Windows 10 and above Aggregate Shell Performance Root File Collection

Microsoft.Windows.Client.Win10.Computer.ShellPerfRootFile.Collection (Rule)

Knowledge Base article:

Summary

This rule collects events that detail the root causes of performance issues detected by Windows 10 and above.

Causes

File access is one of the root causes.

Element properties:

Target: Microsoft.Windows.Client.Win10.Aggregate.Computer
Category: EventCollection
Enabled: True
Event_ID: 405
Event Source: Microsoft-Windows-Diagnostics-Performance
Alert Generate: False
Remotable: True
Event Log: Microsoft-Windows-Diagnostics-Performance/Operational

Member Modules:

ID                                  Module Type   TypeId                                                    RunAs
EventDS                             DataSource    Microsoft.Windows.EventProvider                           System.PrivilegedMonitoringAccount
PublishToShellPerfRootCauseChannel  WriteAction   Microsoft.Windows.Client.Win10.Computer.PublishBaseData   Default

Source Code:

<Rule ID="Microsoft.Windows.Client.Win10.Computer.ShellPerfRootFile.Collection" Enabled="true" Target="Microsoft.Windows.Client.Win10.Aggregate.Computer" DiscardLevel="100" ConfirmDelivery="true" Remotable="true" Priority="Normal">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" RunAs="System!System.PrivilegedMonitoringAccount" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
      <LogName>Microsoft-Windows-Diagnostics-Performance/Operational</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Microsoft-Windows-Diagnostics-Performance</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>405</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="PublishToShellPerfRootCauseChannel" TypeID="Microsoft.Windows.Client.Win10.Computer.PublishBaseData">
      <ChannelId>8B3FF0E0-614B-4A62-89FF-06D6FB1CD4BF</ChannelId>
    </WriteAction>
  </WriteActions>
</Rule>
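The data source above filters the Microsoft-Windows-Diagnostics-Performance/Operational log for events whose publisher is Microsoft-Windows-Diagnostics-Performance and whose event ID is 405. To confirm on a managed computer that such events exist before expecting the rule to publish anything, the same filter can be applied locally with Get-WinEvent. This is an added example and is not part of the management pack; it assumes only that the log is present on the host and that the caller can read it.

```powershell
# Added example: replicate the rule's event filter locally so an operator can
# verify that the Shell performance root-cause events the rule collects are
# actually being written on this computer.
$filter = @{
    LogName      = 'Microsoft-Windows-Diagnostics-Performance/Operational'
    ProviderName = 'Microsoft-Windows-Diagnostics-Performance'
    Id           = 405
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match,
# which is a normal state on a healthy machine, not an error.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No event ID 405 entries found; the rule would have nothing to publish from this host.'
    return
}

# Show when each root-cause event was logged and its message text, which is
# the content the rule forwards to the shell performance root-cause channel.
$events |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

Because the rule runs under the privileged monitoring account, the local check should likewise be run from an elevated session; an unprivileged reader may get an empty result from the operational log even when events are present.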