[virtual tables] Build cpu_time table for Windows #8040
base: master
You'll need to move the spec file to have this work on Windows.
Good callout about the units. I'm not really sure what we should be doing here. Merits thought.
data.GetLongLong("PercentUserTime", percent); | ||
// Hundredths of a second, percent / 100 * uptime * 100 | ||
r["user"] = BIGINT(percent * uptime); |
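Review bot: The result of data.GetLongLong("PercentUserTime", percent) on the first line is discarded, so if the lookup fails, percent keeps whatever value it had before the call and that value is multiplied into r["user"]. Check the result and leave the column unset (or skip the row) on failure. The comment's formula also only yields hundredths of a second of user time if percent is an average over the whole of uptime; state that assumption in the comment next to "percent / 100 * uptime * 100".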
Hrm. I think this is going to be weird. We already see some issues around uptime not behaving as expected, and I think the lack of precision in percent is going to make this jump around.
Thanks for the help! I've moved the spec file.
I'm still looking for a better source of uptime or specific times in Windows, and yeah, I think the precision is a real problem - elapsed time given by WMI is in seconds as int, and the percentages are also integers. (It probably didn't make sense to use 0.01 sec as the unit.)
In case it doesn't work out, do you think it's a good idea to provide the percents instead, maybe in a new table just for Windows?
If you move or add a spec file (any file that contributes in the build really), you also have to modify the respective CMakeLists.txt.
In this case https://github.com/osquery/osquery/blob/master/specs/CMakeLists.txt; you would have to move the file from the platform_dependent to the independent one.
Thanks for the guidance!
Using percentage to calculate the time is really not a good idea. I haven't found any other source of CPU time data in Windows but I'll keep looking.
@yux-m I just realized that there's some confusion here, the cpu_time table is meant to provide the CPU time for each CPU and core, not for every process. The WMI class you are accessing lists the CPU usage and other statistics for each process.
My mistake. I used the wrong table for uptime. I'll look for the right table (if there is) or a substitute.
Haven't got too much luck on finding an equivalent data source of Windows.
I'm a bit torn between adding columns for percentages, and just presenting that. (And maybe calculating it for the other platforms) vs taking the imprecision. Neither feels good
cpu_time table for Windows
Resolves #4382.
The unit of time in this implementation is hundredths of a second, which is consistent with the Linux implementation. However, I wonder if millisecond is more intuitive and if it is required to keep this consistent across operating systems. Currently Linux's version uses clock ticks (~0.01 sec) and mac's uses microseconds (1e-6 sec).
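The precision concern raised in the review, as an added example (not code from this pull request or from osquery): it compares the hunk's percent * uptime expression with a true cumulative counter over constructed samples. The sample values, `compareCounters`, `truncationError` and the assumption that the reported percentage covers only the latest one-second interval are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Mirrors the expression in the hunk: integer percent times integer uptime
// in seconds gives hundredths of a second.
int64_t derivedUser(int64_t percent, int64_t uptimeSec) {
  return percent * uptimeSec;
}

struct Report {
  int regressions;   // samples where the derived counter went backwards
  int64_t maxError;  // largest |derived - true| in hundredths of a second
};

// Constructed input: one utilisation percentage per second since boot.
// Assumption: the reported percentage covers only the latest interval.
Report compareCounters(const std::vector<int>& percentPerSecond) {
  Report rep{0, 0};
  int64_t trueTotal = 0, previous = 0;
  for (size_t i = 0; i < percentPerSecond.size(); ++i) {
    int64_t uptime = static_cast<int64_t>(i) + 1;
    trueTotal += percentPerSecond[i];  // p% of one second = p hundredths
    int64_t derived = derivedUser(percentPerSecond[i], uptime);
    if (derived < previous) ++rep.regressions;
    int64_t err =
        derived > trueTotal ? derived - trueTotal : trueTotal - derived;
    if (err > rep.maxError) rep.maxError = err;
    previous = derived;
  }
  return rep;
}

// Best case: the percentage is the exact lifetime average, truncated to an
// integer (uptimeSec > 0). The lost fraction still scales with uptime.
int64_t truncationError(int64_t trueHundredths, int64_t uptimeSec) {
  int64_t percent = trueHundredths / uptimeSec;  // integer percent
  return trueHundredths - derivedUser(percent, uptimeSec);
}

int main() {
  Report r = compareCounters({80, 80, 10, 10, 50, 5});
  std::printf("regressions=%d maxError=%lld\n", r.regressions,
              static_cast<long long>(r.maxError));
  std::printf("truncation error after 1 day: %lld\n",
              static_cast<long long>(truncationError(1114560, 86400)));
  return 0;
}
```

A consumer that takes deltas between two reads of a cumulative counter gets negative values at each regression, and even in the best case the truncation error grows linearly with uptime.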