Defender AV Performance Analyzing Using Powershell
Updated: Jul 8, 2022
Hello, Everyone! So in this blog, I will explain how to use Powershell to run a performance analyzer for Microsoft Defender Antivirus. In my previous blog, I explained how to use Procmon for Performance analysis.
Microsoft defender AV provides always-on, real-time protection and on-demand scans on files to protect them from any malicious entries, sometimes the scans take a while especially I had seen when developers build their code defender AV will scan all the activities which will slow down the system performance and it might take longer for them to complete the build, in these cases performance analyzer tools will help us to identify the defender AV scanning activities and will help to define some exclusions which will improve the performance.
Microsoft had provided this as a feature from platform 4.18.2108.7 and above so make sure you are running the right platform to use this feature, and we don't want to install it separately like procmon, The PowerShell command-line tool will help to collect the performance recording an individual endpoint and reports information for top scans, processes, file and file extension which ate most affected by Defender AV, Here I will use Android Studio and will run performance analyzer to see the activity of Defender AV scan
Minimum requirements to run this tool
Supported Windows Version: Windows 10,Windows 11 and Server 2016 and Above Platform Version:4.18.2108.7 and above Powershell version: PowerShell Version 5.1
There are two PowerShell cmdlets used for performance analysis of defender AV
1. New-MpPerformanceRecording 2. Get-MpPerformanceReport
Step 1: To start a performance recording you need to start PowerShell with elevated administrator privilege and use the PowerShell cmdlet
New-MpPerformanceRecording -RecordTo (Specify the path to store the recording)
this will start recording during this time run the build or the other task which you think the cause of performance impact so that the performance analyzer can capture that
when you have finished capturing, press <Enter> or <Ctrl-C> to stop the recording and it will be saved in the location mentioned
Now the recording is saved in ETL format
Step 2: Now the recording is saved we can use the below PowerShell Cmdlet to read the Performance Recording
Get-MpPerformanceReport [-path] (specify the path where recording is saved ) <String>
Below are the parameters for cmdLet Get-MpPerformanceReport
You can read the report based on Specific Parameters for example to check the top 20 files scanned by Defender VA, based on the query you can view data for scan counts, duration (Total/Min/Average/max/Median), path, and process
You can use nested grouping to get a more detailed report for example if you need to know which are the top processes that impact the AV scan time and the top scans associated with each you can run the below command
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 2 -TopScansPerProcess 3
In my case, I am looking for the top Two processes and the top Three scans associated with those processes, you can use nested grouping for TopProcesses, TopFiles, TopExtensions, TopScans, and with MinDuration.
You can use the below commands for each value, You need to provide your recoding saved location.
1. Top Three files
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopFiles 3
This will display the top three file paths scanned by defender AV you can change the value from three to as per your preference.
2. Top Three Extensions
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopExtensions 3
3. Top Five Processes
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 5
4. Top Ten Scans
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 10
5. Top Twenty Scans in Minimum Duration of 100MS (-MinDurations can be used along with other parameters)
Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 20 -MinDuration 100Ms
You can use nested parameters for the more granular report as I mentioned earlier from the available syntax.
Converting & Exporting the Report to CSV & JSON
You can export or convert the report to CSV or JSON file
To Covert to CSV
(Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 20).TopScans | ConvertTo-Csv -NoTypeInformation
To Convert to JSON File
(Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 5).TopScans | ConvertTo-Json -depth:1
To export to CSV
(Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 2000).TopProcesses | Export-Csv -Path C:\temp\Processes.csv
File Output example