Windows default checks and policies

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 14 minutes to read

    Agent Client Collector provides the following default checks and policies for Windows health monitoring.

    Windows event monitoring checks

    Table 1. Windows OS Events policy
    Columns: Check | Description | Usage and Example Output

    os.windows.check-event-log

    Measures the Windows event log against parameter thresholds and returns a CRITICAL\WARNING\OK event.

    Usage:
    • -w warning - Triggers a WARNING event if the number of events matching the pattern is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the number of events matching the pattern is above the CRITICAL threshold specified in the check parameter.
    • -e event_level - Severity level of the event. Possible values: Information, Verbose, Critical, Warning, Error.
    • -i id - Unique event ID.
    • -d duration_hour - The period, in hours, over which events are retrieved from the Windows event log.

    Usage example: winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24

    Check Event Log OK: The Event Log that matches the pattern is <matched count>
    os.windows.check-event-log-count

    Measures the Windows event log against parameter thresholds and returns a CRITICAL\WARNING\OK event.

    Reports the number of events that occurred within a specified duration for a single log file and a single event ID. Filters can additionally restrict the retrieved events to a single Windows event level and a single provider name.

    Retrieving events from multiple log files is not supported. Only the number of events is reported, without the details of each event.

    Usage:
    • -w warning - Triggers a WARNING event if the number of events matching the pattern is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the number of events matching the pattern is above the CRITICAL threshold specified in the check parameter.
    • -l log_file - The log file to be monitored. The name of the file is written in double quotation marks.
    • -r regex_pattern - Regular expression applied to the event description; only matching events are counted. Written in double quotation marks.
    • -e event_level - Severity level of the event. Possible values: Information, Verbose, Critical, Warning, Error.
    • -i id - Unique event ID.
    • -d duration_hour - The period, in hours, over which events are retrieved from the Windows event log. Decimal values are accepted; for example, 0.5 for 30 minutes.
    • -p provider_name - Source of the event, written in double quotation marks.

    Usage example: winchecks check-windows-event-log -w 5 -c 10 -e "Information" -l "Application" -d 24

    Check Event Log OK: The Event Log that matches the pattern is <matched count>
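As an added example, not code from the ServiceNow winchecks tool, the following PowerShell reproduces the counting and threshold logic of os.windows.check-event-log-count with Get-WinEvent; the function name Test-EventLogCount and the CRITICAL-before-WARNING ordering are assumptions.

```powershell
# Added example (not winchecks code): reproduce os.windows.check-event-log-count.
# Parameter names mirror the documented options; the function name is assumed.
function Test-EventLogCount {
    param(
        [string]$LogFile = 'Application',
        [ValidateSet('Information', 'Verbose', 'Critical', 'Warning', 'Error')]
        [string]$EventLevel = 'Information',
        [int]$Id,
        [string]$ProviderName,
        [string]$RegexPattern,
        [double]$DurationHour = 24,     # decimal hours allowed, e.g. 0.5 for 30 minutes
        [int]$Warning = 5,
        [int]$Critical = 10
    )
    # Map the documented level names to the numeric Level values Get-WinEvent filters on.
    $levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }
    $filter = @{
        LogName   = $LogFile
        Level     = $levelMap[$EventLevel]
        StartTime = (Get-Date).AddHours(-$DurationHour)
    }
    if ($Id)           { $filter['Id'] = $Id }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }

    # Get-WinEvent throws when nothing matches; treat that as a count of zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($RegexPattern) {
        # -r applies to the event description (Message), not to the raw XML.
        $events = @($events | Where-Object { $_.Message -match $RegexPattern })
    }
    $count = $events.Count

    # Assumed ordering: CRITICAL takes precedence, both fire only when the count is above the threshold.
    $status = if ($count -gt $Critical) { 'CRITICAL' }
              elseif ($count -gt $Warning) { 'WARNING' }
              else { 'OK' }
    "Check Event Log ${status}: The Event Log that matches the pattern is $count"
}

# Same thresholds, log and window as the documented usage example.
Test-EventLogCount -LogFile 'Application' -EventLevel 'Information' -DurationHour 24 -Warning 5 -Critical 10
```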
    os.windows.check-event-log-details

    Collects and filters Windows event logs by the duration_hour, event_log_level and log_file values, and returns the details of the matching events together with the CRITICAL, WARNING, or OK status selected with -s.

    Usage:
    • -d duration_hour - Duration (in hours) from the current time to filter events (Default: 24).
    • -e event_log_level - Filter the events based on the event level. Possible values are: Information, Verbose, Critical, Warning, Error. Multiple values are comma-separated (Default: Information). For example: Information, Warning
    • -i id - Filters events based on the specified event IDs. For multiple IDs, values are comma-separated and enclosed in double quotation marks. For example: "1257, 1001"
    • -l log_file - Specifies the log file name to filter events. The name of the file is written in double quotation marks. Supports creating custom files and multiple values are comma-separated. (Default: Application). For example: "Application, System"
    • -p provider_name - The name of the event provider, enclosed in double quotation marks.
    • -r regex_pattern - Filters events by matching the event message with the specified pattern. Value must be enclosed in double quotation marks.
    • -s servicenow_event_severity - Creates a ServiceNow event with the severity given in this parameter. Possible values are: Critical, Warning and OK.

    Usage example: winchecks check-windows-event-log-details -d 24 -l Application -e Warning -r "*" -s Warning

    Check Event Log Details WARNING:

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 1704, Message: Security policy in the Group policy objects has been applied successfully., TimeCreated: 10/14/2024 12:09:35 AM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16384, Message: Successfully scheduled Software Protection service for restart at 2124-09-20T06:25:44Z. Reason: Rules Engine, TimeCreated: 10/13/2024 11:25:44 PM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 16394, Message: Offline downlevel migration succeeded., TimeCreated: 10/13/2024 11:24:19 PM.

    Type: Information, Category: Application, Machine: ws19-inc0061393.LOCAL.LAB, