Home
  •  

Process Monitoring: High Handle Count

Microsoft.Windows.Server.10.0.ProcessHandleCount.Alert (Rule)

This rule generates an alert when handle count increases too fast.

Knowledge Base article:

Summary

This rule generates an alert when handle count increases too fast.

Note: If the threshold for this rule differs from the corresponding threshold for the "Process Monitoring: Health State Collection" rule, it may lead to inconsistency between alerts and process health states.

To avoid generating excessive alerts, a minimal threshold for the rule was implemented. The default value for minimal threshold is 15%. The threshold can be changed to any value via the overrides for the rule in the Operations Manager console, but if it is changed to a value lower than 15%, then the effective threshold will be 15% by default.

A user can change the minimal threshold by creating MinimalHandleCountIncreaseThreshold registry DWORD (32-bit) value on the appropriate agent and under the appropriate key. The effective threshold will be equal to maximum of two values: the default/overridden threshold via the Operations Manager console and the minimal threshold set in the registry.

The following registry key is used for the minimal threshold:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules\Global\BaseOSProcessMonitoring

Element properties:

TargetMicrosoft.Windows.Server.10.0.ProcessMonitoring.ProcessSeed
CategoryCustom
EnabledFalse
Alert GenerateFalse
RemotableTrue

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.Server.10.0.Process.HandleCountAlerting.DataSource Microsoft.Windows.Server.10.0.RunAs.CollectionRules
GenerateAlert WriteAction Microsoft.Windows.Server.10.0.GenerateAlertWriteAction Default
WA WriteAction Microsoft.Windows.Server.10.0.CloseAlertWriteAction Default

Source Code:

<Rule ID="Microsoft.Windows.Server.10.0.ProcessHandleCount.Alert" Target="Microsoft.Windows.Server.10.0.ProcessMonitoring.ProcessSeed" Enabled="false" Remotable="true" Priority="Normal" DiscardLevel="100" ConfirmDelivery="false">

  <Category>Custom</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Microsoft.Windows.Server.10.0.Process.HandleCountAlerting.DataSource" RunAs="Microsoft.Windows.Server.10.0.RunAs.CollectionRules">

      <MonitoringConfiguration>$Target/Property[Type="WindowsServer!Microsoft.Windows.Server.ProcessSeed"]/ThresholdsByProcess$</MonitoringConfiguration>

      <IntervalSeconds>120</IntervalSeconds>

      <SampleCount>6</SampleCount>

      <HandleCountIncreaseThreshold>20</HandleCountIncreaseThreshold>

      <LogLevel>4</LogLevel>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="Microsoft.Windows.Server.10.0.GenerateAlertWriteAction">

      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.10.0.ProcessHandleCount.Alert.AlertMessage"]$</AlertMessageId>

      <Threshold>$Data/HandleCountIncreaseThreshold$</Threshold>

      <Metric>DoesHandleCountIncreaseTooFast</Metric>

    </WriteAction>

    <WriteAction ID="WA" TypeID="Microsoft.Windows.Server.10.0.CloseAlertWriteAction" Target="SCDW!Microsoft.SystemCenter.DataWarehouseConnectorServer">

      <TimeoutSeconds>300</TimeoutSeconds>

      <RuleId>$MPElement[Name="Microsoft.Windows.Server.10.0.ProcessHandleCount.Alert"]$</RuleId>

      <Metric>DoesHandleCountIncreaseTooFast</Metric>

    </WriteAction>

  </WriteActions>

</Rule>