02. [20p] Windows Performance Recorder & Analyzer

For this task we will use Logs.exe and GoodLog.exe inside the Task-02 folder.

We want to capture the activity of both Logs.exe and GoodLog.exe. To do this we will start a WPR recording, run Logs.exe and GoodLog.exe while the recording is active, and then analyze the resulting trace in WPA, concentrating on disk activity. Finally we will compare what WPA attributes to the two processes with what Task Manager shows for them.

:!: To do this you can follow the steps below or the video.

  1. Open Windows Performance Recorder by searching for it in the search bar (it must run elevated, since it starts a kernel trace session)
  2. Click “More Options” and under Resource Analysis tick: CPU usage, Disk I/O activity, File I/O activity, Registry I/O activity, Networking I/O activity, Heap usage, Pool usage, and VirtualAlloc usage
  3. Using Command Prompt, navigate to the Task-02 folder where the Logs.exe and GoodLog.exe executables are located
  4. Start the recording, then run GoodLog.exe and Logs.exe and wait for both to finish
  5. Stop and save the recording (an .etl file) and open it with WPA
  6. In Graph Explorer, double click on Storage to open the disk activity graphs
  7. In the Disk Usage graph, open the preset drop-down in the upper-left corner (it reads “Utilization by Disk” by default) and select “Utilization by Process, Path Name, Stack”
  8. Run the executables again, this time observing them in Task Manager (Processes tab, Disk column)
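The same capture can be driven from the command line with wpr.exe instead of the GUI, which makes it repeatable and lets you sample, while the programs run, the per-process I/O counter that Task Manager's Disk column is built on. The script below is an added example, not part of the lab material; it assumes wpr.exe and wpa.exe are on the PATH (Windows Performance Toolkit from the ADK), that the shell is elevated, and that the executables sit in .\Task-02 under the current directory.

```powershell
# Added example: command-line equivalent of steps 1-7 plus a live look at the
# counter Task Manager uses. Assumes an elevated shell, wpr.exe/wpa.exe on PATH
# and the lab binaries in .\Task-02 (assumed layout, not from the page).
$ErrorActionPreference = 'Stop'
$taskDir = Join-Path $PWD 'Task-02'
$trace   = Join-Path $PWD 'task02.etl'

# The built-in wpr profiles matching the "Resource Analysis" boxes in the GUI.
$profiles  = 'CPU','DiskIO','FileIO','Registry','Network','Heap','Pool','VirtualAllocation'
$startArgs = $profiles | ForEach-Object { '-start', $_ }

# 1. Start the kernel trace session. -filemode keeps the whole run instead of
#    a ring buffer that would overwrite early events.
& wpr.exe @startArgs -filemode

# 2. Run both programs while recording, waiting for each to exit. While one is
#    running, print "IO Write Bytes/sec" for it: this counter charges the bytes
#    to the process that requested the write, exactly like Task Manager does.
foreach ($exe in 'GoodLog.exe','Logs.exe') {
    $name = [IO.Path]::GetFileNameWithoutExtension($exe)
    $p = Start-Process -FilePath (Join-Path $taskDir $exe) -WorkingDirectory $taskDir -PassThru
    while (-not $p.HasExited) {
        $c = Get-Counter "\Process($name)\IO Write Bytes/sec" -ErrorAction SilentlyContinue
        if ($c) { '{0,-10} {1,14:N0} B/s requested' -f $name, $c.CounterSamples[0].CookedValue }
        Start-Sleep -Seconds 1
    }
}

# 3. Stop the session and write the .etl file.
& wpr.exe -stop $trace

# 4. Open it in WPA: Graph Explorer > Storage > Disk Usage, then switch the
#    preset to "Utilization by Process, Path Name, Stack" (step 7).
& wpa.exe $trace
```

Keep the counter output next to the WPA Disk Usage table: the counter shows bytes requested by Logs.exe and GoodLog.exe, while the Disk Usage table shows which process the kernel actually issued the disk writes from.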

Can you guess why Task Manager shows disk activity for these two processes, but WPA does not attribute the disk writes to them?



Windows Performance Recorder records activity from events generated by the Windows kernel (Event Tracing for Windows). It enables the kernel providers you selected and listens to their events for the duration of the recording. Some of those events are sampled, such as CPU usage, which is recorded by periodically noting which thread is running; others, such as Disk I/O, are logged once per I/O request and carry the process and thread that issued that request to the disk. WPA sums those events up per process, so a process is charged only for the disk operations the kernel actually issued on its behalf.

In our case, the two processes want to write to the disk, but they are not the ones that get to do the actual writing. Their write calls copy the data into the file system cache and return; the cache manager's lazy writer threads, which run inside the System process (PID 4), later flush the dirty pages to disk. The Disk I/O events for those flushes are therefore attributed to System, while the File I/O events (the write calls themselves) are still attributed to Logs.exe and GoodLog.exe, which is what you will see if you switch from the Disk Usage graph to the File I/O graph in WPA.

The reason for this is more efficient disk writing: by deferring and coalescing writes, the System process minimizes the impact on the disk. Task Manager, on the other hand, reports the per-process I/O counters, which count bytes as requested by each process, so it charges the writes to our processes even though the System process is the one that ends up doing them.
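You can confirm the explanation without the lab binaries by writing the same amount of data twice: once through the cache, and once with FILE_FLAG_WRITE_THROUGH (FileOptions.WriteThrough in .NET), which forces the data to disk on the calling thread. The script is an added example, not part of the page; it assumes a WPR session started with at least the DiskIO and FileIO profiles is active while it runs, and the expected attribution in the last comment is the author's expectation from the mechanism described above, not a measured result from this page.

```powershell
# Added example: cached write vs. write-through write under an active
# "wpr -start DiskIO -start FileIO" session (assumed to be running).
$SizeMB = 256                      # constructed size, large enough to show in Disk Usage
$buf = New-Object byte[] (1MB)
(New-Object Random).NextBytes($buf)   # random data so the write is not trivially compressible

function Write-Test {
    param([string]$Path, [System.IO.FileOptions]$Options)
    # FileStream(path, mode, access, share, bufferSize, options); WriteThrough
    # maps to FILE_FLAG_WRITE_THROUGH on the underlying CreateFile call.
    $fs = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Create,
            [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, 1MB, $Options)
    try {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        for ($i = 0; $i -lt $SizeMB; $i++) { $fs.Write($buf, 0, $buf.Length) }
        $sw.Stop()
        '{0,-12} {1,8:N0} ms from PID {2}' -f $Options, $sw.ElapsedMilliseconds, $PID
    } finally {
        $fs.Dispose()
    }
}

Write-Test -Path "$env:TEMP\cached.bin"       -Options ([System.IO.FileOptions]::None)
Write-Test -Path "$env:TEMP\writethrough.bin" -Options ([System.IO.FileOptions]::WriteThrough)

# Expected in WPA, Storage > Disk Usage, "Utilization by Process, Path Name, Stack":
#   cached.bin       -> writes charged to System (PID 4), issued by the lazy writer
#                       after Write-Test already returned
#   writethrough.bin -> writes charged to this powershell.exe process ($PID)
# Task Manager and the IO Write Bytes counter charge both files to powershell.exe,
# because they count bytes requested, not bytes the kernel wrote to disk.
```

The elapsed times also tell the story: the cached write returns as soon as the data is in memory, while the write-through call blocks until the disk has accepted every buffer, which is why the kernel can attribute it to the caller.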