Our IT department requested that we collect ETW data from Defender during MSBuild-driven builds. We have intermittent build failures that are evidently caused by Defender (well, its user-mode service) sitting on files with exclusive access. The issue is elusive, a classic Heisenbug. And despite attempts to reproduce this while recording ETW data, I haven't had any luck reproducing it after two dozen or so tries.
The instructions state to use New-MpPerformanceRecording -RecordTo <recording.etl> followed by Get-MpPerformanceReport -Path <recording.etl> ... The respective documentation from Microsoft can be found here.
Now my main gripe with the process is that New-MpPerformanceRecording requires you to:
- Press ENTER to stop and save recording, or Ctrl+C to cancel recording.
That means I cannot script the performance recordings along with the builds and always need to attend them. It's wasting a lot of time I don't really have to keep coming back to a window to check whether or not it's time to press ENTER yet.
Question: How can I automate the process end-to-end? I am acquainted with PowerShell scripting, but how to get around this silly prompt and have it save the data is beyond me. Anything that cancels the capture means I lose the data.
PS: The issue is not about speed ("performance") as such; it's much more about performing at all, because Defender keeps failing our builds. But I get why they would want ETW or trace logging details.
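One way to script the record/build/report cycle, added here as an illustration and not code from the question or from Microsoft's module: run the recording cmdlet in a child PowerShell process whose standard input is redirected, run the build, then write a newline to that input to emulate ENTER. It assumes the cmdlet reads its stop keystroke from standard input (if it reads the console directly, this will not work and the child would hang at the prompt) and that the script runs elevated; the paths, build command and start-up delay are placeholders.

```powershell
# Added example (not from the question or from Microsoft). ASSUMPTION: the
# ENTER prompt of New-MpPerformanceRecording is satisfied by a newline on
# redirected stdin. Run elevated; the recording cmdlet requires it.
function Invoke-BuildWithDefenderRecording {
    param(
        [Parameter(Mandatory)] [string] $RecordTo,      # placeholder: C:\traces\build.etl
        [Parameter(Mandatory)] [string] $BuildCommand,  # placeholder: 'msbuild.exe My.sln /m'
        [int] $StartupDelaySeconds = 10                 # time for the trace session to come up
    )

    # Child PowerShell hosts the blocking cmdlet so this script stays in control.
    $psi = [System.Diagnostics.ProcessStartInfo]::new()
    $psi.FileName              = 'powershell.exe'
    $psi.Arguments             = "-NoProfile -Command `"New-MpPerformanceRecording -RecordTo '$RecordTo'`""
    $psi.UseShellExecute       = $false
    $psi.RedirectStandardInput = $true      # lets us 'press ENTER' programmatically
    $recorder = [System.Diagnostics.Process]::Start($psi)

    $buildExit = $null
    try {
        Start-Sleep -Seconds $StartupDelaySeconds

        # Run the build while the trace is active and keep its exit code so
        # the caller can retain only recordings of builds that actually failed.
        & cmd.exe /c $BuildCommand
        $buildExit = $LASTEXITCODE
    }
    finally {
        # Newline == ENTER: stop and SAVE. (Killing the child would discard the trace.)
        $recorder.StandardInput.WriteLine()
        $recorder.StandardInput.Close()
        $recorder.WaitForExit()
    }

    if (Test-Path -LiteralPath $RecordTo) {
        # Summarise the saved recording; -TopFiles is a documented report option.
        Get-MpPerformanceReport -Path $RecordTo -TopFiles 10
    }
    return $buildExit
}

# Because the failure is intermittent, loop until a build fails and keep that trace.
# $i = 0
# do { $i++; $rc = Invoke-BuildWithDefenderRecording -RecordTo "C:\traces\build$i.etl" -BuildCommand 'msbuild.exe My.sln /m' }
# while ($rc -eq 0 -and $i -lt 50)
```

Each iteration writes its own .etl, so a failing run's recording is never overwritten by a later successful one.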