Knowledge Center

This article provides basic information about the Minimum Data Collection steps for troubleshooting common ENS issues.

Ensure that all logs are collected from the same system that experiences the issue, and that all logs are collected at the same time. The logging data time stamps can be used to troubleshoot the problem.

Mismatched logs from different systems, or logs collected at different times, cannot be used for troubleshooting, and might result in having to recollect all Minimum Data Collection logs.
 

• Minimum Escalation Requirements (MER) files with debug logging for ENS are required for all issues. For information about debug logging, see Verify whether ENS debug logging is enabled. For information about how to download the MER files for each McAfee product, see KB59385.

Collect other files and logs for each issue below:

• Slow boot or startup
• Slow logon
• Slow application startup (reproducible or random)
• Slow application performance (reproducible or random)
• Slow system performance (reproducible or random)
• System hang or deadlock
• System BugCheck (blue screen)
• Application hang or deadlock (not responding and does not recover)
• Application crash
• Memory leak (user or kernel mode)
• Issues related to Device Guard or Credential Guard
• One or more ENS components fail to install
• The status of ENS is: Endpoint Security Platform is not running!
• Third-party DLL injection
• Issues related to Threat Intelligence Exchange (TIE)
• Issues related to ENS Firewall

The following sections describe what data to collect for each type of issue.

Depending on the issue, the following tools might be required:

• AMTrace - an internal tool to collect logging data from AMCore (last updated October 11, 2018)
• Windows Performance Recorder - a tool from Microsoft
• Process Monitor - a tool from Microsoft

See the following steps for instructions to prepare and use the tools.

  How to use AMTrace to collect logging data from AMCore:

1. Prepare AMTrace:
   1. Download the zip package ENSDataCollect.zip from the Attachment section of this article.
   2. Extract the contents to the Desktop.
       
2. Run AMTrace:
   1. Click Start, type cmd.exe in the Search bar, right-click cmd.exe from the list, and select Run as administrator. 
   2. When you are ready to start a trace, use the command option below, that the relevant data collection section requires.
      
      NOTE: The following are the paths to the AMTrace.exe file locations:
      • C:\Users\username\Desktop\ENSDataCollect\AMTracex86
      • C:\Users\username\Desktop\ENSDataCollect\AMTracex64
         
      AMTrace command options:
       
      • To use the AMTrace onboot option, run the following command:
         
        AMTrace.exe -b onboot -m 2GB
         
        This command instructs the tool to begin a trace at the next boot.
         
        NOTE: The "GB" is case sensitive. This example limits the log size to 2 GB. 10 MB is the minimum accepted value, and 512 MB is the default if not specified.
         
      • To use AMTrace with the now option:
         
        AMTrace.exe -b now -m 2GB
         
        This command instructs the tool to begin a trace immediately.
         
        NOTE: The "GB" is case sensitive. This example limits the log size to 2 GB.
         
      • To use AMTrace with the rollover option:
         
        AMTrace.exe -b now -m 2GB -L rollover 
         
        NOTE: The "L" and "GB" are case sensitive.
         
        This command instructs the tool to begin a trace immediately, and to limit the log size to 2 GB. When the log reaches 2 GB, a new log is created. The name of the log is appended with _1 for the first log, _2 for the second log, and so on, until the rollover count is reached. When the rollover count is reached, the _1 log is overwritten. This process continues until you stop the trace, the user logs off, or you shut down the system.
         
   3. Stop the trace and save the log. Use the following command:
       
      AMTrace -e

To confirm whether an AMTrace is in progress, run the following command to list any active traces:
AMTrace -q


For a demonstration of how to collect AMTrace data with this procedure, watch the following video:



Back to top

How to use Windows Performance Recorder (WPR):
Run wprui.exe:

1. Click Start, type cmd.exe in the Search bar, right-click cmd.exe from the list, and select Run as administrator. 
2. Type wprui.exe and press Enter to start WPR.
    
   NOTE: If the program does not run or is not found, you must first install it. WPR is part of the Windows Performance Toolkit, available from the Windows SDK or the Windows Assessment and Deployment Kit:
   • For Windows SDK, see https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk.
   • For Windows Assessment and Deployment Kit, see https://msdn.microsoft.com/en-us/windows/hardware/commercialize/test/wpt/index.
      
3. Choose to use a Performance Scenario and other settings, as recommended in the following table:
    

   Performance Issue	Performance Scenario	Detail Level	Logging Mode	Profiles to Include	Number of Iterations
   Slow boot or logon	Boot	See below	File	First-level Triage, CPU usage, File I/O activity, Minifilter I/O Activity	At least 1
   High CPU usage	General	See below	File	First-level Triage, CPU usage, File I/O activity, Minifilter I/O Activity	N/A
   Application is slow or unresponsive	General	See below	File	First-level Triage, CPU usage, File I/O activity, Minifilter I/O Activity	N/A

    
   WPR data is collected to allow for deeper analysis of the problem. The "Minifilter I/O Activity" option is one of the most important and is located under the "Scenario Analysis" section.
   
   The use of WPR places additional strain on the system, which can change or mask the original problem you want to investigate. Collect two data sets with different detail levels. Use the Light setting to show the issue, and the Verbose setting to allow a data set suitable for deeper analysis. Capture at least 30 seconds.
   
   When possible, collect a WPR log without the issue while you perform the same task, for comparative purposes. A data set without ENS present is needed to establish the benchmark for expected performance.  

For a demonstration of how to collect WPR data with this procedure, watch the following video:



Back to top

How to use Process Monitor:

1. Prepare Process Monitor:
   1. Download Process Monitor from: https://technet.microsoft.com/en-us/library/bb896645.aspx.
   2. Extract Procmon.exe to the Desktop.
       
2. Run Process Monitor:
   1. When you are ready to start Process Monitor, use the option below, that the relevant data collection section requires.
      • To immediately start Process Monitor:
        1. Run Procmon.exe and it automatically starts to capture process information.
        2. To stop Process Monitor, press Ctrl+E or click File and deselect Capture Events. Press Ctrl+E again to resume data collection.
        3. To save the log, click File, Save... (select All Events and use the native PML format).
            
      • To enable the Process Monitor boot logging option if required by the relevant data collection section:
        1. Open the Process Monitor console.
        2. Click Options.
        3. Click Enable Boot Logging.
        4. Click OK on the pop-up window. The next time a reboot occurs, a boot trace log is created.
        5. To save the log, run Process Monitor again and click File, Save... (select All Events and use the native PML format).

For a demonstration of how to collect Process Monitor data with this procedure, watch the following video: