Get process owner from performance counters

Occasional Visitor

Good morning!

I'm having a bit of an issue with a farm, comprised of 18 NV24 VMs, each with a current session limit of 24 people.

They are heavy CAD users, and sometimes they will launch processes that effectively kill a host for a few minutes to half an hour.

The issue I'm having is that so far I haven't found a way to identify the user(s) responsible for those processes.

We have a log analytics set up with all counters, but I can't find a way to match a process with the owner. The only way I'm able to do it is with either PowerShell or an interactive session, both of which won't run when the CPU is under heavy load.

 

Do you have any input on how to go about something like this? It seems like a very common issue, but I haven't been able to find any reference to a process owner in counters. The only thing I saw is the session number next to the process name if queried from log analytics, but it's hard at best to match with a session posthumously.

 

Thank you very much for any help you might give me. 

1 Reply

@Enrico1433 

I note you mention the log analytics to match the Session ID is not viable post the event and initiating a process when the issue occurs is limited due to CPU load.

 

Would logging when processes start up as a user, capturing their session ID and the process and timestamp initiated, provide a reference which could be used in conjunction with the log analytics?

 

The process could be launched as the system or when a user logs in.

 

@server_gov
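An added example, not part of the thread: one way to use the start-up log the reply proposes as a lookup table for counter samples. The record layout (host, session ID, process name, user, start time) and all sample values are assumptions constructed for illustration. The point it shows is that session IDs are reused on a host, so the match has to be bounded by time as well as by session ID.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data: process-start records as a logger running as
# SYSTEM (or at user logon) might write them, one row per process launch.
START_LOG = [
    # host, session_id, process, user, start time (UTC, ISO 8601)
    ("host-01", 3, "acad.exe", "CONTOSO\\alice", "2021-11-22T08:05:10"),
    ("host-01", 5, "acad.exe", "CONTOSO\\bob",   "2021-11-22T08:40:00"),
    # Session 3 on host-01 is reused by another user later the same day.
    ("host-01", 3, "acad.exe", "CONTOSO\\carol", "2021-11-22T13:15:30"),
    ("host-02", 3, "acad.exe", "CONTOSO\\dave",  "2021-11-22T09:00:00"),
]

def build_index(start_log):
    """Group start records by (host, session, process), sorted by start time."""
    index = defaultdict(list)
    for host, session_id, process, user, started in start_log:
        key = (host, session_id, process.lower())
        index[key].append((datetime.fromisoformat(started), user))
    for records in index.values():
        records.sort()
    return index

def owner_at(index, host, session_id, process, sample_time):
    """Attribute a counter sample to a user.

    Returns the user of the most recent start record for that host, session
    and process at or before sample_time, or None when no record precedes it.
    Session end times are not logged here, so a sample taken after the user
    logged off would still be attributed to the last known owner.
    """
    records = index.get((host, session_id, process.lower()), [])
    when = datetime.fromisoformat(sample_time)
    start_times = [started for started, _ in records]
    pos = bisect_right(start_times, when)
    return records[pos - 1][1] if pos else None

if __name__ == "__main__":
    idx = build_index(START_LOG)
    # Same host, same session ID, same process: different owner by time of day.
    print(owner_at(idx, "host-01", 3, "acad.exe", "2021-11-22T09:30:00"))
    print(owner_at(idx, "host-01", 3, "acad.exe", "2021-11-22T14:00:00"))
```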