Vista Aggregate Shell Performance Root Long Driver Collection

Microsoft.Windows.Client.Vista.Computer.ShellPerfRootLongDriver.Collection (Rule)

Knowledge Base article:

Summary

This rule collects events that detail the root causes of performance issues that have been detected by Windows Vista.

Causes

Driver activity is one of the root causes.

Element properties:

Target: Microsoft.Windows.Client.Vista.Aggregate.Computer
Category: EventCollection
Enabled: True
Event_ID: 404
Event Source: Microsoft-Windows-Diagnostics-Performance
Alert Generate: False
Remotable: True
Event Log: Microsoft-Windows-Diagnostics-Performance/Operational

Member Modules:

| ID | Module Type | TypeId | RunAs |
| --- | --- | --- | --- |
| EventDS | DataSource | Microsoft.Windows.EventProvider | System.PrivilegedMonitoringAccount |
| PublishToShellPerfRootCauseChannel | WriteAction | Microsoft.Windows.Client.Vista.Computer.PublishBaseData | Default |

Source Code:

<Rule ID="Microsoft.Windows.Client.Vista.Computer.ShellPerfRootLongDriver.Collection" Enabled="true" Target="Microsoft.Windows.Client.Vista.Aggregate.Computer">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" RunAs="System!System.PrivilegedMonitoringAccount" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
      <LogName>Microsoft-Windows-Diagnostics-Performance/Operational</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Microsoft-Windows-Diagnostics-Performance</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>404</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="PublishToShellPerfRootCauseChannel" TypeID="Microsoft.Windows.Client.Vista.Computer.PublishBaseData">
      <ChannelId>66775499-32DE-4C73-9B04-BA5920E83196</ChannelId>
    </WriteAction>
  </WriteActions>
</Rule>