Windows

Overview
The Windows Performance scan collects config uration, utilization and performance information from Windows systems. It relies
on Windows WMI for config uration information, collects installed software via a windows reg istry lookup, and the Windows
perfmon service to collect the performance data. The overhead of collection is the same as enabling Windows perfmon, the
Scanner periodically retrieves the performance statistics from the targ et system(s).

By default, the Windows Performance scan will be run over a 24 hour period, collecting data in bursts once every 5 minutes. The
runtime and collection interval are config urable from within Scanner.

Requirements
The system running Mitrend Scanner requires:

Windows Vista / Windows Server 2008 or later.

Microsoft .NET 4.5 Download Installer Here.

Supported Systems
Must be on the same domain as the system running Mitrend Scanner.
Mitrend Scanner requires Administrator Credentials when scanning the local host.
Admin Credentials are required to allow Scanner to:
Access the local reg istry to retrieve Performance Counter definitions
Generate Performance Collection data
Mitrend Scanner may need to be run as an Administrator when targ eting older Windows systems.
Non-eng lish targ et support is currently in beta; reports g eneration is currently in developement and may take long er than
usual to g enerate a report.

Instructions
1. Download the latest version of the Mitrend Scanner application.
2. Select Windows and then Windows scan type.
3. Click BEGIN SCAN.
4. Choose between a Configuration or Configuration & Performance scan.
Click OPTIONS to config ure the Configuration & Performance duration and collection interval

5. Using any of the following methods, populate a list of hosts to scan.

Click ACTIVE DIRECTORY DISCOVERY to enter a targ et domain and associated domain administrator credentials,
then click SCAN to automatically add each machine on that domain.
Click ADD REMOTE SERVER to provide a list of host names.
Click ADD LOCALHOST to add the local machine.

6. Ensure that each machine you wish to scan on is selected on the rig ht hand side of the application, then click NEXT.
7. Click NEXT to start the Performance Collection scan.
8. Once the scan completes, review the Failure and Complete tabs as needed, then click CONTINUE.
9. Upload the scan results, or click EXPORT DATA to save the results and manually upload at a later time.
A. Enter your Mitrend Upload Token.
B. Provide a name for the assessment.
C. Click UPLOAD DATA.
Troubleshooting
Manually Stop a Running Counter Set
In order to manually stop performance collection after a failed or crashed Mitrend Scanner, follow these steps:

1. On the targ et machine, open Performance Monitoring Tool:

Enter "Performance Monitor" into the Windows Search bar. Click on the "Performance Monitor" line item with the
symbol of a stopwatch next to it.

2. Navig ate to the Counter Sets:

In the Performance Monitoring tool, locate the directory tree on the left side, with "Performance" at the root.
Expand the "Data Collector Sets" item in the directory tree by clicking the small arrow next to it
Click on the "User Defined" item underneath the "Data Collector Sets" item
A list of Performance Counters should appear on the rig ht side of the Performance Monitoring Tool

3. From the list of Performance Counter, for each counter with "MITREND" in its name:
If the Counter symbol has a small g reen arrow on it, Rig ht-click the counter and select "Stop"
If the Performance Monitoring Tool navig ates to a different screen once the counter has stopped, follow the
steps above under "Navig ate to the Counter Sets" to return to the correct screen.
Rig ht-click the counter and select "Delete"

4. In order to submit the results for assessment, continue onto Manual Collection.

Manual Collection
In order to manually collect files after a failed or crashed Mitrend Scanner follow these steps:

1. Locate OutputDirectory:
Launch Mitrend Scanner if it isn't already running .
Click the "HELP" button at the bottom of window.
Click the "Open Output Directory" button.

2. Locate Scan Directory:

Open the scan output directory. The directory is named using a g enerated, numeric string (e.g .
635978529689213763), so you’ll need to identify the correct directory based on timestamps that correspond to
the time of the scan in question.

3. Locate CSV files on targ et hosts

Open the Mitrend output directory on the targ et hosts. By default scan output files are stored in
C:\PerfLog s\Admin on the Targ et Machine. Inside this directory, the collection CSV (Windows will identify the type
as "Performance Monitor File") is named using a g enerated string , so you’ll need to identify it by the timestamp
that most closely matches the beg inning of your scan.

4. Copy CSV files onto local host

Add all of the collected CSV files into one of the “SERVER_PERFORMANCE_Task_X directories inside the Scan
directory identified in step 2.

