Create a Windows PowerShell monitor

You can create a monitor that runs a Windows PowerShell script to collect specific performance information, for example when troubleshooting a Windows process that may be having issues.

A maximum of 10 output pairs can be returned. If you exceed the maximum allowed, remove the excess output pairs or they will simply be ignored. You may need to log in with an administrator account to perform this action.

What needs to be monitored

The process you want to monitor is lsass.exe, which enforces security on the system for users who are logging on, changing passwords, and so forth. In particular, you want to monitor the average number of read operations performed to check for spikes.

You decide to use the Windows PowerShell monitor to run a PowerShell script that uses the Get-WmiObject call to measure the average ReadOperationCount for the lsass.exe process and monitor its value.

  1. On the Web Console, click Settings > All Settings > SAM Settings > Create a New Template.
  2. Name the template, for example, Lsass.exe PowerShell Monitor.
  3. Click Add Component Monitor, expand the Custom Component Monitors group, select Windows PowerShell Monitor, and then click Add.
  4. Select the Credential for Monitoring with appropriate permissions to run the script on the SolarWinds SAM server, and that also has appropriate permissions to do whatever else the script requires (in this case, to get the average number of read operations performed on the target node).
  5. Select the Execution Mode to use:
    • Local Host can run scripts only locally, that is, on the SolarWinds SAM server.
    • Remote Host can execute scripts remotely (on the remote target node to which the Windows PowerShell monitor is assigned) using the Windows Remote Management (WRM) system component. WRM should be configured separately to get it working with the Windows PowerShell monitor.
  6. Copy the following PowerShell script, which uses the Get-WmiObject call to measure the average ReadOperationCount for the lsass.exe process, into the Script Body field:
    $avg = Get-WmiObject win32_process -ComputerName '${IP}' -Credential '${CREDENTIAL}' | Where-Object {$_.Name -eq "lsass.exe" } | Measure-Object -property ReadOperationCount -Average;
    Write-Host 'Statistic: ' $avg.Average
    exit(0)

    The PowerShell code does the following:

    1. Reads the average ReadOperationCount information for the process lsass.exe from the computer whose IP address is specified by the variable ${IP} using the credential specified by the variable ${CREDENTIAL}.

      The monitor automatically stores the user name from the specified Credential for Monitoring in the ${CREDENTIAL} variable. Do not place the ${CREDENTIAL} variable in the Script Arguments field, because it is set automatically. When PowerShell runs the script, no password has been provided, so it prompts for one, and the Windows PowerShell monitor automatically supplies the password from the specified Credential for Monitoring.

    2. Writes the statistic information gathered by the script.
    3. Exits the script.

      The script does not perform error checking.

  7. Enter the following Script Arguments:

    Use the token ${IP}, which is replaced with the IP address of the target node. You can then access the value in the script body using the variable ${IP}.

    For example, if you type the following for Script Arguments: ${IP}

    The PowerShell script will be able to access the IP address for the target node using the variable ${IP} in the script body.

  8. Select Run the script under specified account to enable impersonation with the component's credentials. (This works only in local script execution mode.)
  9. Select Count Statistic as Difference to change the statistic to be the difference in query values between polling cycles.
  10. Change the Statistic Warning Threshold to greater than 800.
  11. Change the Statistic Critical Threshold to greater than 1000.
  12. Click Set test node. Browse the tree view, select the desired target node for the PowerShell script, and then click Select.
  13. Click Test, and then click Submit.
  14. Click All in the Select tag to filter by list, and then locate the Lsass.exe PowerShell Monitor.
  15. Select Lsass.exe PowerShell Monitor and then click Assign to Node.
  16. Expand the tree view and select the target node, and then click Next.
  17. Select Inherit credentials from template, and then click Test to confirm the credentials and component monitor against the test node.
  18. Click Assign Application Monitors and then click Done.
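
As noted in step 6, the script does not perform error checking. The following is an added example, not SolarWinds' own code, of the same lsass.exe query with error handling for the Script Body field. It assumes SAM's script-monitor conventions for an optional Message: output line and for exit codes (0 = Up, 1 = Down), and it uses the -Filter parameter of Get-WmiObject in place of the Where-Object step.

```powershell
# Added example: the lsass.exe script from step 6 with error checking.
# ${IP} and ${CREDENTIAL} are the monitor's tokens, used as in the original script.
# Assumption: exit code 0 is reported as Up and exit code 1 as Down.
try {
    # -ErrorAction Stop turns WMI/RPC failures (unreachable host, access denied)
    # into terminating errors so that the catch block handles them.
    # The WQL filter selects lsass.exe on the target instead of returning every process.
    $procs = @(Get-WmiObject -Class Win32_Process -ComputerName '${IP}' `
        -Credential '${CREDENTIAL}' -Filter "Name = 'lsass.exe'" -ErrorAction Stop)

    # An empty result would otherwise produce an empty Statistic value.
    if ($procs.Count -eq 0) {
        Write-Host 'Message: lsass.exe was not found on ${IP}'
        exit 1
    }

    $avg = $procs | Measure-Object -Property ReadOperationCount -Average

    # One output pair: the numeric statistic plus a descriptive message.
    Write-Host "Statistic: $($avg.Average)"
    Write-Host "Message: Average ReadOperationCount over $($procs.Count) lsass.exe process(es)"
    exit 0
}
catch {
    # Surface the failure reason in the monitor instead of a blank statistic.
    Write-Host "Message: WMI query failed: $($_.Exception.Message)"
    exit 1
}
```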

Troubleshooting the Lsass.exe PowerShell Monitor

Verify that you are entering the user name and password of an administrator-level account. If you think you have entered an incorrect credential, correct the mistake and then retest.

Make sure that the RPC server is available and that the Windows PowerShell execution policy is not set to Restricted (the default setting). You can check the execution policy by entering the following command at the PowerShell command prompt: Get-ExecutionPolicy

If you are having trouble using the Windows PowerShell Monitor, see the following KB article for some useful tips:

https://support.solarwinds.com/success_center/Server_%26_Application_Monitor_(SAM)/Problems_using_the_Orion_APM_Windows_PowerShell_Monitor