amp-05-windows-tune

amp-05-windows-tune copied to clipboard

AMP for Endpoints Windows Tuning Tool:

Windows Endpoint tuning tool provides a quick view of top file and process scans occurring on a connector, designed to assist with performance tuning.

Before using you must have the following:

Debug diagnostic file from the host in question

Usage:

Place PE in the directory where the debug diagnostic file is to run the tool.

Diag_analyzer.exe 
	- will use the first diagnostic in the directory alphabetically
```	
OR

Additional flags: -t "": specify time for log inclusion

time format: 3_letter_month 2_digit_day 24hour:minute:second i.e. Jan 01 01:01:01 is January 1st at 1:01:01AM

Example: Diag_analyzer.exe -t "Jan 01 01:01:01" Results will be based on the logs starting at specified time until end of logs

-i : specify diagnostic file Example: Diag_analyzer.exe -i Cisco_AMP_Diag.7z Results will be based on the specified diagnostic file

-d : specify a directory of Diagnostic files to be analyzed Example: Diag_analyzer.exe -d C:/Users/testUser/Diagnostics - Will process all AMP diagnostics in the directory with the execuatable - Use "-d ." to process current directory
- Do not put quotes around the path

Combo results Example: Diag_analyzer.exe -i Cisco_AMP_diah.7z -t "Jan 01 01:01:01" Results: Specified diagnostic file will be analyzed from Jan 1st, 01:01:01 AM to current

Diag_analyzer.exe will check the provided AMP diagnostic file for sfc.exe.log files.  
It will then create a directory with the diagnostic file name and store the log files outside of the .7z, in the parent directory of the diagnostic.
Next, it will parse the logs and determine the Top 10 Processes, Files, Extensions and Paths.
Finally, it will print that information to the screen and also to a {Diagnostic}-summary.txt file.

### Example script output:  

Top 10 Processes: 423 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 308 C:\Windows\explorer.exe 168 C:\Users\testuser\AppData\Local\Programs\Python\Python37-32\python.exe 150 C:\Users\testuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\usr\bin\python3.6 112 C:\Program Files\JetBrains\PyCharm Community Edition 2018.3\bin\pycharm64.exe 83 C:\Windows\System32\wbem\WmiPrvSE.exe 64 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 55 C:\Program Files (x86)\Atlassian\HipChat4\HipChat.exe 29 C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE 25 C:\Windows\System32\svchost.exe

Top 10 Files: 22 C:\Windows\CCM\clientstate.dat 21 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive 13 C:\Users\testuser.PyCharmCE2018.3\system\caches\records.dat 10 C:\ProgramData\NVIDIA Corporation\Drs\nvAppTimestamps 10 C:\Users\testuser.PyCharmCE2018.3\system\caches\contentHashes.dat.keystream 10 C:\Users\testuser.PyCharmCE2018.3\system\caches\contentHashes.dat_i 10 C:\Users\testuser.PyCharmCE2018.3\system\caches\contentHashes.dat 9 C:\Users\testuser.PyCharmCE2018.3\config\options\recentProjectDirectories.xml 9 C:\Users\testuser\AppData\Local\Temp\decompress.py.idea\workspace.xml___jb_tmp___ 8 C:\Windows\CCM\StateMessageStore.sdf

Top 10 Extensions: 372 txt 233 tmp 81 gz 56 dat 53 vbs 52 xml 50 db 45 ps1 39 tar 22 psm1

Top 100 Paths: 306 C:\Users\testuser\Desktop\TEST\decompress 293 C:$Recycle.Bin\S-1-5-21-1708537768-1303643608-725345543-9394300 168 C:\Users\testuser\AppData\Local\Google\Chrome\User Data\Default\Cache 167 C:\Users\testuser\AppData\Local\Google\Chrome\User Data\Default 75 C:\Windows\CCM\SystemTemp 46 C:\Windows\Temp ...

All Files: 22 C:\Windows\CCM\clientstate.dat 21 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive