Skip to main content

Measuring Disk Performance

Cameron Granger
  • Updated

The Huntress application is a lightweight endpoint agent that performs the collection of metadata regarding persistent footholds on a workstation, calculates file hashes, and transports the results to our data center. The agent uses less than 1% of CPU and 20MB of RAM at idle. The agent conducts surveys of this information every 15 minutes and does not compete for real time disk access with other security products such as antivirus. On rare occasions we receive reports the Huntress agent is causing a performance issue with a system, but upon further investigation it's usually discovered another application or service is adversely interacting with the agent causing the reported symptoms. This support article will show you how to collect disk performance data using the Windows Performance Toolkit (part of the Windows Assessment and Deployment Kit or ADK) and send it to Huntress support for further diagnosis. It is not necessary to perform any of these steps unless requested to do so by Huntress support.

Overview/Summary

  1. Download the appropriate Windows ADK version
  2. Download the diskiotrace.bat from Huntress
  3. Install the Windows Performance Toolkit
  4. Configure the diskiotrace.bat for your system
  5. Run a trace and submit the data to Huntress for review

1. Download the appropriate Windows ADK Version

  1. The Windows 10 ADK (for Windows 10, Server 2016, Server 2019) download can be found here. For older versions of Windows, use the Windows 8.1 ADK here

3. Install the Windows Performance Toolkit

  1. Run the adksetup.exe file that was downloaded in part 1. 
  2. Choose Install to this computermceclip0.png
  3. Choose whether you want to send anonymous data to Microsoft and click Next. mceclip1.png
  4. Read and accept the license agreement.mceclip2.png
  5. Uncheck all of the options except the Windows Performance Toolkitmceclip3.png
  6. Once the install is complete, you should see the below screen, click Close. mceclip4.png

4. Configure the diskiotrace.bat for your system

  1. There is only one option to configure in the diskiotrace.bat. It's the storage location of the trace files from xperf. This can be specified on line 41 as shown below:mceclip5.pngNote: The default location is C:\xperf and the script will attempt to create the folder if it doesn't exist.

5. Run a trace and submit the data to Huntress for review

  1. Open a command prompt as Administrator and change to the directory you've installed the diskiotrace.bat file in. mceclip6.pngNOTE: Verify the default output path is as expected by just running diskiotrace.bat with no arguments. 
  2. Start a disk performance trace by running "diskiotrace.bat start". mceclip7.pngWARNING: The data collected by xperf is massive and a trace shouldn't be run longer than 5-10 minutes. If longer times are required the "diskiotrace.bat recycle" command should be run every 5-10 minutes to ensure a single log file is still manageable in size. 
  3. After 5-10 minutes run the command "diskiotrace.bat stop" to end the logging.mceclip8.png
  4. Select both the folder generated by xperf and the log.txt file from the output folder, right-click, and choose Send to -> Compressed (zipped) folder.mceclip9.pngmceclip10.png
  5. Submit the newly created zip file to Huntress technical support for analysis. mceclip11.png

OPTIONAL: Review the data using the Windows Performance Analyzer

  1. If you wish to review the data collected by the Windows Performance Toolkit, you can double click the ETL file that is present in the folder created in the previous step.mceclip12.pngNOTE: If you want to review the data on a different machine than which it was collected, just install the Windows Performance Toolkit on the machine you wish to use and the ETL file will be readable. 
  2. The data will open in the Windows Performance Analyzer application. You will need to expand the Storage and Disk Usage sections. Then drag the data you wish to see to the right pane.mceclip13.png

NOTE: There are many metrics collected. The relevant ones will be dependent on the type of disk performance issue you are attempting to locate. Starting with IO Time by Process and Throughput by Process is common, but may not provide insight for all types of issues. The nuances of Windows Performance Analyzer are beyond the scope of this document. If you believe Huntress is causing disk IO performance issues, please contact support with the collected information for further analysis. 

Comments

0 comments

Please sign in to leave a comment.

Related articles