DEX check definitions for Windows
Check definitions for Windows are predetermined sets of rules and criteria that assess the performance, security, and conformance of Windows devices. These checks can cover various aspects such as CPU usage, memory usage, network tests, network bytes, and logged-in users.
To fetch the complete playbook data for a Windows device, the Agent Client Collector (ACC) must run as a local system account. For more details on how to set up the ACC service as a local system account, see Run ACC as a local system account user.
Note:
You can configure the check definitions and associated retrievable data. Some of the listed check definitions might retrieve data that contains or is considered personal information.
Check definitions — Application (Metrics)
DEX offers the following check definitions that are accessible solely when the application is running, except for the os.win.check-app-crash-rate and os.win.check-app-last-access-time
check definitions, which are accessible even when the application isn't running. In the check definition parameters:
- appName = application name. Example, Zoom.
- appSysId= sys_id of the application.
- primaryProcess = list of primary processes for the application separated by a pipe symbol (|). The first process that exists on the endpoint device is given priority. Example 1: chrome.exe. Example 2:
teams.exe|msteams.exe.Note:If the primary process for the Microsoft Teams application in Windows 10 is teams.exe and in Windows 11 it's msteams.exe, then when determining priority based on process availability on the endpoint device, the process that is present on the endpoint device first is given precedence.
- secondaryProcesses = list of secondary processes for the application separated by a pipe symbol (|). Example, cpthost.exe|cptservice.exe.
| Check definition name | Check definition parameters | Description |
|---|---|---|
| os.win.check-app-cpu-usage |
|
Checks the amount of CPU resources being used by the primary process and secondary process of the application. |
| os.win.check-app-memory-usage |
|
Checks the amount of memory being used by the primary process and secondary process of the application. |
| os.win.check-app-last-access-time |
|
Checks the most recent time when the application was executed or run. Note:
|
| os.win.check-app-last-updated |
|
Checks the time and date of the latest application update installation. |
| os.win.check-app-crashes |
|
Retrieves crash rate of the application. This check definition supports applications that emit a Window Error Reporting (WER) events (event id = 1000) on crashing.
Note: This check definition doesn't require the application to be running. |
| os.win.check.app.freezes |
|
Retrieves freeze rate of the application in the last 5 minutes. This check definition supports applications that emit a Window Error Reporting (WER) events (event id = 1001 or 1002) on freezing.
Note: This check definition doesn't require the application to be running. |
| os.win.check-app-uptime |
|
Checks the uptime of the given application. |
| os.win.check-app-incoming-network-bytes |
|
Retrieves the incoming network bytes of an application for IPv4 and IPv6 networks. |
| os.win.check-app-outgoing-network-bytes |
|
Retrieves the outgoing network bytes of an application for IPv4 and IPv6 networks. |
| os.win.check-app-domain-network-details |
|
Retrieves the network latency, packet loss, and jitter for installed application domain. Note: The system uses the Internet Control Message
Protocol (ICMP) to collect network performance metrics, such as latency, jitter, and packet loss. |
| os.win.check-app-domain-network-route-details |
|
Retrieves the complete network route details for application domain. |
| os.win.check-app-sccm | None | Fetches application-specific metrics for the App - Microsoft System Center Configuration Manager. |
| os.win.check-app-zscaler-service-status |
|
Retrieves the Zscaler service status information. |
Check definitions — Device (Metrics)
DEX provides the following types of check definitions for the device.
