defender-endpoint/troubleshoot-av-performance-issues-with-procmon.md
Lines changed: 21 additions & 24 deletions
@@ -33,21 +33,18 @@ There are two ways to capture a Process Monitor (ProcMon) trace:
33
33
34
34
### Using the MDE Client Analyzer
35
35
36
-
1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer)
36
+
1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
37
37
38
-
1. Run the MDE Client Analyzer using [Live Response or locally ](/defender-endpoint/run-analyzer-windows)
38
+
1. Run the MDE Client Analyzer using [Live Response or locally ](/defender-endpoint/run-analyzer-windows).
39
39
40
-
> [!TIP]
41
-
> Before starting the trace, please make sure that the issue is reporducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
40
+
> [!TIP]
41
+
> Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
42
42
43
43
1. Run the MDE Client Analyzer with the -c and -v switches
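Review bot: the trailing context line `1. Run the MDE Client Analyzer with the -c and -v switches` still has no terminating period, while the two steps above it gain one in this hunk, so the list ends up half-punctuated; add the period here too and consider setting `-c` and `-v` in backticks as code. The link text in `[MDE Client Analyzer ](/defender-endpoint/download-client-analyzer)` and `[Live Response or locally ](/defender-endpoint/run-analyzer-windows)` keeps a trailing space inside the brackets on both the removed and the added lines, which renders as a visible gap before the new period; trim it while these lines are being touched.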

63
+

67
64
68
65
1. Unzip the file in `C:\temp` so that the folder path is `C:\temp\ProcessMonitor`.
69
66
70
67
1. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
71
68
72
-
> [!TIP]
73
-
> Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Taking this step helps to minimize the number of processes to check.
69
+
> [!TIP]
70
+
> Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Taking this step helps to minimize the number of processes to check.
1. After completing step 6, set filters by selecting **OK**. You can filter the results after the capture is complete.
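Review bot: the context line `1. After completing step 6, set filters by selecting **OK**.` hard-codes a step number in a list whose items all use `1.` (so numbers are assigned at render time), and this commit already shifts that list's content; any later insertion will silently make "step 6" point at the wrong step. Refer to the step by what it does instead (for example, "After copying **ProcMon.exe** to the device, ..."). The removed and re-added `[!TIP]` block in this region is identical on the visible lines, so the change must be whitespace that the rendered view does not show; worth confirming the new indentation keeps the blockquote nested inside the list item rather than breaking the numbered list.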
110
107
111
-

108
+

112
109
113
110
1. To start the capture, select the magnifying glass icon again.
114
111
115
112
1. Reproduce the problem.
116
113
117
-
> [!TIP]
118
-
> Wait for the problem to be reproduced, then note the timestamp when the trace begins.
114
+
> [!TIP]
115
+
> Wait for the problem to be reproduced, then note the timestamp when the trace begins.
119
116
120
117
1. After capturing two to four minutes of process activity during high CPU usage, stop the capture by clicking the magnifying glass icon.
121
118
122
-
2. To save the capture with a unique name in the `.pml` format, go to **File** then click **Save...**. Ensure you select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
119
+
1. To save the capture with a unique name in the `.pml` format, go to **File** then click **Save...**. Ensure you select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
123
120
124
-

121
+

125
122
126
123
1. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where:
127
124
128
-
- `%ComputerName%` is the device name
129
-
- `MMDDYEAR` is the month, day, and year
130
-
- `Repro_of_issue` is the name of the issue you're trying to reproduce
125
+
- `%ComputerName%` is the device name
126
+
- `MMDDYEAR` is the month, day, and year
127
+
- `Repro_of_issue` is the name of the issue you're trying to reproduce
131
128
132
-
> [!TIP]
133
-
> If you have a working system, you might want to get a sample log to compare.
129
+
> [!TIP]
130
+
> If you have a working system, you might want to get a sample log to compare.
134
131
135
-
1. Zip the `.pml` file and submit it to Microsoft support.
132
+
1. Zip the `.pml` file and submit it to Microsoft Support.
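Review bot: the tip `> Wait for the problem to be reproduced, then note the timestamp when the trace begins.`, kept unchanged in this hunk, has the order backwards for its purpose: the trace start time has to be noted when the capture is started, before the problem is reproduced, so the reproduction window can be located in the log afterwards. Suggest "Note the timestamp when you start the trace, then reproduce the problem." Separately, `MMDDYEAR` in the suggested file name `%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` reads as a literal word rather than a date pattern; `MMDDYYYY` matches the bullet that explains it as "the month, day, and year". The `2.` to `1.` renumbering of the save step and the "Microsoft Support" capitalization are fine.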