Distinguish which of the high number of svchost processes is affected

Question

Distinguish which of the high number of svchost processes is affected

Opened this issue 3 years ago · 4 comments

Hello,

I use PAL Reports frequently, but one thing that is really painful is the fact that if you have high CPU usage caused by one of the numerous svchost-processes, you actually only get a sequential number (i.e. svchost#42), but no further information.

It would be really helpful if PAL reports would collect the Process ID and the commandline parameters so that a user can find out which of the actual hosted services is causing a problem. Without that information, it's only guessing, or am I missing something? Could this be implemented?

Answer 1 · 2021-01-26T13:13:08.000Z

You need to enabled PIDness in perfmon to show it. It's a regedit done on the system you collect data from. https://techcommunity.microsoft.com/t5/ask-the-performance-team/perfmon-identifying-processes-by-pid-instead-of-instance/ba-p/374561

…

On Tue, Jan 26, 2021 at 4:29 AM Jackie78De ***@***.***> wrote: Hello, I use PAL Reports frequently, but one thing that is really painful is the fact that if you have high CPU usage caused by one of the numerous svchost-processes, you actually only get a sequential number (i.e. svchost#42), but no further information. It would be really helpful if PAL reports would collect the Process ID and the commandline parameters so that a user can find out which of the actual hosted services is causing a problem. Without that information, it's only guessing, or am I missing something? Could this be implemented? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#64>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACFOL6L3VWE222HT3BPEPF3S32DRLANCNFSM4WTEH3RA> .

Answer 2 · 2021-01-26T13:16:34.000Z

Sorry just noticed your command line comment. Perfmon is unable to distinguish cmdline, ergo PAL cannot distinguish it. PAL is just transforming blg/csv/tsv data into an HTML report. So we're limited by what Perfmon can see (this is why for high CPU scenarios perfmon isnt very helpful at times. What dll inside the process was high on CPU? Perfmon can't tell. What stack/function? same issue). On Tue, Jan 26, 2021 at 8:13 AM Jeff Stokes <notifications@github.com> wrote:

…

You need to enabled PIDness in perfmon to show it. It's a regedit done on the system you collect data from. https://techcommunity.microsoft.com/t5/ask-the-performance-team/perfmon-identifying-processes-by-pid-instead-of-instance/ba-p/374561 On Tue, Jan 26, 2021 at 4:29 AM Jackie78De ***@***.***> wrote: > Hello, > > I use PAL Reports frequently, but one thing that is really painful is the > fact that if you have high CPU usage caused by one of the numerous > svchost-processes, you actually only get a sequential number (i.e. > svchost#42), but no further information. > > It would be really helpful if PAL reports would collect the Process ID and > the commandline parameters so that a user can find out which of the actual > hosted services is causing a problem. Without that information, it's only > guessing, or am I missing something? Could this be implemented? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#64>, or unsubscribe > < https://github.com/notifications/unsubscribe-auth/ACFOL6L3VWE222HT3BPEPF3S32DRLANCNFSM4WTEH3RA > > . > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#64 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACFOL6NPA66YO2YR6P76AX3S325XLANCNFSM4WTEH3RA> .

Answer 3 · 2021-01-26T18:24:50.000Z

Yes, I agree that resolving the svchosts to their respective service names would be great, but unfortunately, counter logs do not contain that information. This is why I recommend using CLUE (http://github.com/clinthuffman/clue) which is my performnace data collection tool to collect the counter log, output of tasklist /svc, event logs, and ETW traces at the time of the high CPU, disk, or memory condition. CLUE is designed to be fully automatic and as low overhead as possible when collecting this data and is used frequently by Windows support teams around the world. Counter logs collected by CLUE can be analyzed by Perfmon and using the \Process(*)\ID Process, you can identify the process ID of the svchost which can be cross referenced in the tasklist output to resolve it to the service name.

Answer 4 · 2021-01-26T18:38:06.000Z

Also, the ETW trace that CLUE collects has all of the command line parameters for all of the processes.