
7.1 WINDOWS PERFORMANCE OBJECTS DATA

Performance objects built into Windows XP Professional with Service Pack 2 provide data about objects on a computer, including hardware components (objects such as Processor, Cache, Memory, Physical Disk and Network Interface) and services or server programs (objects such as Server, WINS (Windows Internet Name Service), ICMP, TCP, UDP and IP) [1]. There is also a System object. More examples of performance objects are given in Table 7.1. Some performance objects, such as the Process object, have more than one instance. Each performance object has counters which provide data representing various activity, state and performance aspects of that object. Under the definitions of activity, state and performance given in Chapter 1, the counters of an object therefore cover not only its performance data but also its activity and state data. For example, the Network Interface performance object has a counter, Packets Received/sec, which summarizes arriving-packet activity at the network interface. The same object has a counter, Output Queue Length (measured in packets), which captures the state (i.e., the length) of the output packet queue. Another counter of the object, Packets Outbound Errors, gives one measure of data transmission performance: the number of outbound packets that could not be transmitted because of errors. Table 7.1 gives examples of counters for a number of performance objects.

Secure Computer and Network Systems: Modeling, Analysis and Design. Nong Ye. © 2008 John Wiley & Sons, Ltd

Table 7.1 Examples of performance objects and their counters

| Performance object | Counters |
| --- | --- |
| ACS (Admission Control Service)/RSVP (Resource Reservation Protocol) Service | Failed QoS requests; RSVP sessions |
| Active Server Pages | Request Execution Time; Request Wait Time; Requests Failed Total; Requests Queued; Session Duration; Session Total |
| Browser | Illegal Datagrams/sec; Missed Server Announcements; Server List Requests/sec |
| Cache | Copy Reads/sec; Copy Read Hits %; Data Maps Hits % |
| FTP Service | Current Connections; FTP Service Uptime; Total Anonymous Users; Total Connection Attempts; Total Files Received; Total Files Sent; Total Login Attempts |
| HTTP Indexing Service | Active Queries; Queries per minute; Total Queries; Total Requests Rejected |
| IAS Authentication Clients | Access Accepts/sec; Access Rejects/sec; Bad Authenticators; Malformed Packets |
| IAS Authentication Server | Duplicate Access-Requests; Invalid Requests; Malformed Packets; Server Up Time |
| ICMP | Messages/sec; Received Dest. Unreachable; Received Echo/sec |
| Indexing Service | Files to be Indexed; Index Size; Total # Documents |
| Indexing Service Filter | Binding Time; Indexing Speed (MB/hr) |
| Internet Information Services Global Object | BLOB Cache Flushes; Current File Cache Memory Usage; Current URIs Cached; Measured Async I/O Bandwidth Usage |
| IP | Datagrams/sec; Datagrams Received Header Errors; Fragment Reassembly Failures |
| Job Object | Current % Kernel Mode Time; Current % Processor Time; Process Count – Active |
| Job Object Details | % Privileged Time; I/O Data Operations/sec; Page Faults/sec; Pool Nonpaged Bytes |
| Memory | % Committed Bytes in Use; Available Bytes; Cache Faults/sec; Page Faults/sec; System Code Resident Bytes |
| MSMQ Queue | Bytes in Queue |
| MSMQ Queue Service | Incoming Messages/sec; IP Sessions; Total Messages in all Queues |
| Network Interface | Bytes Received/sec; Current Bandwidth; Output Queue Length; Packets Outbound Errors |
| Objects | Events; Processes; Threads |
| Paging File | % Usage; % Usage Peak |
| Physical Disk | % Disk Time; Current Disk Queue Length; Disk Reads/sec |
| Print Queue | Job Errors; Total Pages Printed |
| Process | % Privileged Time; Handle Count; ID Process; IO Read Operations/sec; Page Faults/sec |
| Processor | % Privileged Time; % User Time; DPC Rate; Interrupts/sec |
| RAS (Remote Access Service) Port | Alignment Errors; Buffer Overrun Errors; Frames Received/sec; Serial Overrun Errors |
| Redirector | Bytes Received/sec; Current Commands; Network Errors/sec; Reads Large/sec; Server Reconnects |
| Server | Bytes Total/sec; Errors Login; File Directory Search; File Opened Total; Session Timed Out |
| Server Work Queues | Active Threads; Available Work Items; Current Clients; Queue Length; Total Bytes/sec |
| System | % Registry Quota in Use; Context Switches/sec; File Control Operations/sec; Processes; Processor Queue Length; System Calls/sec; System Up Time |
| TCP | Connection Failures; Connections Active; Connections Reset; Segments/sec |
| Telephony | Active Lines; Current Incoming Calls; Outgoing Calls/sec |
| Terminal Services Session | Input Errors; Output Bytes; Total Async Frame Error; Total Protocol Cache Hits |
| Thread | % Privileged Time; % User Time; Context Switches/sec; Priority Current; Thread State; Thread Wait Reason |
| UDP | Datagrams Not Port/sec; Datagrams Received Errors; Datagrams/sec |
| Web Service | Anonymous Users/sec; Bytes Total/sec; CGI Requests/sec; Connection Attempts/sec; Current Connections; Get Requests/sec; Locked Errors/sec; Logon Attempts/sec; Service Uptime; Total Files Transferred; Total Not Found Errors |

Each counter is logged using a counter path, which specifies the computer name, object, instance, instance index and counter in the following format:

Computer-name\Object name(Instance name#Index number)\Counter name.

An example of a counter specified by the counter path is:

ALPHA02\Process(services)\%Processor Time,

for the % Processor Time counter of the services instance of the Process object on a computer named ALPHA02.
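To make the counter path format above concrete, and to show how a log of counters such as those in Table 7.1 is turned into per-counter data series, the following Python is an added example; it is not code from the book or from Windows. It parses paths of the form Computer-name\Object name(Instance name#Index number)\Counter name, with or without the leading "\\" that Windows tools write before the computer name, and handles the awkward case where the instance name itself contains parentheses (Network Interface instances often do). The sample counter log embedded in the block is constructed for illustration; its column layout (a timestamp column followed by one column per counter path) follows the CSV export of the Performance tool, but the computer name, timestamps and values are invented.

```python
"""Parse Windows performance counter paths and a counter log.

Added example, not code from the book.  Counter paths have the form
Computer-name\Object name(Instance name#Index number)\Counter name;
the instance and index parts are absent for single-instance objects.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CounterPath:
    computer: Optional[str]   # None when the path carries no computer name
    obj: str                  # performance object, e.g. "Process"
    instance: Optional[str]   # None for single-instance objects such as Memory
    index: Optional[int]      # "#n" suffix disambiguating same-named instances
    counter: str              # counter name, e.g. "% Processor Time"


def parse_counter_path(path: str) -> CounterPath:
    """Split a counter path into its components.

    Instance names may contain parentheses (e.g. a Network Interface
    instance "Intel(R) PRO/1000 MT"), so the instance is taken as everything
    between the first "(" after the object name and the final ")" of that
    segment instead of being matched with a regular expression.
    """
    text = path.strip()
    computer = None
    if text.startswith("\\\\"):
        # Tool-style path: \\COMPUTER\Object(...)\Counter
        computer, _, text = text[2:].partition("\\")
    elif not text.startswith("\\") and text.count("\\") >= 2:
        # Book-style path without leading backslashes: COMPUTER\Object(...)\Counter
        computer, _, text = text.partition("\\")
    text = text.lstrip("\\")
    # The counter name follows the last backslash and never contains one.
    obj_part, sep, counter = text.rpartition("\\")
    if not sep or not counter or not obj_part:
        raise ValueError(f"malformed counter path: {path!r}")
    instance = index = None
    if obj_part.endswith(")"):
        open_pos = obj_part.find("(")
        if open_pos == -1:
            raise ValueError(f"unbalanced instance in: {path!r}")
        obj = obj_part[:open_pos]
        instance = obj_part[open_pos + 1:-1]
        # A trailing "#n" selects the n-th instance sharing that name.
        name, hash_sep, idx = instance.rpartition("#")
        if hash_sep and idx.isdigit():
            instance, index = name, int(idx)
    else:
        obj = obj_part
    return CounterPath(computer, obj.strip(), instance, index, counter.strip())


# Constructed sample log (not real data): timestamp column, then one column
# per counter path, as the Performance tool's CSV export lays it out.
SAMPLE_LOG = '''"(PDH-CSV 4.0) (UTC)(0)","\\\\ALPHA02\\Process(services)\\% Processor Time","\\\\ALPHA02\\Network Interface(Intel(R) PRO/1000 MT)\\Output Queue Length","\\\\ALPHA02\\Memory\\Available Bytes"
"01/05/2008 10:00:01.000","0.5","0","104857600"
"01/05/2008 10:00:02.000","12.25","7","98304000"
'''


def load_counter_log(csv_text: str) -> dict:
    """Read a counter log into {(object, instance, counter): [value, ...]}.

    Blank or non-numeric cells (written when a sample is missing) become
    None so that gaps in the data stay visible instead of being dropped.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    keys = []
    for col in header[1:]:
        cp = parse_counter_path(col)
        keys.append((cp.obj, cp.instance, cp.counter))
    series = {key: [] for key in keys}
    for row in reader:
        if not row:
            continue
        for key, raw in zip(keys, row[1:]):
            try:
                series[key].append(float(raw))
            except ValueError:
                series[key].append(None)
    return series


if __name__ == "__main__":
    print(parse_counter_path("ALPHA02\\Process(services)\\%Processor Time"))
    for key, values in load_counter_log(SAMPLE_LOG).items():
        print(key, values)
```

Keying the series by (object, instance, counter) rather than by the raw path string means the same counter collected from two computers, or written once with and once without the leading backslashes, lands under the same key, which is what a detection model built on these counters needs.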

On a computer running Windows XP Professional with Service Pack 2, the performance objects and their counters can be selected and configured by clicking Start, Control Panel, Performance and Maintenance, Administrative Tools, and finally Performance; the description of each counter is also available there.

7.2 DESCRIPTION OF ATTACKS AND NORMAL USE ACTIVITIES