Reporting of GDI object consumption per app

2 comments

• 
  Dominik Britz June 04, 2020 07:43 Official comment

  Wayne saw a high amount of GDI objects used under certain circumstances. While monitoring of GDI objects is not part of uberAgent's default data set, I created a script that one can run with uberAgent's custom script functionality.
  
  

  $sig = @'
  [DllImport("User32.dll")]
  public static extern int GetGuiResources(IntPtr hProcess, int uiFlags);
  '@
   
  Add-Type -MemberDefinition $sig -name NativeMethods -namespace Win32
   
  $processes = [System.Diagnostics.Process]::GetProcesses()
  
  $Output = @{}
  $MinimumGDIObjects = 1
  
  ForEach ($p in $processes)
  {
      try{
          $gdiHandles = [Win32.NativeMethods]::GetGuiResources($p.Handle, 0)
          If ($gdiHandles -ge $MinimumGDIObjects)
          {
              $Output += @{"$($p.Name)" = $gdiHandles.ToString()}
          }
      }
      catch {
          # Process probably protected. Do nothing.
      }
  }
  
  Write-Output $($Output.Keys.ForEach({"$_=$($Output.$_)"}) -join ' ')

  The variable $MinimumGDIObjects allows limiting the output to processes with a certain amount of GDI objects to save Splunk data volume.
  
  Create a new timer like the following:

  [Timer]
  Name = GDI objects
  # Run every 5 minutes
  Interval = 300000
  Script = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Get-GDIObjects.ps1"
  # Run this script with system permissions
  ScriptContext = Session0AsSystem

• 0
  
  Dominik Britz May 20, 2020 05:56

  Hi Wayne,

  Unfortunately, uberAgent is not picking up GDI objects. Before I put it on our backlog, could you possibly explain your use case for this?