stop
43 ExpensiveOperation - Start
67 ExpensiveOperation - Stop
Microsoft-Antimalware-AMFilter {cfeb0608-330e-4410-b00d-56d8da9986e6}
9 FileScan - Start
11 FileScan - Result
Microsoft-Antimalware-RTP {8e92deef-5e17-413b-b927-59b2f06a3cfc}
23 DlpPerfOperation - Start
24 DlpPerfOperation - Stop
27 RTPFileScanResult - Useful
Microsoft-Antimalware-Service {751ef305-6c6e-4fed-b847-02ef79d26aef}
1 ServiceOnDemand - Start
2 ServiceOnDemand - Stop
Microsoft-Windows-CodeIntegrity {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
3007 PageHashFoundInImageCertificate - Useful
3011 LoadCatalog - Stop
3012 LoadCatalog - Start
3013 ReloadCatalogs - Start
3014 ReloadCatalogs - Stop
3015 ValidateFileHash - Start
3016 ValidateFileHash - Stop
3017 ValidatePageHash - Start
3018 ValidatePageHash - Stop
3038 ValidateImageHeader - Start
3039 ValidateImageHeader - Stop
3040 GetFileCache - Start
3041 GetFileCache - Stop
3042 SetFileCache - Start
3043 SetFileCache - Stop
TODO: Test this system on a corporate-managed device.
Q: Is a corporate-managed device able to produce the other events listed as not tested above?
Q: Do all of the !AntiMalware Start/Stop events show up correctly in the Regions-of-Interest graph/table ("AntiMalware" tab)? That is, is the Regions-of-Interest file correct in all cases?
Q: Do all of the !AntiMalware events show up in the Generic Events table ("AntiMalware" tab)?
Note that there is a filter-set on this tab:
Provider Name starts with: Microsoft-Antimalware, Microsoft-Windows-Sense, Microsoft.Windows.Sense, Microsoft-Windows-Sec, Microsoft.Windows.Sec, Microsoft-Windows-App
OR equals: Microsoft-Windows-CodeIntegrity
OR contains: Defender
Since the filter-set uses the Provider Names, this assumes that WPA is able to decode the ETW Provider GUIDs into Provider Names before filtering, even for TraceLogging providers, such as: Microsoft.Windows.Sense*
Leonid says: BTW, speaking about Defender stuff, recently I had a long discussion with Defender team on excessive CPU usage in some Office services. Defender team advised us to collect additional diagnostics with their publicly available analyzer - see
• Download the Microsoft Defender for Endpoint client analyzer - Microsoft Defender for Endpoint | Microsoft Learn
• Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn
• Data collection for advanced troubleshooting on Windows - Microsoft Defender for Endpoint | Microsoft Learn
Besides Defender-specific logs, this analyzer collects very detailed ETW traces with a lot of Defender-specific events. Through the analyzer, they publicly expose a big set of Defender events, so it should not be a concern for the MSO-Scripts project. Also, I'm wondering if there are some additional interesting Defender events not captured yet by your scripts.
I propose to restore the Defender View Profile for WPA, including the Regions-of-Interest file: AntiMalware.regions.xml
BACKGROUND
WPR -providers | findstr Antimalware
See WPRP\Defender.wprp
Internal\WPAP\Defender.wpaProfile
and AntiMalware.regions.xml
Internal
folder from the project.
HOW IT WORKS
PROPOSAL
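The two open questions in the notes above, whether every Start/Stop pair becomes a region and whether the "AntiMalware" tab's name-based filter-set sees TraceLogging providers such as Microsoft.Windows.Sense.Client, can be modelled in a few lines. The following is an added example, not code from the MSO-Scripts project or from WPA: it applies the exact filter-set listed for the tab (assumed case-sensitive) to a constructed sample trace, with a boolean that stands in for "WPA decoded the TraceLogging provider name before filtering", and pairs Start/Stop events into regions the way a Regions-of-Interest file would. The GUID-to-name table is copied from the provider list in the notes; the event structure, the pairing on (provider, task, thread), the Sense.Client event id, the placeholder GUID for an unrelated provider, and all timestamps are assumptions of this model.

```python
"""Added example (not MSO-Scripts or WPA code): the "AntiMalware" tab filter-set
and Start/Stop region pairing, run over a constructed sample trace."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Provider GUID -> name, copied from the provider list in the issue text.
MANIFEST_PROVIDERS: Dict[str, str] = {
    "4ee76bd8-3cf4-44a0-a0ac-3937643e37a3": "Microsoft-Windows-CodeIntegrity",
    "8e92deef-5e17-413b-b927-59b2f06a3cfc": "Microsoft-Antimalware-RTP",
    "0a002690-3839-4e3a-b3b6-96d8df868d99": "Microsoft-Antimalware-Engine",
    "751ef305-6c6e-4fed-b847-02ef79d26aef": "Microsoft-Antimalware-Service",
    "cfeb0608-330e-4410-b00d-56d8da9986e6": "Microsoft-Antimalware-AMFilter",
    "68621c25-df8d-4a6b-aabc-19a22e296a7c": "Microsoft-Antimalware-Engine-Instrumentation",
}
# TraceLogging providers carry no manifest; the name must be decoded from the
# events themselves, and only then can a name-based filter match them.
TRACELOGGING_PROVIDERS: Dict[str, str] = {
    "65a1b6fc-4c24-59c9-e3f3-ad11ac510b41": "Microsoft.Windows.Sense.Client",
}
# The filter-set listed for the "AntiMalware" tab (case-sensitivity assumed).
STARTS_WITH = ("Microsoft-Antimalware", "Microsoft-Windows-Sense",
               "Microsoft.Windows.Sense", "Microsoft-Windows-Sec",
               "Microsoft.Windows.Sec", "Microsoft-Windows-App")
EQUALS = ("Microsoft-Windows-CodeIntegrity",)
CONTAINS = ("Defender",)


@dataclass(frozen=True)
class Event:
    ts_us: int      # timestamp in microseconds (constructed values)
    provider: str   # provider GUID as recorded in the trace
    event_id: int
    task: str
    opcode: str     # "Start", "Stop", "Result", "Info", ...
    tid: int


def provider_name(guid: str, decode_tracelogging: bool) -> Optional[str]:
    """Resolve a GUID to a name; TraceLogging names only when decoding is on."""
    name = MANIFEST_PROVIDERS.get(guid)
    if name is None and decode_tracelogging:
        name = TRACELOGGING_PROVIDERS.get(guid)
    return name


def matches_filter(name: Optional[str]) -> bool:
    """The tab's filter-set: starts-with OR equals OR contains on the name."""
    if name is None:
        return False  # an undecoded provider can never match a name filter
    return (name.startswith(STARTS_WITH) or name in EQUALS
            or any(needle in name for needle in CONTAINS))


def filter_events(events: List[Event], decode_tracelogging: bool = True) -> List[Event]:
    return [e for e in events
            if matches_filter(provider_name(e.provider, decode_tracelogging))]


def build_regions(events: List[Event]) -> Tuple[List[Tuple[str, str, int, int]], int]:
    """Pair each Start with the next Stop on the same (provider, task, thread).
    Returns (regions as (provider, task, tid, duration_us), Starts left open).
    Matching on thread id is an assumption of this model, not a WPA rule."""
    pending: Dict[Tuple[str, str, int], List[int]] = {}
    regions: List[Tuple[str, str, int, int]] = []
    for e in sorted(events, key=lambda ev: ev.ts_us):
        key = (e.provider, e.task, e.tid)
        if e.opcode == "Start":
            pending.setdefault(key, []).append(e.ts_us)
        elif e.opcode == "Stop" and pending.get(key):
            start = pending[key].pop()
            regions.append((MANIFEST_PROVIDERS.get(e.provider, e.provider),
                            e.task, e.tid, e.ts_us - start))
    return regions, sum(len(v) for v in pending.values())


ENGINE = "0a002690-3839-4e3a-b3b6-96d8df868d99"
AMFILTER = "cfeb0608-330e-4410-b00d-56d8da9986e6"
CI = "4ee76bd8-3cf4-44a0-a0ac-3937643e37a3"
SENSE = "65a1b6fc-4c24-59c9-e3f3-ad11ac510b41"
UNRELATED = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real provider

# Constructed sample trace: event ids are those listed in the issue, the
# Sense.Client id and every timestamp are made up for this example.
SAMPLE_EVENTS: List[Event] = [
    Event(100, ENGINE, 1, "ScanRequest", "Start", 1),
    Event(150, AMFILTER, 9, "FileScan", "Start", 1),
    Event(200, ENGINE, 30, "UfsScanFile", "Start", 1),
    Event(300, CI, 3015, "ValidateFileHash", "Start", 3),
    Event(350, CI, 3016, "ValidateFileHash", "Stop", 3),
    Event(400, SENSE, 0, "SenseTelemetry", "Info", 2),
    Event(600, ENGINE, 31, "UfsScanFile", "Stop", 1),
    Event(700, AMFILTER, 11, "FileScan", "Result", 1),  # ends with Result, not Stop
    Event(800, UNRELATED, 5, "Noise", "Info", 4),
    Event(900, ENGINE, 2, "ScanRequest", "Stop", 1),
]

if __name__ == "__main__":
    print(len(filter_events(SAMPLE_EVENTS, True)), "events pass with TraceLogging decoded")
    print(len(filter_events(SAMPLE_EVENTS, False)), "events pass without decoding")
    regions, unmatched = build_regions(filter_events(SAMPLE_EVENTS))
    for region in regions:
        print(region)
    print("Starts without a matching Stop:", unmatched)
```

Two things the run makes visible: with TraceLogging decoding turned off, the Sense.Client event silently disappears from the tab even though it is being traced, which is exactly the failure mode the filter-set depends on WPA avoiding; and the AMFilter FileScan pair (Start / Result, no Stop) is left open by Start/Stop pairing, so a regions file that only matches Stop opcodes would never draw a region for it, which is the kind of case the Regions-of-Interest file has to be checked against.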