Startup/Login Condition Expression Syntax
- Yüksel Aydemir (Unlicensed)
The startup and login timing conditions are configured using condition expressions.
You can only do this if you're a PerformanceGuard administrator.
Conditions are used for the following agent configuration parameters:
- StartupCondition controls when the computer startup measurement ends
- LoginStartCondition controls when the user login measurement starts
- LoginEndCondition controls when the user login measurement ends
Timing of computer startup is controlled by measuring the time between the moment when the first parts of the operating system start and the moment when the expression StartupCondition becomes true.
The login time is the period between the moment when LoginStartCondition becomes true and the moment when LoginEndCondition becomes true.
A condition expression consists of condition terms combined with logical operators. Supported logical operators are:
- and
- or
- not
You can use parentheses (...) to control the order of evaluation.
The following types of condition terms are available:
- Winversion
- Process
- Service
- Session
Condition terms are not case sensitive.
Condition terms are enclosed in brackets <...>.
Example:
( (<Winversion; WIN7> or <WINVERSION; WIN2008R2>) and <PROCESS; wdm; started>) or ( (<WINVERSION; VISTA> or <WINVERSION; WIN2008>) and <PROCESS; explorer; started> )
This expression becomes true when wdm.exe starts on Windows 7 or Windows Server 2008 R2, but on Windows Vista or Windows 2008 it becomes true when the explorer process starts.
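An added example (not part of the PerformanceGuard documentation or product code): a small Python evaluator that runs the expression above against a machine snapshot, covering only Winversion and Process terms. The operator precedence (not, then and, then or), the snapshot dictionaries and all function names are assumptions made here; the page does not state a precedence.

```python
import os
import re

TOKEN = r"<[^<>]*>|\(|\)|\band\b|\bor\b|\bnot\b"

def norm(name):  # per the page: extension removed, comparison case-insensitive
    return os.path.splitext(name.lower())[0]

def eval_term(term, state):
    f = [p.strip().lower() for p in term[1:-1].split(";")]
    if f[0] == "winversion" and len(f) == 2:
        return state["winversion"].lower() == f[1]
    if f[0] == "process" and len(f) == 3 and f[2] in ("started", "stopped"):
        # Snapshot simplification: "started" is read as "currently running".
        return (norm(f[1]) in map(norm, state["processes"])) == (f[2] == "started")
    raise ValueError(f"malformed or unsupported term: {term!r}")

def evaluate(expr, state):
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN}))*\s*", expr, re.I):
        raise ValueError("only <...> terms, and/or/not and parentheses are allowed")
    toks = [t if t[0] == "<" else t.lower() for t in re.findall(TOKEN, expr, re.I)] + [""]
    def chain(op, operand):
        value = operand()
        while toks[0] == op:
            toks.pop(0)
            rhs = operand()  # always evaluated, so a malformed term always raises
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    def atom():
        tok = toks.pop(0)
        if tok == "not":
            return not atom()
        if tok == "(":
            value = expression()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        return eval_term(tok, state)  # raises for anything that is not a valid term
    def expression():  # assumed precedence: not, then and, then or
        return chain("or", lambda: chain("and", atom))
    result = expression()
    if toks[0]:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

# The example expression from the page, and two constructed machine snapshots.
PAGE_EXAMPLE = ("( (<Winversion; WIN7> or <WINVERSION; WIN2008R2>) and <PROCESS; wdm; started>) or "
                "( (<WINVERSION; VISTA> or <WINVERSION; WIN2008>) and <PROCESS; explorer; started> )")
WIN7 = {"winversion": "WIN7", "processes": ["wdm.exe"]}
VISTA = {"winversion": "VISTA", "processes": ["wdm.exe"]}
```

Checking an expression this way before deployment catches typos such as a comma in place of a semicolon, which raise an error here instead of silently never matching.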
Condition Term Overview
Condition Term | Argument 1 | Argument 2 | Argument 3 | Comment | Example |
---|---|---|---|---|---|
Winversion | | | | | |
Winversion | VISTA | | | Operating system version check | <WINVERSION; VISTA> |
- | WIN7 | | | | <WINVERSION; WIN7> |
- | WIN8 | | | | <WINVERSION; WIN8> |
- | WIN2003 | | | | <WINVERSION; WIN2003> |
- | WIN2008 | | | | <WINVERSION; WIN2008> |
- | WIN2008R2 | | | | <WINVERSION; WIN2008R2> |
- | WIN2012 | | | | <WINVERSION; WIN2012> |
Process | | | | | |
Process | <process name> | started | | | <PROCESS; winlogon; started> |
- | - | stopped | | | <PROCESS; init.exe; stopped> |
MEM / CPU / IO | | | | | |
CPU | <process name> | above | <value> | Process CPU usage less than value in percent | <CPU; dwm; above; 10> |
- | - | below | <value> | | <CPU; dwm; below; 3> |
MEM | <process name> | above | <value> | Memory usage for the process less than value in KBytes | <MEM; csrss; above; 200000> |
- | - | below | <value> | | <MEM; csrss; below; 200000> |
IO | <process name> | above | <value> | Checks against a combined read/write IO average rate | <IO; system; above; 1500> |
- | - | below | <value> | | <IO; system; below; 1500> |
Service | | | | | |
Service | <process name> | started | <service name> | | <SERVICE; [executable]; STARTED; [service name]> |
Session | | | | | |
Session | Logon | | | | <SESSION; Logon> |
- | Connect | | | | <SESSION; Connect> |
- | Lock | | | | <Session; Lock> |
When specified <process name>s are compared to running processes, extensions are removed and comparison is case-insensitive. This means that it's optional whether you want to specify, for example, the .exe extension.
Winversion Condition Terms
Winversion terms are used to make a single condition behave differently depending on the operating system on the target computer. This way you can deploy a single condition expression throughout an entire organization, even if different Windows versions are used.
The term is always true on a computer that runs the specified Windows version.
Process, CPU, MEM and IO Condition Terms
The process condition terms take a number of different forms. You can use a term to check if a named process has been started or stopped, or you can use it to check the CPU, memory or I/O usage of a named process.
If multiple instances of the specified process are running, the term will be attached to all instances. For example, <CPU; svchost; above; 10> will become true if any of the running instances uses more than 10% CPU.
Service Condition Terms
The service condition term is used to check if a particular service is running.
The term <SERVICE; svchost; STARTED; EventSystem> becomes true when the EventSystem service is registered as started with the Service Control Manager within svchost. Note that the names of services may be different depending on the locale of the operating system. The name that you supply for the service is checked by comparing it with the service names registered for the given process. If the specified name appears as part of the name, the term evaluates to true. If you specify TCP as the service name, it will match any service that contains TCP in its name.
Session Condition Terms
The session condition terms change values when user sessions change state, that is when users log in or log out, or when they connect to or disconnect from a session. When sessions are locked or unlocked, sessions also change state. Session condition terms that become true when a user logs in are:
- <SESSION; connect>: A session was connected to the console terminal.
- <SESSION; logon>: A user has logged in to the session.
- <SESSION; lock>: A session has been locked.
Label Expressions
When specifying expressions for the login start and stop expressions, PerformanceGuard will by default generate labeled values. This is used to ensure that PerformanceGuard is able to handle asynchronous logins correctly. Multiple asynchronous logins can be an issue on multi-user Windows computers, typically servers running as application servers or XenServers (Citrix).
Expression labeling is supported for the session, process and CPU, MEM and IO conditions.
If required, you can disable labeling for a term by appending [-].
Examples:
- <SESSION; connect[-]>
- <SESSION; logon[-]>
- <SESSION; lock[-]>
- <PROCESS; guardagent[-]; started>
- <PROCESS; winlogon[-]; stopped>
- <CPU; guardagent[-]; above; 10>
- <MEM; explorer[-]; above; 10>
- <IO; explorer[-]; below; 10>
When labeled expressions are used, PerformanceGuard will be able to distinguish between events generated by different users, and match labels in the start and end conditions correctly. It's perfectly fine to mix labeled and unlabeled expressions. In such cases an unlabeled expression will be treated as if it was generated simultaneously by all possible labels.
BNF for Temporal Condition Terms
condition-term ::= metric-condition | process-condition | version-condition | service-condition
metric-condition ::= '<' metric ';' process ';' operatorspec '>'
process-condition ::= '<' 'PROCESS' ';' process ';' operatorp '>'
service-condition ::= '<' 'SERVICE' ';' process ';' 'started' ';' service-name '>'
session-condition ::= '<' 'SESSION' ';' session-con-event ['[-]'] '>'
version-condition ::= '<' 'WINVERSION' ';' versionid '>'
operatorspec ::= complexop
complexop ::= operatorc ';' threshold
metric ::= 'CPU' | 'MEM' | 'IO'
versionid ::= 'vista' | 'xp' | 'win2003' | 'win2008' | 'win2008R2' | 'win7'
operatorp ::= 'started' | 'stopped'
operatorc ::= 'below' | 'above'
threshold ::= integer ['%']
session-con-event ::= 'connect' | 'disconnect'
session-con-location ::= 'console' | 'remote'
session-log-event ::= 'logon' | 'logoff' | 'lock' | 'unlock'
process ::= identifier ['[-]']
service-name ::= identifier
identifier ::= alfa [alfa-digit]*
alfa ::= 'a' | 'b' ... 'z' | 'A' | 'B' ... 'Z' | '_' | '.' | '-'
alfa-digit ::= alfa | digit
integer ::= [digit]+
float ::= [digit]+ '.' [digit]*
digit ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9'