Differences

ep:labs:08 [2020/11/23 15:39]
adriana.cogean
ep:labs:08 [2020/12/02 18:12] (current)
radu.mantu [Lab 08 - I/O Monitoring (Windows)]
Line 1: Line 1:
 ====== Lab 08 - I/O Monitoring (Windows) ====== ====== Lab 08 - I/O Monitoring (Windows) ======
 +
 +<note important>​
 +
 +You can download the **Windows 10 VM** via {{:​ep:​labs:​ep_win10_vm.7z.torrent.txt}}.
 +DokuWiki is not configured to accept //​.torrent//​ files so remove the //.txt// extension.
 +After that, you know what to do...
 +
 +Alternatively,​ you can install the following on your own Windows machine:
 +  * **[[https://​go.microsoft.com/​fwlink/?​linkid=2120254 | ADK]]** - make sure to check //**Windows Performance Analyser**//​ and //**Windows Performance Recorder**//​.
 +  * **[[https://​visualstudio.microsoft.com/​downloads/​ | Visual Studio Community Edition]]** - select //C++ development//​. ​
 +  * **[[https://​docs.microsoft.com/​en-us/​sysinternals/​downloads/​sysinternals-suite | Sysinternals suite]]**
 +
 +</​note>​
 +
  
 ===== Objectives ===== ===== Objectives =====
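Review bot: the download note gives no integrity check for the VM archive; publish a SHA-256 (or similar) of ep_win10_vm.7z next to the torrent link so students can verify what they fetched before importing it. "After that, you know what to do..." should state the two steps explicitly (open the .torrent in a client, then extract the .7z) for anyone who has not done this before. Also, the ADK list item spells it "Windows Performance Analyser" while the rest of the page uses "Windows Performance Analyzer" (the product name); unify the spelling.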
Line 29: Line 43:
   * The **App history tab** was first added to Windows 8, and it shows the resource consumption of metro applications. Metro applications are touch-screen-friendly applications written especially for Microsoft'​s WinRT programming interfaces.   * The **App history tab** was first added to Windows 8, and it shows the resource consumption of metro applications. Metro applications are touch-screen-friendly applications written especially for Microsoft'​s WinRT programming interfaces.
   * The **Start-up tab** shows all the applications that start at start-up, (or at least in Microsoft'​s vision - this will be further detailed in the Autoruns section), and their impact on the boot time. It is helpful to check this tab in case your computer takes a long to to start up.   * The **Start-up tab** shows all the applications that start at start-up, (or at least in Microsoft'​s vision - this will be further detailed in the Autoruns section), and their impact on the boot time. It is helpful to check this tab in case your computer takes a long to to start up.
-  * **Users tab** shows the resource consumption of every logged in user. The screenshot below shows that there is only one user logged in+  * **Users tab** shows the resource consumption of every logged in user.  
-  * **Details tab** shows details for each process - pid, status, the user under which it runs. Right-clicking the column headers bar, offers the possibility to add or remove columns. ​In the screenshot presented below the following columns ​were added: Handles, Threads, Image Path Name and Command Line. These new columns ​are very useful: the first one (Handles) when investigating a handle leak, the second one (Threads) in the case of investigating processes that create too many threads, the third one (Image Path Name) to find out the path from where the process was started, and the last one (Command Line) to find out the parameters with which it was started. +  * **Details tab** shows details for each process - pid, status, the user under which it runs. Right-clicking the column headers bar, offers the possibility to add or remove columns. ​The following columns: Handles, Threads, Image Path Name and Command Line are very useful: the first one (Handles) when investigating a handle leak, the second one (Threads) in the case of investigating processes that create too many threads, the third one (Image Path Name) to find out the path from where the process was started, and the last one (Command Line) to find out the parameters with which it was started.
   * **Services tab** shows the service status. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes.   * **Services tab** shows the service status. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes.
  
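Review bot: in the Details tab item, "The following columns: Handles, Threads, Image Path Name and Command Line are very useful: the first one ..." reads awkwardly now that the screenshot reference is gone; suggest "The following columns are particularly useful: Handles, Threads, Image Path Name and Command Line. The first one (Handles) ...". Since the old text said these columns "were added", keep that information: say explicitly that they are not shown by default and have to be added through the column header menu. Drop the stray comma in "Right-clicking the column headers bar, offers".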
Line 42: Line 56:
 </​note>​ </​note>​
  
-- TODOinsert video here+Here [[https://​drive.google.com/​file/​d/​1z1J6lgoYfBOZF7acEzR8gEq1MH1OZgaf/​view]] you have a visual representation of the previous mentioned steps.
  
 == 01. [20p] Task Manager == == 01. [20p] Task Manager ==
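Review bot: "previous mentioned" should be "previously mentioned", and the Drive URL is pasted bare; DokuWiki supports [[url|text]], so give the link a title such as "video: Task Manager walkthrough" and check that the Drive file's sharing setting lets students outside the owner's account open it.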
Line 65: Line 79:
   * Next, sort the listings by I/O Read bytes and see which application is generating the maximum I/O (in bytes/sec). Similarly, sort by I/O Write bytes to see which program is writing to the hard disk continuously.   * Next, sort the listings by I/O Read bytes and see which application is generating the maximum I/O (in bytes/sec). Similarly, sort by I/O Write bytes to see which program is writing to the hard disk continuously.
   * Once you identify the program, decide if you need the program or not. Leave it as it is if the I/O operations are justified. Else, remove the program or consult its documentation to tweak the settings if any. For instance, one of your browser extensions may cause high disk or CPU usage. You need to isolate the extension, add-on or the browser’s feature causing the trouble.   * Once you identify the program, decide if you need the program or not. Leave it as it is if the I/O operations are justified. Else, remove the program or consult its documentation to tweak the settings if any. For instance, one of your browser extensions may cause high disk or CPU usage. You need to isolate the extension, add-on or the browser’s feature causing the trouble.
 +
 +===== Windows Performance Recorder =====
 +
 +<note warning>
 +Datafile: Logs.exe and GoodLog.exe
 +</​note>​
 +
 +Installing Windows ADK will install Windows Performance Recorder. Check by clicking the windows button and typing “windows performance recorder”.
 +
 +Start **Windows Performance Recorder** by pressing Enter. You will see the following:
 +
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_wpr-record.jpg?​400|}}  ​
 +</​spoiler> ​  
 +    ​
 +Click the **More options** button to get the list shown in the screenshot right below.
 + 
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_wpr-select.jpg?​400|}}  ​
 +</​spoiler> ​   ​
 +
 +Make sure that you select the same check boxes as in the screenshot, but do not click start just yet. Create a new directory and copy the **Logs.exe** and **GoodLog.exe** files into this directory. The behaviour of these two executables is similar to logging applications that write logs to the disk. Open a terminal and change the path to the directory where you copied the files. ​
 + 
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_badlogs.jpg?​400|}}  ​
 +</​spoiler>  ​
 +
 +Start **Windows Performance Recorder** and right after run GoodLog.exe and then Logs.exe. Once the two applications finish running, click the Save button in Windows Performance Recorder.
 +
 +<​spoiler>​
 + ​{{:​ep:​laboratoare:​ep4_goodlogs.jpg?​400|}} ​
 +</​spoiler> ​     ​
 +
 +
 +After the capture is saved, the Open option will become available in **Windows Performance Analyzer**. When clicking the Open button it should open a window such as the one below. ​
 +
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_wpa-cpu1.jpg?​400|}}  ​
 +</​spoiler>​
 +     
 +Double clicking on Storage should display the following window. Analyse the resources.
 +
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_wpa-cpu2.jpg?​400|}}  ​
 +</​spoiler> ​      
 +
 +In the upper-left corner of the newly opened window it can select Disk Usage, Utilization by Disk. Click on Utilization by Disk and select: Utilization by Process, Path Name, and Stack. This will generate the following output. ​
 +
 +<​spoiler>​
 + ​{{:​ep:​laboratoare:​ep4_wpa-cpu3.jpg?​400|}}  ​
 +</​spoiler> ​    
 +
 +The graph looks interesting in Task Manager. Processes can be selected for observing their activity on the disk. It can be noticed that our processes are not shown. Run Logs.exe again while keeping Task Manager on. 
 +
 +<​spoiler>​
 +{{:​ep:​laboratoare:​ep4_logstaskmanagerdisk.jpg?​400|}}  ​
 +</​spoiler> ​   ​
 +
 +
 +**Conclusions:​**
 +
 +  * This shows that there is activity on the disk. The question is why doesn'​t Windows Performance Analyzer show it. The way Windows Performance Recorder records activity is based on events generated by the Windows kernel. It registers to track the events, listens to them, and during the recording period it constantly samples which process uses which resource at the time of sampling.
 +  * It sums up the number of time that a process was caught doing something. In our case, the two processes want to write to the disk, but they are not the ones that get to do the actual writing. They tell the system that they want to write, and the System process schedules the writing. The reason for this is targeting a more efficient disk writing, as the System process is trying to minimise the impact to the disk. This is why our process'​s writing is passed over to the System process.
 +
 +Here [[https://​drive.google.com/​file/​d/​1DTEnxhv9Tb5TORz1RFT7-v2ojLPW5l7A/​view]] you have a visual representation as well.
 +
 +
 +== 02. [20p] WPR and WPA  ==
 +
 +  - Watch the video and go through the tutorial
  
  
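Review bot: the "Datafile: Logs.exe and GoodLog.exe" warning names the binaries but not where to get them; attach or link them (the page already attaches the VM that way) so the step "copy the Logs.exe and GoodLog.exe files into this directory" can be followed. "Make sure that you select the same check boxes as in the screenshot" relies on a 400px image hidden in a spoiler; list the selected WPR profiles by name in the text as well. Grammar: "it can select Disk Usage" should be "you can select"; "the number of time" should be "the number of times"; "our process's writing" should be "our processes' writing"; and "The graph looks interesting in Task Manager" lost its context when lifted out of the old table's Task Manager row, so say "Now look at the disk graph in Task Manager" or similar. In the conclusions, the second bullet (writes are handed off to the System process) is the explanation that matters; the "constantly samples which process uses which resource" sentence in the first bullet describes CPU sampling rather than the kernel disk I/O events WPR records, so consider dropping it. Finally, the new "== 02. [20p] WPR and WPA ==" adds 20 points without reducing any other task, so with 01 [20p], 03 [30p], 04 [30p] and 05 [10p] the lab now totals 110.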
Line 105: Line 189:
 | **18.** Right-click on the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. This compresses the file by ~90%. Look at the graphic below. You certainly want to zip the log file before sending it to someone. || | **18.** Right-click on the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. This compresses the file by ~90%. Look at the graphic below. You certainly want to zip the log file before sending it to someone. ||
  
-You can also watch the previously mentioned steps in the video below: +You can take also take a look at this video here: https://drive.google.com/file/​d/​1ZYdtOq7QsY0nfYDS3e4foPFRVPgO4Qdb/​view.
-TODO - insert ​video here +
- +
- +
- +
-===== Windows Performance Recorder ===== +
- +
-Installing Windows ADK will install Windows Performance Recorder. Check by clicking the windows button and typing “windows performance recorder”. +
- +
-^ Windows Performance Recorder ^^ +
-| Start **Windows Performance Recorder** by pressing Enter. You will see the following| {{:ep:​laboratoare:​ep4_wpr-record.jpg?400 |}}       | +
-| Click the **More options** button to get the list shown in the screenshot right below| {{:​ep:​laboratoare:​ep4_wpr-select.jpg?​400 |}}       | +
- +
-<note warning>​ +
-Datafile: Logs.exe and GoodLog.exe +
-</note> +
- +
-| Make sure that you select the same check boxes as in the screenshot, but do not click start just yet. Create a new directory and copy the **Logs.exe** and **GoodLog.exe** files into this directory. The behaviour of these two executables is similar to logging applications that write logs to the disk. Open a terminal and change the path to the directory where you copied the files. | {{{:​ep:​laboratoare:​ep4_badlogs.jpg?​400 |}}       | +
- +
-^ Windows Performance Recorder ^^ +
-| Start **Windows Performance Recorder** and right after run GoodLog.exe and then Logs.exe. Once the two applications finish running, click the Save button in Windows Performance Recorder. | {{:​ep:​laboratoare:​ep4_goodlogs.jpg?​400 |}}       | +
- +
-^ Windows Performance Analyzer ^^ +
-| After the capture is saved, the Open option will become available in Windows Performance Analyzer. When clicking the Open button it should open a window such as the one below. | {{:​ep:​laboratoare:​ep4_wpa-cpu1.jpg?​400 |}}       | +
-| Double clicking on Storage should display the following window. Analyse the resources. | {{:​ep:​laboratoare:​ep4_wpa-cpu2.jpg?​400 |}}       || +
-| In the upper-left corner of the newly opened window it can select Disk Usage, Utilization by Disk. Click on Utilization by Disk and select: Utilization by Process, Path Name, and Stack. This will generate the following output. | {{:​ep:​laboratoare:​ep4_wpa-cpu3.jpg?​400 |}}       | +
- +
-^ Task Manager ^^ +
-| The graph looks interesting. Processes can be selected for observing their activity on the disk. It can be noticed that our processes are not shown. Run Logs.exe again while keeping Task Manager on. | {{:​ep:​laboratoare:​ep4_logstaskmanagerdisk.jpg?​400 |}}       | +
-  +
-**Conclusions:​** +
- +
-  * This shows that there is activity on the disk. The question is why doesn'​t Windows Performance Analyzer show it. The way Windows Performance Recorder records activity is based on events generated by the Windows kernel. It registers to track the events, listens to them, and during the recording period it constantly samples which process uses which resource at the time of sampling. +
-  * It sums up the number of time that a process was caught doing something. In our case, the two processes want to write to the disk, but they are not the ones that get to do the actual writing. They tell the system that they want to write, and the System process schedules the writing. The reason for this is targeting a more efficient disk writing, as the System process is trying to minimise the impact to the disk. This is why our process'​s writing is passed over to the System process. +
  
  
-== 02. [30p] Process Monitor ==+== 03. [30p] Process Monitor ==
  
 <note warning> <note warning>
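Review bot: "You can take also take a look at this video here:" has a duplicated "take" and, like the link added in the Task Manager section, pastes a bare URL; write it as [[https://drive.google.com/file/d/1ZYdtOq7QsY0nfYDS3e4foPFRVPgO4Qdb/view|video]] with a title. Moving the Windows Performance Recorder section above Process Monitor is fine, but the old table rows kept each screenshot beside its step while the new spoiler layout hides them by default; check that the images still render at the new location (the old "{{{:ep:laboratoare:ep4_badlogs.jpg" triple-brace typo is gone now, which is good).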
Line 203: Line 253:
  
  
-== 03. [30p] Process Explorer ==+== 04. [30p] Process Explorer ==
  
 :!: :!: NON-DEMO TASK  :!: :!: NON-DEMO TASK 
Line 216: Line 266:
  
  
-== 04. [10p] Feedback ==+== 05. [10p] Feedback ==
  
 :!: :!: NON-DEMO TASK  :!: :!: NON-DEMO TASK 
ep/labs/08.1606138777.txt.gz · Last modified: 2020/11/23 15:39 by adriana.cogean
CC Attribution-Share Alike 3.0 Unported