5. Zip up the Scan directory identified in step 2.

6. Upload the zipped directory at mitrend.com/#upload

Mitrend Scanner Connection Errors

ATTEMPT TO CONNECT

In some instances, Scanner will be unable to connect to a targ et computer. This can be caused by a variety of different issues.
Running the following commands will help diag nose the issue.

Open a Powershell instance, enter the following command and enter your credentials into the window which appears:
 $session = New-PSSession -ComputerName <TargetHostname> -Credential Get-Credential

If the above command fails, look for the specific error messag e below for further information.

PSSESSION CREATE ERRORS

1. "The Computer is unknown to Kerberos"

This error indicates Scanner was not able to find the targ et machine. The hostname needs to be on the same
domain and reachable over the network. Verify you entered the correct hostname.

2. "There are currently no log on servers available to service the log on request."
This error indicates that either the Targ et Machine rejected the provided credentials or the Client machine and
Host machine are on different domains. Verify that the credentials are entered correctly, are permitted access to
the targ et machine and that the Client machine and the Targ et machine are on the same domain.

3. "WinRM service timed out while waiting for a response."

The targ et machine may not be config ured to accept remote connections. The targ et machine needs to have
both remote connections and firewall exception for the WinRM service enabled to permit access from the Client
Machine. For more info on this issue, see Microsoft's article HERE

Powershell Permission Errors

In a Powershell instance enter the following command:

NOTE: Mitrend hig hly recommends contacting your System Administrator prior to executing the following command, as it
will be modifying your current Powershell sessions security setting s.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

If the above command fails it can be due to one or more issues:

1. The error "Access to the reg istry key is denied." indicates that the account you are using does not have sufficient
privileg es to modify the Powershell Execution Policy.

2. Close the powershell instance. Start a new Powershell instance via Rig ht Click -> "Run as Administrator". You will need to
enter Administrator credentials.

3. The error "Windows Powershell updated your execution policy successfully, but the setting is overridden by a policy
defined at a more specific scope." indicates that your Domain Administrator has a g roup policy in place which dictates
Powershell Execution Policy

4. The local policy chang e is being overridden by a Group Policy. Contact your System Administrator for further steps and
information.

Mitrend Performance Counter Translation Errors

In some cases Scanner is unable to build a full translation list for the performance counters on a targ et computer. This is most
often due to disabled, incomplete, or corrupted performance counter definitions. Performance counters are defined in the
HKEY_LOCAL_MACHINE portion of the targ et's reg istry.

NOTE: Modifying or updating your reg istry requires administrative permissions and may have unexpected results if
interrupted or terminated abnormally. Mitrend HIGHLY recommends contacting your System Administrator or IT
Department prior to taking any steps to correct this issue.

Instructions for enabling and/or rebuilding that portion of your reg istry can be found in this Microsoft Support article.

Help and Support

If you have any difficulties or questions, contact us at [email protected].
Summary of Collection
The scan first collects config uration data with WMI queries and then uses Log man to collect performance data in a CSV format. If
the scan is canceled then Mitrend Scanner stops the collection job and retrieves the collection data so far. This will result in partial
reports for cancelled jobs.

In the event that the targ et machine experiences a reboot, Scanner will attempt to re-establish connection for 10 minutes. If
Scanner is able to establish a connection then the collection will automatically resume, otherwise it will fail the scan.

The following patterns are used to determine the counters collected:

