3.2.1.2 Accounting Database
The WSRM Protocol maintains information for each process it manages in an accounting database. It SHOULD<18> contain the following information. The "Name" column specifies the name of the AccountingProcessList element (section 2.2.5.4) to which the data corresponds.
|
Name |
Description |
|---|---|
|
CreationSystemTime |
A 64-bit unsigned integer that specifies the time the data was entered into the database. Its lower 32 bits represent the dwLowDateTime field, and its higher 32 bits represent the dwHighDateTime field of the FILETIME structure as specified in [MS-DTYP] section 2.3.3. |
|
CreationTime |
A 64-bit unsigned integer that specifies the creation time of the process. Its lower 32 bits represent the dwLowDateTime field, and its higher 32 bits represent the dwHighDateTime field of the FILETIME structure as specified in [MS-DTYP] section 2.3.3. |
|
DomainName |
The Active Directory domain name of the user who created the process. If the computer is not in an Active Directory domain, the computer's workgroup is stored. |
|
EventType |
A string that specifies the event upon which properties of a process are recorded. The string can be "C", for process creation; "D", for process termination; and "L", for regular logging. |
|
ImageName |
The image name of the process associated with the accounting record. |
|
ImagePath |
The path to the directory where the executable file of the process is located. |
|
KernelModeTime |
The elapsed time, in 100-nanosecond units, that the process has spent in kernel mode. |
|
OtherOperationCount |
The number of input/output (I/O) operations that are neither read nor write operations (for example, a control function). This counter counts all I/O activity generated by the process, including file, network, and device operations. |
|
OtherTransferCount |
The number of bytes transferred in I/O operations that are neither read nor write (for example, a control function), including file, network, and device operations. |
|
PageFaultCount |
The number of page faults. A page fault occurs when a thread refers to a virtual memory page that is not in its working set in main memory and needs to be retrieved from the disk. If the page is being used by another process that shares the page, or if the page is already in main memory but is on the standby list, the page might not be found on the disk. |
|
PageFileUsage |
The current amount of virtual memory, in kilobytes, that this process has reserved for use in paging files. Paging files store pages of memory that are used by the process and that are not contained in other files. Paging files are shared by all processes. The lack of space in paging files can prevent other processes from allocating memory. If there is no paging file, this counter reflects the current amount of virtual memory that the process has reserved for use in physical memory. |
|
ParentProcessId |
The <ProcessId> of the parent process. |
|
PeakPageFileUsage |
The maximum amount of virtual memory, in kilobytes, that this process has reserved for use in paging files. |
|
PeakVirtualSize |
Maximum virtual address space, in bytes, that a process uses at any one time. |
|
PeakWorkingSetSize |
Peak working set size, in bytes, of a process. |
|
PolicyName |
The name of the resource allocation policy (RAP) associated with the accounting data. |
|
PolicySetTime |
A 64-bit unsigned integer that specifies the time that the RAP was set as the current resource policy. Its lower 32 bits represent the dwLowDateTime field, and its higher 32 bits represent the dwHighDateTime field of the FILETIME structure as specified in [MS-DTYP] section 2.3.3. |
|
PrivatePageCount |
The current number of pages allocated that are accessible only to this process. |
|
ProcessCommandLine |
The command used to start the process. This is a string of text written in the command language and passed to the command interpreter for execution. This is usually, but not always, the same as the program path. |
|
ProcessId |
A numerical identifier that uniquely distinguishes a process while it runs. |
|
QuotaNonPagedPoolUsage |
Current nonpaged pool usage for the process, in kilobytes. |
|
QuotaPagedPoolUsage |
Current paged pool usage for the process, in kilobytes. |
|
QuotaPeakNonPagedPoolUsage |
Peak nonpaged pool usage for the process, in kilobytes. |
|
QuotaPeakPagedPoolUsage |
Peak paged pool usage for the process, in kilobytes. |
|
ReadOperationCount |
The number of read I/O operations generated by the process, including file, network, and device operations. |
|
ReadTransferCount |
The number of bytes read in I/O operations, including file, network, and device operations. |
|
ResourceGroupName |
The resource group that was in use when the process started. |
|
SessionId |
The session identifier of the session that owns the process. |
|
ThreadCount |
The number of threads currently active in this process. An instruction is the basic unit of execution in a processor. A thread is the object that executes instructions. Every running process has at least one thread. |
|
UserModeTime |
The elapsed time, in 100-nanosecond units, that the processor has spent in user mode. User mode is a restricted processing mode, designed for applications, environment subsystems, and integral subsystems. The alternative is kernel mode, which is designed for operating system components. Kernel mode allows direct access to hardware and all memory. The operating system switches application threads to kernel mode in order to access operating system services. This value counts the average busy time as a percentage of the sample time. |
|
UserName |
The name of the user who started the process. |
|
VirtualSize |
The current size, in bytes, of the virtual address space the process is using. Use of virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and the process can limit its ability to load libraries. |
|
WorkingSetSize |
The current size, in bytes, of the working set of this process. |
|
WriteOperationCount |
The number of write I/O operations generated by the process, including file, network, and device operations. |
|
WriteTransferCount |
The number of bytes written in write I/O operations generated by a process, including file, network, and device operations. |
The following database fields are not used in the AccountingProcessList element.
|
Name |
Description |
|---|---|
|
ComputerName |
The name of the server where data was collected. |
|
EndTime |
A 64-bit unsigned integer that specifies the time when the process terminated. Its lower 32 bits represent the dwLowDateTime field, and its higher 32 bits represent the dwHighDateTime field of the FILETIME structure as specified in [MS-DTYP] section 2.3.3. |
|
TotalCPU |
A 64-bit unsigned integer value that specifies the length of time, in 100-nanosecond units, that the process has executed in kernel mode or user mode. |
|
ElapsedTime |
A 64-bit unsigned integer value that specifies the length of time, in 100-nanosecond units, that the process has been executing. |
|
GroupId |
A numerical identifier that uniquely identifies a raw accounting data record. |