Windows Processes Test

The Windows Processes test reports additional statistics pertaining to processes running on Microsoft Windows systems.

Target of the test : A Windows host

Agent deploying the test : An internal agent

Outputs of the test : One set of results per process pattern specified

Configurable parameters for the test
  1. TEST PERIOD - How often should the test be executed
  2. Host - The host for which the test is to be configured
  3. Port - The port to which the specified host listens
  4. Process - In the Process text box, enter a comma separated list of names:pattern pairs which identify the process(es) associated with the server being considered. processName is a string that will be used for display purposes only. processPattern is an expression of the form - *expr* or expr or *expr or expr* or *expr1*expr2*... or expr1*expr2, etc. A leading '*' signifies any number of leading characters, while a trailing '*' signifies any number of trailing characters. For example, to monitor the Word and Powerpoint applications on a system, in the PROCESS text box, enter officeProcess:*winword*,*power*, where * denotes zero or more characters.

    To save the time and effort involved in such manual process specification, eG Enterprise offers an easy-to-use auto-configure option in the form of a View/Configure button that is available next to the PROCESS text box. Refer to Section of this document o know how to use the auto-configure option.

  5. wide - On Windows environments, by default, the eG agent uses perfmon to search for the processes that match the configured patterns. Accordingly, the wide parameter is set to false by default. Typically, a process definition in Windows includes the full path to the process, the process name, and process arguments (if any). Perfmon however scans the system only for process names that match the configured patterns – in other words, the process path and arguments are ignored by perfmon. This implies that if multiple processes on a Windows host have the same name as specified against process, then perfmon will only be able to report the overall resource usage across all these processes; it will not provide any pointers to the exact process that is eroding the host’s resources. To understand this better, consider the following example. Typically, Windows represents any Java application executing on it as java.exe. Say, two Java applications are executing on a Windows host, but from different locations.

    If java.exe has been configured for monitoring, then by default, perfmon will report the availability and average resource usage of both the Java applications executing on the host. If say, one Java application goes down, then perfmon will not be able to indicate accurately which of the two Java applications is currently inaccessible.

    Therefore, to enable administrators to easily differentiate between processes with the same name, and to accurately determine which process is unavailable or resource-hungry, the eG agent should be configured to perform its process searches based on the process path and/or process arguments, and not just on the process name – in other words, the eG agent should be configured not to use perfmon.

    To achieve this, first, set the WIDE parameter to Yes. This will instruct the eG agent to not use perfmon to search for the configured process patterns. Once this is done, then, you can proceed to configure a PROCESSPATTERN that includes the process arguments and/or the process path, in addition to the process name. For instance, if both the Remote Access Connection Manager service and the Terminal Services service on a Windows host, which share the same name – svchost - are to be monitored as two different processes, then your PROCESSPATTERN specification should be as follows:

    Terminal:C:\WINDOWS\System32\svchost-k DcomLaunch,Remote:C:\WINDOWS\system32\ svchost.exe-knetsvcs

    You can also use wildcard characters, wherever required. For instance, in the above case, your PROCESSPATTERN can also be:

    Terminal:*svchost -k DcomLaunch,Remote:*svchost.exe -k netsvcs

    Similarly, to distinctly monitor two processes having the same name, but operating from different locations, your specification can be:



    • Before including process paths and/or arguments in your processpattern configuration, make sure that the wide parameter is set to true. If not, the test will not work.
    • If your processpattern configuration includes a process path that refers to the Program Files directory, then make sure that you do not  include a ~ (tilde) while specifying this directory name. For instance, your processpattern specification should not be say, Adobe:C:\Progra~1\Adobe\AcroRd32.exe
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Number of processes running:

Indicates the number of processes that are currently running.



Handle count:

Indicates the number of handles opened by the process.


An increasing trend in this measure is indicative of a memory leak in the process.

Number of threads:

Indicates the number of threads that are used by the process.



Virtual memory used:

Indicates the amount of virtual memory that is being used by the process.



I/O data rate:

Indicates the rate at which processes are reading and writing bytes in I/O operations.


This value counts all I/O activity generated by each process and includes file, network and device I/Os.

I/O data operations:

Indicates the rate at which the process is issuing read and write data to file, network and device I/O operations.



I/O read data rate:

Indicates the rate at which the process is reading data from file, network and device I/O operations.



I/O write data rate:

Indicates the rate at which the process is writing data to file, network and device I/O operations.



Page fault rate:

Indicates the total rate at which page faults are occurring for the
threads of all matching processes.


A page fault occurs when a thread refers to a virtual memory page that is not in its working set in main memory. This may not cause the page to be fetched from disk if it is on the standby list and hence already in main memory, or if it is in use by another process with
whom the page is shared.

Memory working set:

Indicates the current size of the working set of a process.


The Working Set is the set of memory pages touched recently by the threads in the process. If free memory in the computer is above a threshold, pages are left in the Working Set of a process even if they are not in use. 
When free memory falls below a threshold, pages are trimmed from Working Sets. If they are needed they will then be soft-faulted back into the Working Set before leaving main memory. If a process pattern matches multiple processes, the memory working set reported is the sum of the working sets for the processes that match the specified pattern. Detailed diagnosis for this test provides details of the individual processes and their individual working sets.

Comparing the working set across processes indicates which process(es) are taking up excessive memory.
By tracking the working set of a process over time, you can determine if the application has a memory
leak or not.