\\Log icalDisk(*)\
\\PhysicalDisk(*)\
\\Hyper-V Virtual Machine Health Summary\Health Critical
\\Hyper-V Virtual Machine Health Summary\Health Ok
\\SMB Client Shares(*)\
\\Cluster Shared Volumes(*)\
\\Cluster CSV Block Redirection(*)\
\\Cluster CSV Volume Cache(*)\
\\Cluster CSV Volume Manag er(*)\
\\Cluster CSV Volume Coordinator(*)\
\\Cluster CSV File System(*)\
\\Hyper-V Replica VM(*)\
\\MSExchang e Replication(*)\Continuous replication - block mode Active
\\HTTP Service Url Groups(*)\AllRequests
\\HTTP Service Url Groups(*)\HeadRequests
\\HTTP Service Url Groups(*)\GetRequests
\\HTTP Service Url Groups(*)\ConnectionAttempts
\\HTTP Service Url Groups(*)\MaxConnections
\\HTTP Service Url Groups(*)\CurrentConnections
\\HTTP Service Url Groups(*)\BytesTransferredRate
\\HTTP Service Url Groups(*)\BytesReceivedRate
\\HTTP Service Url Groups(*)\BytesSentRate
\\HTTP Service Request Queues(*)\CacheHitRate
\\HTTP Service Request Queues(*)\RejectedRequests
\\HTTP Service Request Queues(*)\RejectionRate
\\HTTP Service Request Queues(*)\ArrivalRate
\\HTTP Service Request Queues(*)\MaxQueueItemAg e
\\HTTP Service Request Queues(*)\CurrentQueueSize
\\ServiceModelService ..0.0.0(*)\Percent Of Max Concurrent Sessions
\\ServiceModelService 4.0.0.0(*)\Percent Of Max Concurrent Instances
\\ServiceModelService 4.0.0.0(*)\Percent Of Max Concurrent Calls
\\ServiceModelService 4.0.0.0(*)\Calls Duration
\\ServiceModelService 4.0.0.0(*)\Calls Faulted Per Second
\\ServiceModelService 4.0.0.0(*)\Calls Faulted
\\ServiceModelService 4.0.0.0(*)\Calls Failed Per Second
\\ServiceModelService 4.0.0.0(*)\Calls Failed
\\ServiceModelService 4.0.0.0(*)\Calls Outstanding
\\ServiceModelService 4.0.0.0(*)\Calls Per Second
\\ServiceModelService 4.0.0.0(*)\Calls
\\IPHTTPS Global(*)\Errors - Authentication Errors
\\IPsec Driver\Packets That Failed Replay Detection/sec
\\IPsec Driver\Incorrect SPI Packets/sec
\\IPsec AuthIP IPv6\Failed Main Mode Neg otiations/sec
\\IPsec AuthIP IPv6\Failed Main Mode Neg otiations
\\.NET CLR Memory(*)\% Time in GC
\\.NET CLR Memory(*)\# Bytes in all Heaps
\\.NET CLR Exceptions(*)\# of Exceps Thrown / sec
\\.NET CLR Loading (*)\Current appdomains
\\Database(*)\Log Threads Waiting
\\Database(*)\Log Writes/sec
\\Database(*)\Log Record Stalls/sec
\\Database(*)\Database Pag e Fault Stalls/sec
\\Database(*)\Database Cache Size (MB)
\\Database(*)\Database Cache Size
\\Database(*)\Database Cache Size Effective (MB)
\\Database(*)\Database Cache Size Effective
\\Database(*)\Database Cache Size Resident
\\Database(*)\Database Cache Size Resident (MB)
\\Database ==> Instances(*)\Log Generation Checkpoint Depth
\\Database ==> Instances(*)\Log Generation Checkpoint Depth Targ et
\\Database ==> Instances(*)\Log Generation Checkpoint Depth Max
\\SQLServer:Buffer Manag er\Buffer cache hit ratio
\\SQLServer:Buffer Manag er\Pag e lookups/sec
\\SQLServer:Buffer Manag er\Free list stalls/sec
\\SQLServer:Buffer Manag er\Lazy writes/sec
\\SQLServer:Buffer Manag er\Readahead pag es/sec
\\SQLServer:Buffer Manag er\Pag e reads/sec
\\SQLServer:Buffer Manag er\Pag e writes/sec
\\SQLServer:Buffer Manag er\Checkpoint pag es/sec
\\SQLServer:Buffer Manag er\Pag e life expectancy
\\SQLServer:Buffer Node(*)\Pag e life expectancy
\\SQLServer:General Statistics\Log ins/sec
\\SQLServer:General Statistics\Log outs/sec
\\SQLServer:General Statistics\User Connections
\\SQLServer:Locks(*)\Lock Requests/sec
\\SQLServer:Locks(*)\Lock Timeouts/sec
\\SQLServer:Locks(*)\Number of Deadlocks/sec
\\SQLServer:Locks(*)\Lock Waits/sec
\\SQLServer:Locks(*)\Lock Wait Time (ms)
\\SQLServer:Locks(*)\Averag e Wait Time (ms)
\\SQLServer:Databases(*)\Data File(s) Size (KB)
\\SQLServer:Databases(*)\Log File(s) Size (KB)
