Get-MpPerformanceReport
This cmdlet reports the file paths, file extensions, and processes that cause the highest impact to Microsoft Defender Antivirus scans.
Syntax
Get-MpPerformanceReport
[-Path] <String>
[-TopFiles <Int32>]
[-TopScansPerFile <Int32>]
[-TopProcessesPerFile <Int32>]
[-TopScansPerProcessPerFile <Int32>]
[-TopPaths <Int32>]
[-TopPathsDepth <Int32>]
[-TopScansPerPath <Int32>]
[-TopFilesPerPath <Int32>]
[-TopScansPerFilePerPath <Int32>]
[-TopExtensionsPerPath <Int32>]
[-TopScansPerExtensionPerPath <Int32>]
[-TopProcessesPerPath <Int32>]
[-TopScansPerProcessPerPath <Int32>]
[-TopExtensions <Int32>]
[-TopScansPerExtension <Int32>]
[-TopPathsPerExtension <Int32>]
[-TopScansPerPathPerExtension <Int32>]
[-TopFilesPerExtension <Int32>]
[-TopScansPerFilePerExtension <Int32>]
[-TopProcessesPerExtension <Int32>]
[-TopScansPerProcessPerExtension <Int32>]
[-TopProcesses <Int32>]
[-TopScansPerProcess <Int32>]
[-TopFilesPerProcess <Int32>]
[-TopScansPerFilePerProcess <Int32>]
[-TopExtensionsPerProcess <Int32>]
[-TopScansPerExtensionPerProcess <Int32>]
[-TopPathsPerProcess <Int32>]
[-TopScansPerPathPerProcess <Int32>]
[-TopScans <Int32>]
[-MinDuration <String>]
[-MinStartTime <DateTime>]
[-MinEndTime <DateTime>]
[-MaxStartTime <DateTime>]
[-MaxEndTime <DateTime>]
[-Overview]
[-Raw]
[<CommonParameters>]
Description
This cmdlet analyzes a previously collected Microsoft Defender Antivirus performance recording and reports the file paths, file extensions and processes that cause the highest impact to Microsoft Defender Antivirus scans.
The performance analyzer provides insight into problematic files that could cause performance degradation of Microsoft Defender Antivirus. This tool is provided "AS IS", and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.
Examples
EXAMPLE 1
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10
EXAMPLE 2
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10 -Raw | ConvertTo-Json
EXAMPLE 3
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10
EXAMPLE 4
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10
EXAMPLE 5
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopScansPerFile:3
EXAMPLE 6
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopProcessesPerFile:3
EXAMPLE 7
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopProcessesPerFile:3 -TopScansPerProcessPerFile:3
EXAMPLE 8
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10
EXAMPLE 9
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3
EXAMPLE 10
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopScansPerPath:3
EXAMPLE 11
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopScansPerPath:3
EXAMPLE 12
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopFilesPerPath:3
EXAMPLE 13
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopFilesPerPath:3
EXAMPLE 14
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopFilesPerPath:3 -TopScansPerFilePerPath:3
EXAMPLE 15
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopFilesPerPath:3 -TopScansPerFilePerPath:3
EXAMPLE 16
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopExtensionsPerPath:3
EXAMPLE 17
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopExtensionsPerPath:3
EXAMPLE 18
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopExtensionsPerPath:3 -TopScansPerExtensionPerPath:3
EXAMPLE 19
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopExtensionsPerPath:3 -TopScansPerExtensionPerPath:3
EXAMPLE 20
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopProcessesPerPath:3
EXAMPLE 21
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopProcessesPerPath:3
EXAMPLE 22
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopPathsDepth:3 -TopProcessesPerPath:3 -TopScansPerProcessPerPath:3
EXAMPLE 23
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopPaths:10 -TopProcessesPerPath:3 -TopScansPerProcessPerPath:3
EXAMPLE 24
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10
EXAMPLE 25
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopScansPerExtension:3
EXAMPLE 26
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopPathsPerExtension:3
EXAMPLE 27
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopPathsPerExtension:3 -TopPathsDepth:3
EXAMPLE 28
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopPathsPerExtension:3 -TopPathsDepth:3 -TopScansPerPathPerExtension:3
EXAMPLE 29
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopPathsPerExtension:3 -TopScansPerPathPerExtension:3
EXAMPLE 30
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopFilesPerExtension:3
EXAMPLE 31
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopFilesPerExtension:3 -TopScansPerFilePerExtension:3
EXAMPLE 32
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopProcessesPerExtension:3
EXAMPLE 33
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopExtensions:10 -TopProcessesPerExtension:3 -TopScansPerProcessPerExtension:3
EXAMPLE 34
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10
EXAMPLE 35
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopScansPerProcess:3
EXAMPLE 36
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopExtensionsPerProcess:3
EXAMPLE 37
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopExtensionsPerProcess:3 -TopScansPerExtensionPerProcess:3
EXAMPLE 38
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopFilesPerProcess:3
EXAMPLE 39
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopFilesPerProcess:3 -TopScansPerFilePerProcess:3
EXAMPLE 40
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopPathsPerProcess:3
EXAMPLE 41
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopPathsPerProcess:3 -TopPathsDepth:3
EXAMPLE 42
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopPathsPerProcess:3 -TopPathsDepth:3 -TopScansPerPathPerProcess:3
EXAMPLE 43
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopPathsPerProcess:3 -TopScansPerPathPerProcess:3
EXAMPLE 44
Find top 10 scans with longest durations that both start and end between MinStartTime and MaxEndTime:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:"5/14/2022 7:01:11 AM" -MaxEndTime:"5/14/2022 7:01:41 AM"
EXAMPLE 45
Find top 10 scans with longest durations between MinEndTime and MaxStartTime, possibly partially overlapping this period:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinEndTime:"5/14/2022 7:01:11 AM" -MaxStartTime:"5/14/2022 7:01:41 AM"
EXAMPLE 46
Find top 10 scans with longest durations between MinStartTime and MaxStartTime, possibly partially overlapping this period:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:"5/14/2022 7:01:11 AM" -MaxStartTime:"5/14/2022 7:01:41 AM"
EXAMPLE 47
Find top 10 scans with longest durations that start at MinStartTime or later:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:"5/14/2022 7:01:11 AM"
EXAMPLE 48
Find top 10 scans with longest durations that start before or at MaxStartTime:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MaxStartTime:"5/14/2022 7:01:11 AM"
EXAMPLE 49
Find top 10 scans with longest durations that end at MinEndTime or later:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinEndTime:"5/14/2022 7:01:11 AM"
EXAMPLE 50
Find top 10 scans with longest durations that end before or at MaxEndTime:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MaxEndTime:"5/14/2022 7:01:11 AM"
EXAMPLE 51
Find top 10 scans with longest durations, impacting the current interval, that did not start or end between MaxStartTime and MinEndTime.
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MaxStartTime:"5/14/2022 7:01:11 AM" -MinEndTime:"5/14/2022 7:01:41 AM"
EXAMPLE 52
Find top 10 scans with longest durations, impacting the current interval, that started between MinStartTime and MaxStartTime, and ended later than MinEndTime.
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:"5/14/2022 7:00:00 AM" -MaxStartTime:"5/14/2022 7:01:11 AM" -MinEndTime:"5/14/2022 7:01:41 AM"
EXAMPLE 53
Find top 10 scans with longest durations, impacting the current interval, that started before MaxStartTime, and ended between MinEndTime and MaxEndTime.
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MaxStartTime:"5/14/2022 7:01:11 AM" -MinEndTime:"5/14/2022 7:01:41 AM" -MaxEndTime:"5/14/2022 7:02:00 AM"
EXAMPLE 54
Find top 10 scans with longest durations, impacting the current interval, that started between MinStartTime and MaxStartTime, and ended between MinEndTime and MaxEndTime.
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:"5/14/2022 7:00:00 AM" -MaxStartTime:"5/14/2022 7:01:11 AM" -MinEndTime:"5/14/2022 7:01:41 AM" -MaxEndTime:"5/14/2022 7:02:00 AM"
EXAMPLE 55
Find top 10 scans with longest durations that both start and end between MinStartTime and MaxEndTime, using DateTime as raw numbers in FILETIME format, e.g. from -Raw report format:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinStartTime:([DateTime]::FromFileTime(132969744714304340)) -MaxEndTime:([DateTime]::FromFileTime(132969745000971033))
EXAMPLE 56
Find top 10 scans with longest durations between MinEndTime and MaxStartTime, possibly partially overlapping this period, using DateTime as raw numbers in FILETIME format, e.g. from -Raw report format:
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:10 -MinEndTime:([DateTime]::FromFileTime(132969744714304340)) -MaxStartTime:([DateTime]::FromFileTime(132969745000971033))
EXAMPLE 57
Display a summary or overview of the scans captured in the trace, in addition to the information displayed regularly through other arguments. Output is influenced by time interval arguments MinStartTime and MaxEndTime.
Get-MpPerformanceReport -Path:.\Defender-scans.etl [other arguments] -Overview
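The four time bounds used in Examples 44 to 56 combine into one inclusive test on each scan's start and end time. The sketch below is an added example, not code from the cmdlet or the Defender module: it reproduces that test over constructed scan records whose times are FILETIME numbers as in -Raw output. The function name Test-ScanInWindow, the record shape and the sample scans are assumptions; only the two FILETIME values are taken from Example 55.

```powershell
# Added example, not part of the Defender module. Test-ScanInWindow, the record
# shape and all sample scans are constructed; only $t0/$t1 come from Example 55.
function Test-ScanInWindow {
    param(
        [Parameter(Mandatory)] [long] $StartFileTime,  # FILETIME, as in -Raw output
        [Parameter(Mandatory)] [long] $EndFileTime,
        # Defaults mirror the documented parameter defaults.
        [DateTime] $MinStartTime = [DateTime]::MinValue,
        [DateTime] $MaxStartTime = [DateTime]::MaxValue,
        [DateTime] $MinEndTime   = [DateTime]::MinValue,
        [DateTime] $MaxEndTime   = [DateTime]::MaxValue
    )
    # -Raw DateTime values count 100-ns intervals since 1601-01-01 (UTC).
    $scanStart = [DateTime]::FromFileTimeUtc($StartFileTime)
    $scanEnd   = [DateTime]::FromFileTimeUtc($EndFileTime)

    # Every bound is inclusive: "at MinStartTime or later", "before or at MaxEndTime".
    return ($scanStart -ge $MinStartTime) -and ($scanStart -le $MaxStartTime) -and
           ($scanEnd   -ge $MinEndTime)   -and ($scanEnd   -le $MaxEndTime)
}

$sec = 10000000L                  # FILETIME ticks per second
$t0  = 132969744714304340L        # window start
$t1  = 132969745000971033L        # window end, about 28.7 s later
$w0  = [DateTime]::FromFileTimeUtc($t0)
$w1  = [DateTime]::FromFileTimeUtc($t1)

# Constructed scans, one per way a scan can relate to the window.
$scans = @(
    [pscustomobject]@{ Name = 'Inside';         StartTime = $t0 + 5  * $sec; EndTime = $t0 + 10 * $sec }
    [pscustomobject]@{ Name = 'StraddlesStart'; StartTime = $t0 - 10 * $sec; EndTime = $t0 + 5  * $sec }
    [pscustomobject]@{ Name = 'StraddlesEnd';   StartTime = $t0 + 20 * $sec; EndTime = $t1 + 10 * $sec }
    [pscustomobject]@{ Name = 'Spanning';       StartTime = $t0 - 10 * $sec; EndTime = $t1 + 10 * $sec }
    [pscustomobject]@{ Name = 'Before';         StartTime = $t0 - 30 * $sec; EndTime = $t0 - 20 * $sec }
)

# The same two instants, bound to different parameters, select different scans.
$windows = [ordered]@{
    'Contained (Ex. 44, 55)'   = @{ MinStartTime = $w0; MaxEndTime   = $w1 }
    'Overlapping (Ex. 45, 56)' = @{ MinEndTime   = $w0; MaxStartTime = $w1 }
    'Starts within (Ex. 46)'   = @{ MinStartTime = $w0; MaxStartTime = $w1 }
    'Spanning (Ex. 51)'        = @{ MaxStartTime = $w0; MinEndTime   = $w1 }
}

foreach ($w in $windows.GetEnumerator()) {
    $bounds = $w.Value
    $hits = $scans | Where-Object {
        Test-ScanInWindow -StartFileTime $_.StartTime -EndFileTime $_.EndTime @bounds
    }
    [pscustomobject]@{ Window = $w.Key; Scans = ($hits.Name -join ', ') }
}
```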
Parameters
-MaxEndTime
Specifies the maximum end time of scans included in the report. Accepts a valid DateTime.
Type: | DateTime |
Position: | Named |
Default value: | [DateTime]::MaxValue |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MaxStartTime
Specifies the maximum start time of scans included in the report. Accepts a valid DateTime.
Type: | DateTime |
Position: | Named |
Default value: | [DateTime]::MaxValue |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MinDuration
Specifies the minimum duration of any scans or total scan durations of files, extensions and processes included in the report. Accepts values like '0.1234567sec' or '0.1234ms' or '0.1us' or a valid TimeSpan.
Type: | String |
Position: | Named |
Default value: | 0us |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MinEndTime
Specifies the minimum end time of scans included in the report. Accepts a valid DateTime.
Type: | DateTime |
Position: | Named |
Default value: | [DateTime]::MinValue |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MinStartTime
Specifies the minimum start time of scans included in the report. Accepts a valid DateTime.
Type: | DateTime |
Position: | Named |
Default value: | [DateTime]::MinValue |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Overview
Adds an overview or summary of the scans captured in the trace to the regular output.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Path
Specifies the location of the Microsoft Defender Antivirus performance recording to analyze.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Raw
Specifies that the output should be machine readable and readily convertible to serialization formats like JSON.
- Collections and elements are not formatted.
- TimeSpan values are represented as number of 100-nanosecond intervals.
- DateTime values are represented as number of 100-nanosecond intervals since January 1, 1601 (UTC).
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopExtensions
Requests a top extensions report and specifies how many top extensions to output, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopExtensionsPerPath
Specifies how many top extensions to output for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopExtensionsPerProcess
Specifies how many top extensions to output for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopFiles
Requests a top files report and specifies how many top files to output, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopFilesPerExtension
Specifies how many top files to output for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopFilesPerPath
Specifies how many top files to output for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopFilesPerProcess
Specifies how many top files to output for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopPaths
Requests a top paths report and specifies how many top entries to output, sorted by "Duration". This is called recursively for each directory entry. Scans are grouped hierarchically per folder and sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopPathsDepth
Specifies the maximum depth (path-wise) that will be used to group scans when -TopPaths is used.
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopPathsPerExtension
Specifies how many top paths to output for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopPathsPerProcess
Specifies how many top paths to output for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopProcesses
Requests a top processes report and specifies how many top processes to output, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopProcessesPerExtension
Specifies how many top processes to output for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopProcessesPerFile
Specifies how many top processes to output for each top file, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopProcessesPerPath
Specifies how many top processes to output for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScans
Requests a top scans report and specifies how many top scans to output, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerExtension
Specifies how many top scans to output for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerExtensionPerPath
Specifies how many top scans to output for each top extension for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerExtensionPerProcess
Specifies how many top scans to output for each top extension for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerFile
Specifies how many top scans to output for each top file, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerFilePerExtension
Specifies how many top scans to output for each top file for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerFilePerPath
Specifies how many top scans to output for each top file for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerFilePerProcess
Specifies how many top scans to output for each top file for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerPath
Specifies how many top scans to output for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerPathPerExtension
Specifies how many top scans to output for each top path for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerPathPerProcess
Specifies how many top scans to output for each top path for each top process, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerProcess
Specifies how many top scans to output for each top process in the Top Processes report, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerProcessPerExtension
Specifies how many top scans to output for each top process for each top extension, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerProcessPerFile
Specifies how many top scans to output for each top process for each top file, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TopScansPerProcessPerPath
Specifies how many top scans to output for each top process for each top path, sorted by "Duration".
Type: | Int32 |
Position: | Named |
Default value: | 0 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |