Excessive CPU Troubleshooting
Although Directory Monitor aims to be as efficient as possible, overloading or bad configuration can sometimes cause high CPU usage. This article helps you identify why high CPU usage occurs and what you can do to fix it.
High Volume Monitoring
Processing monitoring events can be intensive depending on which options you have enabled, the most intensive being user and process detection. Applying automation (writing to file, emailing, inserting to database, executing an external application etc.) adds to the CPU requirements, since these tasks are performed for every single event.
On high-performance machines, Directory Monitor can process up to 400 events per second with all options enabled. If your combined directory configuration exceeds this, you may start hitting CPU usage limits as well.
If your limits are being reached, split monitoring responsibilities across multiple machines to balance the load.
You can even split by event type across different machines on the same directory (new events on one machine, deletes on another).
Make use of the service for high volumes. It can handle many more events because there is no user interface to update.
If a single directory creates more events than the machine can handle, evaluate whether you actually need everything to be processed. Directory Monitor simply may not be the right solution.
WMI Configuration
This section is relevant when using user and process detection. If Directory Monitor struggles to maintain WMI connections, constant reconnection and preloading will quickly spike the CPU usage on the machine.
A common error message you will see when the configuration is incorrect is "WMI security monitor was cancelled for [PATH], firewall applications could be blocking the WMI requests. User detection may not be possible if WMI calls are being cancelled."
Ensure all the correct permissions and firewall settings are applied so that WMI connections can stay persistent. The configuration assistant can help with this.
Check the Activity Log tab for warnings and errors. Directory Monitor tries to be as reliable as possible, so it will push hard to re-establish connectivity and reload data when there are failures of any kind.
If you are still experiencing problems around WMI, send us a problem report (Help -> Report a Problem) and ensure you agree to run WMI diagnostics. This can take up to five minutes to complete.
Filters
Applying a lot of include and exclude filters can also play a part in excessive CPU usage.
Try to reduce the number of filters, or use more directory configurations that are more specific to what you want to monitor.
Put high probability filters first since they are checked in order. You can avoid a lot of filter checks by placing the most commonly applied ones higher in the list.
Filters on high volume directories will increase the load on the CPU because all events are still captured and run through the filters.
Local Network Shares
Monitoring network shares that are exposed from the same machine is not optimal. Monitoring a local share through the UNC path causes an unnecessary network loopback to the same machine.
Only use the UNC network share path if the share is from a remote machine. This also simplifies user detection because the underlying path does not need to be resolved.
Changes to a directory will always be detected whether they are made locally or over the network. You do not need to monitor the share to detect changes being made. Monitoring the local directory gives the same result with better performance.
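To audit an existing set of monitored paths for the loopback case described above, the following PowerShell is an added example, not part of Directory Monitor. The function names Get-LocalHostAlias and Resolve-LoopbackShare and the sample paths are hypothetical. It flags UNC paths whose server is the local machine and suggests the underlying local directory using Get-SmbShare.

```powershell
# Added example: find monitored UNC paths that loop back to this machine.
# Requires the SmbShare module (Windows 8 / Server 2012 or later).
function Get-LocalHostAlias {
    # Names and addresses that all refer to the machine running this script.
    $names = @('localhost', '127.0.0.1', $env:COMPUTERNAME)
    try {
        $entry = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName())
        $names += $entry.HostName
        $names += $entry.AddressList | ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Verbose 'DNS lookup failed; using static aliases only.'
    }
    $names | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } |
        Select-Object -Unique
}

function Resolve-LoopbackShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$LocalAlias = (Get-LocalHostAlias)
    )
    $result = [pscustomobject]@{ Path = $Path; Kind = 'Local path'; Suggested = $Path }
    # UNC form: \\server\share[\sub\directories]
    if ($Path -match '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)(?<rest>\\.*)?$') {
        $server = $Matches['server']; $shareName = $Matches['share']; $rest = $Matches['rest']
        if ($LocalAlias -notcontains $server.ToLowerInvariant()) {
            $result.Kind = 'Remote share'          # keep the UNC path
        } else {
            $share = Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue
            if ($share -and $share.Path) {
                $result.Kind = 'Local share'       # loopback: monitor the directory itself
                $result.Suggested = if ($rest) { $share.Path.TrimEnd('\') + $rest } else { $share.Path }
            } else {
                $result.Kind = 'Local share (not resolved)'
            }
        }
    }
    $result
}

# Constructed sample input; replace with the paths you actually monitor.
$MonitoredPaths = @(
    'D:\Data\Incoming',
    "\\$env:COMPUTERNAME\Reports\2024",
    '\\fileserver01\Finance'
)
$aliases = Get-LocalHostAlias
$MonitoredPaths | ForEach-Object { Resolve-LoopbackShare -Path $_ -LocalAlias $aliases } |
    Format-Table -AutoSize
```

Rows reported as "Local share" are candidates for switching to the path in the Suggested column; DNS aliases (CNAMEs) that point at the local machine are not detected by this check.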
User Interface
The user interface can struggle to keep up with displaying monitoring events in high volume scenarios. The constant updating of the text or grid log can play a role in excessive CPU usage.
If you are making use of the service feature, consider disabling the various log views if you are only using the user interface for configuration (Log -> Uncheck Text/Grid Log).
Multiple column grouping on the Grid Log can affect performance. You will get a warning if applying the grouping is taking too long.
Do not use Directory Monitor to analyse log data. Instead, use the free Text Log (Directories -> Add/Edit -> Text Log) to export the data and analyse it in an application more suited for this task (such as Excel).