\\SQLServer:Databases(*)\Log File(s) Used Size (KB)
\\SQLServer:Databases(*)\Percent Log Used
\\SQLServer:Databases(*)\Active Transactions
\\SQLServer:Databases(*)\Transactions/sec
\\SQLServer:Databases(*)\Log Flushes/sec
\\SQLServer:Databases(*)\Log Bytes Flushed/sec
\\SQLServer:Databases(*)\Log Flush Waits/sec
\\SQLServer:Databases(*)\Log Flush Wait Time
\\SQLServer:Databases(*)\Log Truncations
\\SQLServer:Databases(*)\Log Growths
\\SQLServer:Databases(*)\Log Shrinks
\\SQLServer:Databases(*)\Tracked transactions/sec
\\SQLServer:Databases(*)\Write Transactions/sec
\\SQLServer:Latches\Latch Waits/sec
\\SQLServer:Latches\Total Latch Wait Time (ms)
\\SQLServer:Access Methods\Full Scans/sec
\\SQLServer:Access Methods\Scan Point Revalidations/sec
\\SQLServer:Access Methods\Workfiles Created/sec
\\SQLServer:Access Methods\Worktables Created/sec
\\SQLServer:Access Methods\Worktables From Cache Ratio
\\SQLServer:Access Methods\Forwarded Records/sec
\\SQLServer:Access Methods\Index Searches/sec
\\SQLServer:Access Methods\FreeSpace Scans/sec
\\SQLServer:Access Methods\Pag e Splits/sec
\\SQLServer:Access Methods\Table Lock Escalations/sec
\\SQLServer:SQL Errors(*)\Errors/sec
\\SQLServer:SQL Statistics\Batch Requests/sec
\\SQLServer:SQL Statistics\Auto-Param Attempts/sec
\\SQLServer:SQL Statistics\Failed Auto-Params/sec
\\SQLServer:SQL Statistics\Safe Auto-Params/sec
\\SQLServer:SQL Statistics\Unsafe Auto-Params/sec
\\SQLServer:SQL Statistics\SQL Compilations/sec
\\SQLServer:SQL Statistics\SQL Re-Compilations/sec
\\SQLServer:SQL Statistics\SQL Attention rate
\\SQLServer:Plan Cache(*)\Cache Hit Ratio
\\SQLServer:Memory Manag er\Granted Workspace Memory (KB)
\\SQLServer:Memory Manag er\Maximum Workspace Memory (KB)
\\SQLServer:Memory Manag er\Memory Grants Outstanding
\\SQLServer:Memory Manag er\Memory Grants Pending
\\SQLServer:Memory Manag er\Total Server Memory (KB)
\\SQLServer:Transactions\Snapshot Transactions
\\SQLServer:Transactions\NonSnapshot Version Transactions
\\SQLServer:Transactions\Long est Transaction Running Time
\\SQLServer:Transactions\Free Space in tempdb (KB)
\\SQLServer:Transactions\Version Generation rate (KB/s)
\\SQLServer:Transactions\Version Cleanup rate (KB/s)
\\SQLServer:Deprecated Features(*)\Usag e
\\SQLServer:Workload Group Stats(*)\CPU usag e %
\\SQLServer:Workload Group Stats(*)\Queued requests
\\SQLServer:Workload Group Stats(*)\Requests completed/sec
\\SQLServer:Resource Pool Stats(*)\CPU usag e %
\\SQLServer:Resource Pool Stats(*)\Max memory (KB)
\\SQLServer:Resource Pool Stats(*)\Used memory (KB)
\\SQLServer:Resource Pool Stats(*)\Targ et memory (KB)
\\Server\Server Sessions
\\Server\Pool Nonpag ed Failures
\\Server\Pool Pag ed Failures
\\Cache\Lazy Write Flushes/sec
\\Cache\Dirty Pag es
\\Processor(*)\
\\Memory\
\\Pag ing File(*)\% Usag e
\\Pag ing File(*)\% Usag e Peak
\\System\
\\Process(*)\
\\ReportServer:Service\Errors/sec
\\ReportServer:Service\Errors Total
\\ReportServer:Service\Memory Pressure State
\\ReportServer:Service\Memory Shrink Notifications/sec
\\ReportServer:Service\Memory Shrink Amount
\\Network Interface(*)\Bytes Total/sec
\\Network Interface(*)\Packets/sec
\\Network Interface(*)\Packets Received/sec
\\Network Interface(*)\Packets Sent/sec
\\Network Interface(*)\Current Bandwidth
\\Network Interface(*)\Bytes Received/sec
\\Network Interface(*)\Bytes Sent/sec
\\Network Interface(*)\Packets Outbound Errors
\\Network Interface(*)\Output Queue Leng th
\\IPv4\Datag rams/sec
\\TCPv4\Connections Established
\\TCPv4\Connection Failures
\\TCPv4\Connections Reset
\\TCPv4\Seg ments Received/sec
\\IPv6\Datag rams/sec
\\TCPv6\Connections Established
\\TCPv6\Connection Failures
\\TCPv6\Connections Reset
\\TCPv6\Seg ments Received/sec
% Processor