Learn Editor: Update troubleshoot-av-performance-issues-with-wprui.md

YongRhee-MSFT · YongRhee-MSFT · commit 115d823035d6 · 2025-01-08T11:24:38.000-08:00
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -21,6 +21,12 @@ ms.custom:
 
 # Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
 
+> [!TIP]
+> First review common reasons for performance issues such as high cpu in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) which makes analyzing the reason for a high cpu in Microsoft Defender Antivirus (Antimalware Service Executable or Microsoft Defender Antivirus service or MsMpEng.exe)
+> If for any reason, the Microsoft Defender Antivirus Performance Analyzer doesn't provide with the root cause of the high cpu utilization, then, next run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to find narrow down or root cause the high cpu utilization in Microsoft Defender Antivirus.
+> And the last tool in the toolbelt is to run a Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line) discussed in this article.
+
 ## Capture performance logs using Windows Performance Recorder
 
 Windows Performance Recorder (WPR) is a powerful recording tool that creates Event Tracing for Windows recordings and allows you to include additional information in your submission to Microsoft support.
@@ -29,6 +35,33 @@ WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can b
 
 Alternatively, follow the steps in [Capture performance logs using the WPR UI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C), or use the command-line tool *wpr.exe* [Capture performance logs using the WPR CLI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C). Both are available in Windows 8 and later versions.
 
+There are two ways to capture a Windows Performance Recorder (WPRUI) trace:
+
+Using the MDE Client Analyzer
+
+Manually
+
+## Using the MDE Client Analyzer
+
+1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
+
+1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+
+> [!TIP]
+> Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
+
+
+
+1. Run the MDE Client Analyzer with the -a and -v switches
+
+   PowerShellCopy
+   
+   ```
+   C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
+   ```
+   
+## Manually:
+
 ### Capture performance logs using the WPR UI
 
 > [!TIP]
@@ -39,26 +72,26 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
 1. Under *Windows Kits*, right-click **Windows Performance Recorder**.
 
    ![Screenshot showing the Start menu](media/wpr-01.png)
-
+   
 1. Select **More**. Select **Run as administrator**.
 
 1. Right-click **Yes** when the User Account Control dialog box appears.
 
    ![Screenshot showing the UAC page.](media/wpt-yes.png)
-
+   
 1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
 
 1. In the WPR dialog box, select **More options**.
 
    ![Screenshot showing the page where you can select more options](media/wpr-03.png)
-
+   
 1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
 
 1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
 
    ![Screenshot showing the in-file.](media/wpr-infile.png)
-
-   > [!WARNING]
+   
+      > [!WARNING]
    > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
    > This custom profile provides the necessary context for in-depth performance analysis.
 
@@ -80,11 +113,11 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
 1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
 
    ![Screenshot showing the Hide options.](media/wpr-08.png)
-
+   
 1. Select **Start**.
 
    ![Screenshot showing the Record system information page.](media/wpr-09.png)
-
+   
 1. Reproduce the issue.
 
    > [!TIP]
@@ -93,25 +126,25 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
 1. Select **Save**.
 
    ![Screenshot showing the Save option.](media/wpr-10.png)
-
+   
 1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
 
    ![Screenshot showing the pane in which you fill.](media/wpr-12.png)
-
+   
 1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
 
-   1. Select **Save**.
+1. Select **Save**.
 
    ![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)
-
+   
 1. After the trace has been merged and saved, right-click **Open folder**.
 
    ![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
-
-   Include both the file and the folder in your submission to Microsoft Support.
+   
+      Include both the file and the folder in your submission to Microsoft Support.
 
    ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
-
+   
 ### Capture performance logs using the WPR CLI
 
 To collect a WPR trace using the command-line tool wpr.exe:
