-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathCPUIntensiveApps_LastHour
33 lines (33 loc) · 1.23 KB
/
CPUIntensiveApps_LastHour
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
ITPC_CTX_Process_CL
| where TimeGenerated > ago(1h)
| where UserName_s !=""
| summarize AggregatedValue = avg(PercentProcessorTime_d) by TimeInterval = format_datetime(bin(TimeGenerated - 7h, 1h), 'M/d/yyyy HH tt'), UserName_s, Worker_s, Name_s
| sort by AggregatedValue desc
//exclude common Apps
| where Name_s != "dwm.exe"
and Name_s != "winlogon.exe"
and Name_s != "SettingSyncHost.exe"
and Name_s != "smartscreen.exe"
and Name_s != "backgroundTaskHost.exe"
and Name_s != "LogonUI.exe"
and Name_s != "rdpclip.exe"
and Name_s != "csrss.exe"
and Name_s != "RuntimeBroker.exe"
and Name_s != "dcagenttrayicon.exe"
and Name_s != "fontdrvhost.exe"
and Name_s != "explorer.exe"
and Name_s != "svchost.exe"
and Name_s != "SearchUI.exe"
and Name_s != "OneDrive.exe"
and Name_s != "taskhostw.exe"
and Name_s != "sihost.exe"
and Name_s != "ctfmon.exe"
and Name_s != "ShellExperienceHost.exe"
and Name_s != "rdpinput.exe"
and Name_s != "TabTip.exe"
and Name_s != "TabTip32.exe"
and Name_s != "dllhost.exe"
and Name_s != "rundll32.exe"
and Name_s != "StartMenuExperienceHost.exe"
and Name_s != "WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe"
| project TimeInterval, User = UserName_s, Application = Name_s, Host = Worker_s, CPU_Used = AggregatedValue