question

VenkataSNMPrayaga-8521 asked:

Looking for the right API to get separate Disk and Network for each Process

For each Process running on the machine, I am looking to get Disk Read bytes and Disk Write bytes and also Network IO Send and Receive bytes.

I found "GetProcessIoCounters", but the documentation is not clear as to whether the IO bytes are an aggregate of Disk and Network as well?

On the other hand Win32_PerfRawData_PerfProc_Process reports aggregate I/O as bytes/second while I am looking to get actual read and write bytes for Disk and Network.

ETW tracing seems to be heavyweight, and it doesn't seem to report Disk read and write at the Process level.
Performance Counters too seem to report only aggregate bytes/second and don't distinguish between Disk and Network either.

Any help with this is greatly appreciated.

windows-api

1 Answer

Castorix31 answered:

Resource Monitor uses
NtQuerySystemInformation (SYSTEM_PROCESS_INFORMATION)
and
GetExtendedTcpTable for network

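The two data sources the answer names, shown from PowerShell as an added example (this is not code from the thread or from Resource Monitor). Win32_Process exposes ReadTransferCount/WriteTransferCount/OtherTransferCount, which are the same lifetime counters that SYSTEM_PROCESS_INFORMATION and GetProcessIoCounters report; Get-NetTCPConnection exposes the OwningProcess field that GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL) returns. The window length, function names and output columns are choices made for this example.

```powershell
# Added example, not part of the original answer.
# Per-process cumulative I/O bytes (from the same counters as
# SYSTEM_PROCESS_INFORMATION / GetProcessIoCounters) and the TCP
# connection -> owning PID map (what GetExtendedTcpTable provides).

function Get-ProcessIoSnapshot {
    # One object per process with the lifetime transfer counters.
    # These count every I/O the process issued (file, pipe, socket, device);
    # the API does not split them into disk vs. network.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Name       = $_.Name
            ReadBytes  = [uint64]$_.ReadTransferCount
            WriteBytes = [uint64]$_.WriteTransferCount
            OtherBytes = [uint64]$_.OtherTransferCount
        }
    }
}

function Get-ProcessIoDelta {
    param([int]$Seconds = 5)   # sampling window; 5 s is an arbitrary default
    # Diff two snapshots so the result is bytes moved inside the window
    # rather than since process start.
    $before = @{}
    Get-ProcessIoSnapshot | ForEach-Object { $before[$_.Pid] = $_ }
    Start-Sleep -Seconds $Seconds
    Get-ProcessIoSnapshot | ForEach-Object {
        $prev = $before[$_.Pid]
        if ($null -eq $prev) { return }   # started inside the window: no baseline, skip
        [pscustomobject]@{
            Pid        = $_.Pid
            Name       = $_.Name
            ReadDelta  = $_.ReadBytes  - $prev.ReadBytes
            WriteDelta = $_.WriteBytes - $prev.WriteBytes
            OtherDelta = $_.OtherBytes - $prev.OtherBytes
        }
    } | Where-Object { $_.ReadDelta -gt 0 -or $_.WriteDelta -gt 0 } |
        Sort-Object { $_.ReadDelta + $_.WriteDelta } -Descending
}

function Get-ProcessTcpEndpoints {
    # Established TCP connections grouped by owning PID. This is the owner
    # mapping only; the TCP table carries no per-connection byte counts.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object OwningProcess | ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $remotes = $_.Group |
                ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                Select-Object -Unique
            [pscustomobject]@{
                Pid         = [int]$_.Name
                Name        = $name
                Connections = $_.Count
                Remotes     = ($remotes -join ', ')
            }
        }
}

# Usage: top I/O movers over a 5 second window, then the TCP owner map.
Get-ProcessIoDelta -Seconds 5 | Select-Object -First 10 | Format-Table -AutoSize
Get-ProcessTcpEndpoints | Format-Table -AutoSize
```

Two caveats worth knowing before building on this: the transfer counters are totals across all I/O kinds, so a process that only talks to a socket still shows up under ReadBytes/WriteBytes, and the TCP table tells you who owns an endpoint but not how many bytes crossed it. The split into disk bytes versus network bytes per process that Resource Monitor displays comes from its ETW session (see the comment below), not from these two calls.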

Resource Monitor also uses ETW in "real time" mode. The Resource Monitor ETW session names start with "WDC." (for example "WDC.BE95A9B1-DE15-4B78-B923-A12AB70BE951") and the session includes the following providers:

  • Microsoft-Windows-Kernel-Process

  • Microsoft-Windows-Kernel-Network

  • Microsoft-Windows-Kernel-File

  • Microsoft-Windows-Kernel-Disk

  • {B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716} (not sure that this provider actually exists on my system)

  • Thread Pool ({C861D0E2-A2C1-4D36-9F9C-970BAB943A12})

Gary

P.S. Just discovered that {B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716} has the symbolic name WdcRundownProvGuid, so its events are probably not important when wanting to get an overview of Network/File/Disk activity.

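An added example (not from the comment above, and not Resource Monitor's own code) of using the kernel providers Gary lists: start a trace session with logman, stop it, then read the .etl back with Get-WinEvent and total bytes per PID. The event IDs and field names used here are assumptions to check against the manifests on your build with `wevtutil gp Microsoft-Windows-Kernel-Network /ge /gm` and the same for Kernel-File: TCPv4 send/receive as events 10/11 with a `PID` and `size` field in the event data, and file read/write as events 15/16 with an `IOSize` field attributed through the event header ProcessId. Session and file names are arbitrary. Kernel-Disk is enabled so the trace matches the session described, but it is not tallied, because its events are attributed by issuing thread rather than by the header PID.

```powershell
# Added example, not part of the original comment. Requires an elevated
# prompt (or membership in Performance Log Users) to start an ETW session.

function Start-IoTrace {
    param([string]$Name = 'PerProcIo',                    # session name, arbitrary
          [string]$Etl  = "$env:TEMP\perprocio.etl")      # output file, arbitrary
    # Same kernel providers as the Resource Monitor session described above.
    logman create trace $Name -p 'Microsoft-Windows-Kernel-Network' -o $Etl -ets | Out-Null
    logman update trace $Name -p 'Microsoft-Windows-Kernel-File' -ets | Out-Null
    logman update trace $Name -p 'Microsoft-Windows-Kernel-Disk' -ets | Out-Null
    return $Etl
}

function Stop-IoTrace {
    param([string]$Name = 'PerProcIo')
    logman stop $Name -ets | Out-Null
}

function Get-IoBucket {
    # Returns (creating if needed) the per-PID tally hashtable.
    param([hashtable]$Totals, [int]$ProcessId)
    if (-not $Totals.ContainsKey($ProcessId)) {
        $Totals[$ProcessId] = @{ NetSend = 0; NetRecv = 0; FileRead = 0; FileWrite = 0 }
    }
    return $Totals[$ProcessId]
}

function Measure-PerProcessIo {
    param([Parameter(Mandatory)][string]$Etl)
    $totals = @{}   # PID -> @{NetSend; NetRecv; FileRead; FileWrite} in bytes
    # .etl files must be read oldest-first.
    Get-WinEvent -Path $Etl -Oldest -ErrorAction SilentlyContinue | ForEach-Object {
        $e = $_
        # Read event data by field name from the XML rendering so the code does
        # not depend on the positional order in the provider manifest.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        switch ($e.ProviderName) {
            'Microsoft-Windows-Kernel-Network' {
                # ASSUMED: 10 = TCPv4 data sent, 11 = TCPv4 data received; the
                # PID is in the event data because the event can fire in DPC context.
                if ($e.Id -eq 10 -or $e.Id -eq 11) {
                    $t = Get-IoBucket $totals ([int]$d.PID)
                    if ($e.Id -eq 10) { $t.NetSend += [uint64]$d.size }
                    else              { $t.NetRecv += [uint64]$d.size }
                }
            }
            'Microsoft-Windows-Kernel-File' {
                # ASSUMED: 15 = Read, 16 = Write, with IOSize; the issuing
                # process is the one in the event header.
                if ($e.Id -eq 15 -or $e.Id -eq 16) {
                    $t = Get-IoBucket $totals ([int]$e.ProcessId)
                    if ($e.Id -eq 15) { $t.FileRead  += [uint64]$d.IOSize }
                    else              { $t.FileWrite += [uint64]$d.IOSize }
                }
            }
        }
    }
    foreach ($k in $totals.Keys) {
        $t = $totals[$k]
        $proc = Get-Process -Id $k -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        [pscustomobject]@{
            Pid            = $k
            Name           = $name
            NetSendBytes   = $t.NetSend
            NetRecvBytes   = $t.NetRecv
            FileReadBytes  = $t.FileRead
            FileWriteBytes = $t.FileWrite
        }
    }
}

# Usage: trace for 10 seconds, then tally per process.
$etl = Start-IoTrace
Start-Sleep -Seconds 10
Stop-IoTrace
Measure-PerProcessIo -Etl $etl |
    Sort-Object { $_.NetSendBytes + $_.NetRecvBytes + $_.FileReadBytes + $_.FileWriteBytes } -Descending |
    Format-Table -AutoSize
```

Kernel-File read/write events count file-level I/O (cache hits included), which is what gives a per-process disk figure that the aggregate counters cannot; Kernel-Disk events describe the physical transfers and need thread-to-process correlation before they can be attributed the same way. If a process exits before the tally runs, its name is reported as `<exited>` rather than dropped, so the bytes are still accounted for.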

They're checking the account now; I asked them to remove the erroneous suspension.


Hooray, suspension removed!