| Check definition name | Description |
|---|---|
| os.win.check-system-cpu-usage | Checks the current CPU utilization. |
| os.win.check-system-cpu-details | Retrieves the CPU ID, CPU name, number of physical and logical cores, and architecture information. |
| os.win.check-system-memory-usage | Checks the current system memory utilization. |
| os.win.check-system-last-access-time | Checks the last time the current device was accessed. Note: This check definition works on locked and unlocked devices. The first time this check definition runs, the events are captured and an error message
appears as there is no prior
data available. |
| os.win.check-system-uptime | Checks the time elapsed since the last boot of the system. |
| os.win.check-system-disk-io-usage-read | Retrieves disk bytes read per second. |
| os.win.check-system-disk-io-usage-write | Retrieves disk bytes written according to second. |
| os.win.check-system-energy-consumption | Retrieves the energy consumption values for CPU, SoC, display, disk, network, MBB, EMI, other, total, and loss of a Windows device in milliwatt-hours. Note: This check definition isn't compatible with virtual machines
that don't have energy sensors. Unlike other check definitions that retrieve latest data, this check definition retrieves the sum of last 5 minutes of data. |
| os.win.check-system-time | Checks the current time in Coordinated Universal Time (UTC) using UNIX timestamp. |
| os.win.check-system-power-plan | Retrieves the name of the active power plan. |
| os.win.check-system-os-details | Retrieves the name, version, platform, architecture, and installation date of the operating system. |
| os.win.check-system-device-crashes | Retrieves details of different crashes on your device. Note: This check definition supports BSOD that emits system events with event ids = 41,1001. |
| os.win.check-system-device-events | Retrieves the details of events that occurred on the device during the specified time interval. Events for Windows include: last boot and logged-in users. |
| os.win.check-system-disk-usage | Retrieves the disk used space as a percentage of the total space. |
| os.win.check-system-battery-details | Retrieves battery-related data, including the remaining battery percentage, the designed voltage, the estimated run time, and the battery's maximum capacity. Note:
|
| os.win.check-system-network-details | Retrieves the network details, including Ethernet, Wi-Fi, and other relevant information. |
| os.win.check-system-logged-in-users | Checks the login user ID of the users who are currently logged in to the device. |
| os.win.check-system-power-consumption | Retrieves the power consumption of the device in milliwatt. Note: This check definition is exclusively compatible with physical machines and doesn't support virtual machines (VMs). |
| os.win.check-system-admin-users | Retrieves all user accounts with local administrative privileges. |
| os.win.check-system-bsod | Retrieves the count, message, ID, level, and time of Blue Screen of Death (BSOD) occurrences. Note: This check definition supports BSOD that emits system events with event ids = 1001. |
| os.win.check-system-firewall-enabled | Checks if the operating system firewall is active and enabled. |
| os.win.check-system-antimalware-details | Retrieves the details of the anti-malware software on the device. |
| os.win.check-system-reboot-details | Retrieves the reboot duration in seconds and the last reboot timestamp (in UNIX epoch time). Note: The displayed values might not accurately reflect cases where system reboots were interrupted, such as during system
updates, power loss, or manual intervention. |
| os.win.check-system-os-setup-details | Retrieves the approximate OS age for the device. |
| os.win.check-system-network-adapter-details | Retrieves the network adapter details for the device. |
| os.win.check-system-network-connection-profiles | Retrieves the network connection profile details for the device. Note: This check definition retrieves the network type, which can be used to check the vpn status. |
| os.win.check-system-compliance-details | Retrieves the system’s compliance details. This includes the list of all configured apps and metric values that are non-compliant, and calculates a compliance rating based on that. Note:
|
| os.win.check-system-battery-charge-percentage | Retrieves the battery charge percentage on
Windows device. Note: If current capacity is greater
than designed capacity, the battery is rounded off to 100%. |
| os.win.check-system-windows-registry | Retrieves the Windows registry data. |
| os.win.check-system-memory-details | Retrieves the system memory details like and virtual memory details. |
| os.win.check-system-bios-details | Retrieves the System Bios details. |
| os.win.check-system-executables | Fetches all the executables (*.exe) present on Windows machine. |
| os.win.check-system-custom-query-on-change | Execute the custom query provided in the parameters. Runs only if value changes. |
| os.all.check.internal.get-device-configuration-on-change | Gets the configurations of a device. Example: sudo configured, debug on, agent user, and so on. Runs only if value changes. |
| os.win.check-system-boot-details | Gets latest boot details of a device from Windows event log. Note: Boot time is captured only during a full device boot. Windows generates Event ID 100 during a full boot to measure performance. Boot time is not recorded when the device is resumed,
restored, or started through remote or virtual machine operations because Event ID 100 is not generated |
| os.win.check-system-gpu-usage-details | Monitor GPU (Graphics Processing Unit) and VRAM (Video Random Access Memory) usage on the Device page to assess graphics performance and identify bottlenecks. |
Check definitions — Diagnostic Actions
DEX provides the following types of check definitions for Diagnostic actions.
