Windows 7: The PerfMon System and Security Test
While you may get an erroneous warning message regarding the absence of an antivirus solution, you can adjust PerfMon to report accurately.
Fisnik Hasani
The Reliability and Performance Monitor (PerfMon) was first introduced in Windows Vista. This was one of the new Microsoft Management Console (MMC) snap-in components that was truly helpful. This snap-in is still present in Windows 7 in a slightly modified version, yet its primary function remains the same.
During my time on the Microsoft Answers Forum, there were many posts that dealt with the PerfMon health report generator issue, especially when the report stated that the Security Center had not recorded an antivirus product. In this article, I’ll analyze and explain this issue and help you with a resolution.
The PerfMon System Health Report
PerfMon generates a complete system health report by collecting a lot of system information (see Figure 1), including:
- Software Configuration, which checks on the OS, Security Center, system services and data on start-up programs.
- Hardware Configuration, which checks on the disks, system, desktop rating (Windows Experience Index), BIOS, devices, interactive session processes, logged on users and user accounts.
- CPU, which includes checks and information on processor, CPU unit type, CPU interrupts, services and system.
- Network, which includes checks and information on outbound and inbound traffic, TCP version, interface, IP and User Datagram Protocol (UDP).
- Disk, which includes checks and information on hot files (those causing the most disk IOs), disk breakdown, physical disk and NTFS performance.
- Memory, which includes checks and information on process and counters.
.jpg "The Reliability and Performance Monitor in Windows 7 collects data and generates reports")
Figure 1 The Reliability and Performance Monitor in Windows 7 collects data and generates reports.
PerfMon gathers and checks the collected information and generates a report. Then you can analyze the report and determine whether or not your system has any issues—and, if so, what the possible solutions are. Built-in tools like this help a lot in the long run. Pay particular attention to whether or not the Security Center records an antivirus product.
There’s a small (and sometimes very common) issue that appears in the report that can sometimes be misleading. Action Center in Windows 7 sometimes reports that the antivirus is found and up-to-date, but the health report states the Security Center has not recorded the antivirus product (see Figure 2).
.jpg "A PerfMon report stating that Security Center could not record an antivirus product")
Figure 2 APerfMon report stating that Security Center could not record an antivirus product.
How does this discrepancy occur? There are two different factors at work. These two factors are simple to explain. It has to do with how PerfMon collects the Security Center data.
PerfMon collects information about the system with help from Windows Management Instrumentation (WMI) and some Registry data. The report it generates will clearly state that the Security Center hasn’t recorded an antivirus product, because it often checks the wrong WMI-root path.
There are two WMI-root paths available in Windows Vista and Windows 7. Some of the API changes in the Windows Security Center in Windows 7 (which has, in fact, become the Action Center) have affected the WMI queries and root paths.
Here’s the old WMI-root path (as it appeared in Windows XP):
\\Hostname\ROOT\SecurityCenter:AntiVirusProduct
Here’s the new WMI-root path:
\\Hostname\ROOT\SecurityCenter2:AntiVirusProduct
If PerfMon checks the wrong WMI-root path in Windows Vista and Windows 7, this can result in program code exception or NULL object property value. That causes PerfMon to state that Security Center has not recorded an antivirus product.
A quick way to verify this is to use some C# code and the System.Management references from the Microsoft .NET Framework. These include some useful classes to access WMI. The picture becomes brighter when you can select between two WMI-root paths. Then you can also see what’s causing this false information to appear in the PerfMon health report.
Before moving on to the second factor, look at the two different property dialogs that represent the AntivirusProduct data in the ROOT\SecurityCenter & ROOT\SecurityCenter2 (see Figure 3).
.jpg "The first AntivirusProduct Properties dialog includes properties actually stored under the old WMI-root path")
Figure 3 The first AntivirusProduct Properties dialog includes properties actually stored under the old WMI-root path.
Antivirus Issues
The second factor isn’t really caused by PerfMon checking in the wrong WMI-root path. It actually deals with both third-party and Microsoft’s own antivirus products. Many antivirus programs don’t use WMI to store details about their antivirus. However, some do.
Due to the API changes in the Security Center, many antivirus companies started storing their WMI data in the new path. It’s better if they store data in the both paths—then you can avoid the false error message: “The Security Center has not recorded an antivirus product.”
This issue can be relatively easy to fix. However, there are a couple of things you have to do. The first solution is to ask that your third-party antivirus company writes to the new WMI-root path only. The second solution is to send feedback to Microsoft and ask the company to ship a patch for Windows that removes the old WMI-root path and overwrites the old copy of the perfmon.exe in the %SYSTEMROOT%\System32 directory.
There’s another possible solution, as well. Antivirus companies can store data under both WMI-root paths, to avoid the false information issue in the PerfMon health report (see Figure 4).
.jpg "The first WMI-root path is the old one, and the second is the new one")
Figure 4 The first WMI-root path is the old one, and the second is the new one.
After saving the newly created object in the old WMI-root path, the false reporting from the PerfMon health report is gone (see Figure 5), which means the issue is resolved.
.jpg "After creating a new object under the old WMI-root path, PerfMon found the information and reported accurately")
Figure 5 After creating a new object under the old WMI-root path, PerfMon found the information and reported accurately.
As you can see, this is a simple issue, but can be complex to fix. Users manually create objects under the old WMI-root path. Addressing this can require that users have good computer skills and be intimately familiar with Windows. You also have to ensure that your antivirus companies are taking action and modifying their software to use both WMI-root paths.
.jpg "Joshua Hoffman")
**Fisnik Hasani**is the founder of ITknowledge24.com, a resource for IT professionals, and Microsoft MVP 2011 - Consumer Security, Microsoft Community Contributor. Visit his Web site at itknowledge24.com and follow him on Twitter at Twitter.com/ITknowledge24.