
Our IT department requested that we collect ETW data from Defender during MSBuild-driven builds. We have intermittent build failures that are evidently caused by Defender (well, its user mode service) sitting on files with exclusive access. The issue is elusive, a classical Heisenbug. And despite attempts to reproduce this while recording ETW data, I haven't had luck reproducing it after two dozen or so tries.

The instructions state to use New-MpPerformanceRecording -RecordTo <recording.etl> followed by Get-MpPerformanceReport -Path <recording.etl> .... The respective documentation from Microsoft can be found here.

Now my main gripe with the process is that New-MpPerformanceRecording requires you to:

  1. Press ENTER to stop and save recording, or Ctrl+C to cancel recording.

That means I cannot script the performance recordings along with the builds and always need to attend them. It wastes a lot of time, which I don't really have, to keep coming back to a window to check whether it is already time to press ENTER.

Question: How can I automate the process end-to-end? I am acquainted with PowerShell scripting, but how to get around this silly prompt and have it save the data is beyond me. Anything that cancels the capture means I lose the data.

PS: the issue is not about speed ("performance") as such, it's much more about performing at all, because Defender keeps failing our builds. But I get why they would want ETW or trace logging details.

  • If by "build" you mean a build of Windows, I have not had a Windows build fail because of Defender. It is well designed and built to work properly in Windows. I suggest looking at your build to see if it is doing something non-compliant.
    – anon
    Commented Dec 20, 2023 at 22:49
  • Also, if you are using a third party AV, make sure (test) that it works in harmony with Windows Defender. I stopped and my customers stopped using third party AV (Symantec Corporate in our case) at build 18xx of Windows 10. Just Defender after that.
    – anon
    Commented Dec 20, 2023 at 23:03
  • @John I mean a build of software my company offers. It's an MSBuild-based build and involves Visual Studio 2022. I don't know what you could possibly mean by "build of Windows". I'm not working at Microsoft. There's no third-party AV involved either. And please don't tell me about "well designed". Ever since Microsoft has aggressively pushed performance demands through MVI, they themselves have become sloppy with how Defender does stuff. Formally it probably fulfills their own requirements. But an AV with an FSFD has other ways than exclusively holding a file. I developed such stuff. Commented Dec 21, 2023 at 9:21
  • I have an MSI for it and for running quick network traffic scans and then using it to export to Wireshark compatible files; it is much easier than installing all the needed Wireshark components otherwise on a server or a client (or both) to run a network trace. If it works and makes something easier, then I consider it viable even though it's an intermediary step to use Wireshark for looking at packets. I'm not able to get the New-MpPerformanceRecording cmdlet to help more. Is it a license M365 E5 only tool if you use Defender? Commented Dec 23, 2023 at 21:06
  • Here you go, scan with virustotal and then your own security software before you run; this seems to be a legit one though. I will now download it and scan it myself too: github.com/riverar/messageanalyzer-archive/tree/master/releases/…... It is safe per the scan I completed: virustotal.com/gui/file/… Commented Dec 23, 2023 at 21:12

3 Answers


Firstly, I'll incorporate and cite some key elements from the Description: New-MpPerformanceRecording post, which could offer valuable insights into vendor support and its implications, at the very least.

This New-MpPerformanceRecording cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS", and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.

For more information on the performance analyzer, see Performance Analyzer docs.

Additionally, I've identified a potential workaround idea based on what's outlined in Example 2 of the Microsoft post, which I'll cite, together with the key parameter descriptions, below for clarity first.

Example 2: Collect a performance recording for remote PowerShell session

$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01 
New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $s 

The above command collects a performance recording on Server02 (as specified by argument $s of parameter Session) and saves it to the specified path: C:\LocalPathOnServer02\trace.etl on Server02.

Parameters: New-MpPerformanceRecording

-RecordTo

Specifies the location in which to save the Microsoft Defender Antimalware performance recording.

-Session

Specifies the PSSession object in which to create and save the Microsoft Defender Antivirus performance recording. When you use this parameter the RecordTo parameter refers to the local path on the remote machine. Available with Defender platform version 4.18.2201.10

Potential Workaround

Create a remote interactive session with New-PSSession and store it in a variable (e.g. $s). Then, use the variable with the -Session parameter of New-MpPerformanceRecording.

Once sufficient time has passed to collect necessary events, use Remove-PSSession along with the respective variable (e.g. Remove-PSSession $s) to end the remote session and halt the session capture operations.

PowerShell Example 1

$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01
New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $s

## After enough time has passed, run this command or schedule it
Remove-PSSession $s

PowerShell Example 2

$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01

Invoke-Command -Session $s -ScriptBlock {
    New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl
}

## After enough time has passed, run this command or schedule it
Remove-PSSession $s
  • @0xC0000022L Here are some things that seem to make sense logically to me after reading over the MS post another time and spotting the remote access potentials to help. It will be worth testing the ETL files afterwards if this works to ensure they are not corrupt. I'm not able to run these commands to test for 100% confidence, but since you are needing help, I decided to post just in case. Worst case, you tell me this is trash and I delete the post. Otherwise, it is worth the potential from my side to help you, even if only as a workaround for more automation flexibility. Commented Jan 4 at 22:52

You could try something like this:

# Define the path for recording.etl
$etlPath = "C:\Path\To\Your\Recording.etl"

# Start the performance recording
New-MpPerformanceRecording -RecordTo $etlPath

# Sleep to allow time for the recording to capture data (adjust as needed)
Start-Sleep -Seconds 60

# Stop the performance recording
Stop-MpPerformanceRecording

Avoid the PowerShell cmdlet and use the native commands:

&"C:\Windows\system32\wpr.exe" -start C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ConfigDefenderPerformance\MSFT_MpPerformanceRecording.wprp!Scans.Light -filemode -instancename MSFT_MpPerformanceRecording

&"C:\Windows\system32\wpr.exe" -stop C:\temp\Defender.etl -instancename MSFT_MpPerformanceRecording
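As an added example (not part of any answer above), the two wpr.exe commands can be wrapped in an unattended loop that starts the trace, runs the build, stops the trace, and keeps the .etl only when the build actually fails, which is what you want for a Heisenbug you have to chase over many runs. It assumes the WPRP path, profile name and instance name shown in the answer, that msbuild.exe is on PATH (e.g. a Developer PowerShell for VS 2022), and that the script runs elevated (wpr needs it). The -TopScans and -TopFiles parameters of Get-MpPerformanceReport are taken from the cmdlet's documentation, not from this page; the solution path and MSBuild arguments are placeholders.

```powershell
#Requires -RunAsAdministrator
# Unattended Defender performance trace around repeated MSBuild runs.
# Added example, not from the original page. Placeholders/assumptions:
#   $Solution, $MsBuildArgs  - your build; msbuild.exe assumed on PATH
#   -TopScans / -TopFiles    - documented Get-MpPerformanceReport parameters, not shown on the page
[CmdletBinding()]
param(
    [string]$Solution      = 'C:\src\MyProduct\MyProduct.sln',   # placeholder
    [string]$TraceDir      = 'C:\temp\defender-traces',
    [int]$MaxAttempts      = 50,
    [string[]]$MsBuildArgs = @('/m', '/t:Rebuild', '/nologo')
)

$wpr      = Join-Path $env:SystemRoot 'system32\wpr.exe'
$wprp     = Join-Path $env:SystemRoot 'system32\WindowsPowerShell\v1.0\Modules\ConfigDefenderPerformance\MSFT_MpPerformanceRecording.wprp'
$instance = 'MSFT_MpPerformanceRecording'   # same instance name the cmdlet uses
$msbuild  = 'msbuild.exe'

foreach ($p in $wpr, $wprp) {
    if (-not (Test-Path $p)) { throw "Required file not found: $p" }
}
New-Item -ItemType Directory -Force -Path $TraceDir | Out-Null

function Start-DefenderTrace {
    & $wpr -start "$wprp!Scans.Light" -filemode -instancename $instance
    if ($LASTEXITCODE -ne 0) {
        # Typical cause: a previous recording with this instance name is still active.
        throw "wpr -start failed with $LASTEXITCODE (is a '$instance' recording already running?)"
    }
}

function Stop-DefenderTrace([string]$Etl) {
    & $wpr -stop $Etl -instancename $instance
    if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with $LASTEXITCODE" }
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    $stamp = '{0:yyyyMMdd-HHmmss}-attempt{1:d3}' -f (Get-Date), $i
    $etl   = Join-Path $TraceDir "build-$stamp.etl"
    $log   = Join-Path $TraceDir "build-$stamp.log"

    Start-DefenderTrace
    try {
        # Run the build synchronously and capture its exit code and output.
        $proc = Start-Process -FilePath $msbuild `
            -ArgumentList (@("`"$Solution`"") + $MsBuildArgs) `
            -NoNewWindow -Wait -PassThru -RedirectStandardOutput $log
        $buildExit = $proc.ExitCode
    }
    finally {
        # Always stop the trace, even if the build step throws, so no recording is left open.
        Stop-DefenderTrace $etl
    }

    if ($buildExit -eq 0) {
        # Successful build: nothing to analyse, discard trace and log and try again.
        Remove-Item $etl, $log -ErrorAction SilentlyContinue
        continue
    }

    Write-Host "Build failed on attempt $i (exit code $buildExit); trace kept at $etl"
    # Summarise which files/scans Defender spent time on during the failing build.
    Get-MpPerformanceReport -Path $etl -TopScans 20 -TopFiles 20 |
        Out-String | Set-Content -Path (Join-Path $TraceDir "build-$stamp.report.txt")
    break
}
```

Run it from an elevated PowerShell; it stops after the first failing build and leaves you the .etl, the MSBuild log and a text report side by side. Because the trace is stopped with wpr.exe directly, nothing waits for ENTER, and the try/finally guarantees the recording is closed (and the data saved) even if MSBuild itself throws rather than returning a non-zero exit code.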
