How to analyze Windows minifilter performance impact

A question was brought to me, of how can one analyze minifilter driver impact on Windows clients? For the answer, I went back to my roots. Because, with agents from security and management tools enterprises use, like AV, SCCM, Tanium, BigFix, etc, generally you don’t know what its doing at a specific time, and then reproducing that specific activity can be a bear. One thought was to make a VM, and use a checkpoint to ‘rocker’ the virtual machine back to ‘baseline’ after making a change and then collecting an ETW trace.

But in WDRAP, where I learned a lot of my Windows client troubleshooting and debugging, we always went to boot/logon time. Why? Because the experience of a bootup is generally speaking, persistent from boot to boot. Slight config changes and new tasks from management tools may modify things slightly, but that can be seen in Windows Performance Analyzer. So I had a ‘shower thought’ of hey, why not use boot up and set the autologon key so logon and boot are consistent.

Then, you can measure the impact of a minifilter driver change/modification of config against the Total IO Bytes ratioed with the minifilter delay in microseconds. So by and large you see the impact as a value of X microseconds to Y MB for each trace. Easier to compare that way.

So install the Windows ADK Windows Performance Toolkit and then configure your baseline system as you like. Then simply start a boot trace with WPRui like so:

keep in mind the point of this trace is not to dig into code, it’s to bellwether the performance impact of say, an AV agent upgrade or configuration modification.

Open WPRUI, change the Performance Scenario dropdown to “Boot” set detail level to “Light”, Logging mode will be “File” and then set Number of iterations to 2. Check The boxes for first level triage, CPU, disk IO, and mini filter.

Set autologon by grabbing the Sysinternals tool autologon. Configure it with a local account with admin rights (instructions for this are on the docs page for autologon).

Click Start in WPRUI and the trace will reboot the box, collect a trace of boot/logon, then reboot, collect the second trace of boot/logon, and then leave you with a useable desktop.

Grab the files from the \My Documents\WPA Files of the user profile with autologon enabled. Zip them, they compress really well.

Rinse and repeat for as many configuration changes as you like. How to analyze these? That’s coming in post 2, later today.


Leave a comment

Your email address will not be published. Required fields are marked *

Exit mobile version