| Check definition name | Check definition parameters | Description |
|---|---|---|
| Diagnostic action | ||
| os.win.check-app-process-ids | --process_name=<process name> | Retrieves the Process IDs (PIDs) of both the parent and all the child processes associated with the application. |
| os.win.check-process-cpu | None | Retrieves a list of all running processes along with their CPU usage percentage, CPU time, Process ID (PID), Parent Process ID (PPID), and name. |
| os.win.check-process-memory | None | Retrieves a list of all running processes along with their memory usage in kilobytes (KB), Process ID (PID), Parent Process ID (PPID), and name. |
| os.win.check-process-disk | None | Retrieves a list of all running processes along with their disk usage in Bytes, Process ID (PID), Parent Process ID (PPID), and name. |
| os.win.check-rssi-value | None | Retrieves the Received Signal Strength Indicator (RSSI) value for the currently connected WiFi interface. RSSI indicates the signal strength between the wireless access point (AP) and the device, with higher RSSI values indicating stronger signal strength. Note: This check definition can't be applied to a virtual machine. |
| os.win.check-services-data | service_type =<Type of service(one of user, system or all) | Retrieves the list of all services with PID, Service Name, Service Display Name, Status, Service Type. |
Check definitions — Remedial Actions
DEX provides the following types of check definitions for Remedial actions.
| Check definition name | Check definition parameters | Description |
|---|---|---|
| os.win.action-kill-process | --pid=<process id> OR --process_name=<list of comma separated executable file names> Note: The process ID takes priority over the application name. |
Terminates a running process or multiple processes specified by their Process ID (PID) or a list of executable (.exe) file names. |
| os.win.action-restart-service | --service_name=<service name> | Restarts logged user services that take a service name as input to the system. |
| os.win.action-flush-dns-cache | None | Flushes DNS cache on a Windows device. |
| os.win.action-clear-browser-cache | --auto_close = <true/false> Note: When auto-close is enabled, while clearing the browser cache, the browser is closed and vice versa. --browsers = <List of comma separated browsers> |
Clears cache of the supported browsers such as Google Chrome,Mozilla Firefox, and Microsoft Edge. Note: Before executing this check definition, save your browser work. |
| os.win.action-clear-app-cache | auto_close = <True/False whether you want the process to be closed before clearing the cache> process_name = <Process name> app_name = <Application name> cache_path = <Path to the cache folder> Note: The cache path is supported for Zoom, Microsoft Outlook, and Microsoft Teams. Cache path should be entered without the path to the user. For example, if the cache is at path C:\User\<UserName>\AppData\Roaming\Zoom\data enter AppData\Roaming\Zoom\data. |
Clears the application cache. |
| os.win.action-network-drive | action: <MAP/DELETE> drive_letter network_path |
Maps
or deletes a network drive
depending on the action input
parameter, which supports the following values:
|
|
os.win.action-restart-application |
process_name = <Process name> app_name = <Application name> |
Restarts the application if it is running. |
| os.win.action-removable-usb-storage-access | access - <deny_read/deny_write/deny_execute> value - <true/false> |
Controls access to removable USB storage disks for read, write, and execute access. Note:
|
| os.win.action-uninstall-application | app_name = <application name> | Uninstall an application. |
| os.win.action-zscaler-zpa-reconnect | None | Resolves Zscaler connectivity issues. |
| os.win.action-restart-one-drive | None | Restarts OneDrive on the end-user's machine. |
| os.win.action-disk-cleanup | None | Clears unwanted files or cache using Windows disk cleanup:
|
| os.win.action-windows-registry-action |
registry_path = <Absolute Windows registry key path> (Complete path of the registry key to be added) registry_data = <Data to be added or modified in a given registry key> Registry_type = <Type of the registry key data> (One of the default provided options) |
Allows the user to create a new Windows registry key or modify an existing one. Users can add new keys, or update the data and value type of existing registry entries as needed. |
| os.win.action-delete-file | file_name_or_path = <File name or path> | Permanently delete the entered file. Entered file should have a valid type extension. |
| os.win.action-clear-google-chrome-browsing-data | remove_web_data = <True/False whether you want to remove the web data> | Removes all the browsing data on Google chrome from all the Google chrome profiles. |
| os.win.action-purge-recycle-bin | None | Purging Recycle Bin will clear all the files in the recycle bin. |
| os.win.action-reset-google-chrome-settings | None | Clears the settings and removes all the installed Google chrome extensions on all the google chrome profiles. |
| os.win.action-toggle-power-plan | power_mode - Balanced, High performance, Power saver | Toggle between different power plans. |
| os.win.action-elevate-temporary-admin |
duration user_id = ID of the user |
Elevates temporary admin access to users for a period of time to perform specific tasks without compromising on security. |
| os.win.action-fix-classic-outlook-data-files | None | Fixes OST / PST data files using SCANPST.EXE in Classic outlook |