Windows 10 and above Aggregate Boot Service Collection

Microsoft.Windows.Client.Win10.Computer.BootService.Collection (Rule)

Knowledge Base article:

Summary

This rule collects events that detail the root causes of boot performance issues detected by Windows 10 and above.

Causes

Service runtime is one of the root causes of the degradation.

Element properties:

Target: Microsoft.Windows.Client.Win10.Aggregate.Computer
Category: EventCollection
Enabled: True
Event_ID: 103
Event Source: Microsoft-Windows-Diagnostics-Performance
Alert Generate: False
Remotable: True
Event Log: Microsoft-Windows-Diagnostics-Performance/Operational

Member Modules:

ID                                   Module Type  TypeId                                                   RunAs
EventDS                              DataSource   Microsoft.Windows.EventProvider                          System.PrivilegedMonitoringAccount
PublishToClientPerfRootCauseChannel  WriteAction  Microsoft.Windows.Client.Win10.Computer.PublishBaseData  Default

Source Code:

<Rule ID="Microsoft.Windows.Client.Win10.Computer.BootService.Collection" Enabled="true" Target="Microsoft.Windows.Client.Win10.Aggregate.Computer" DiscardLevel="100" ConfirmDelivery="true" Remotable="true" Priority="Normal">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" RunAs="System!System.PrivilegedMonitoringAccount" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
      <LogName>Microsoft-Windows-Diagnostics-Performance/Operational</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Microsoft-Windows-Diagnostics-Performance</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>103</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="PublishToClientPerfRootCauseChannel" TypeID="Microsoft.Windows.Client.Win10.Computer.PublishBaseData">
      <ChannelId>14A12228-E8C2-41C8-A44C-F58EC32DB67B</ChannelId>
    </WriteAction>
  </WriteActions>
</Rule>