Defender performance analyzer
Sometimes when real-time protection and on-demand scanning takes a bit of time. It’s sometimes difficult to see exactly what it’s doing and what takes time.
A new set of PowerShell cmd-lets have been released which allows us to do a performance recording of defender, New-MpPerformanceRecording and Get-MpPerformanceReport, and troubleshooting performance.
When showing the help of the cmd-let we can see that there are two parameters
- -RecordTo <string>: The path of the outputfile
- -Seconds <int>: Number of seconds to run the recording
The seconds parameter is useful when running none-interactive sessions against multiple devices
Using the performance recorder
In PowerShell, we use the command New-MpPerformanceRecording and specify the output .etl file.
New-MpPerformanceRecording -RecordTo .\scan.etl
This will start the recorder

We can press Enter at any time to stop the recording and Ctrl-C if we want to abort.

The output file is saved and we can now open it with the cmd-let Get-MpPerformanceReport

The cmd-let allows us to look at the data in different ways
- -TopFiles
- -TopScansPerFile
- -TopProcessesPerFile
- -TopScansPerProcessPerFile
- -TopExtensions
- -TopScansPerExtension
- -TopFilesPerExtension
- -TopScansPerProcess
- etc…
Example
Get-MpPerformanceReport -Path .\scan.etl -TopFiles 1

Another example of output

Since it’s a ETL file we can actually open it with any ETL viewer, however, the result is not presented to us in the same way

We can see that Windows Performance Recorder is used under the hood

IMPORTANT, If you plan to use this troubleshooting to find paths for exclusions, be very careful. You might accidently open up your device to threats. If you are not 100% certain of your exclusions, please ask for help!
Happy Hunting!
/Sec-Labs Team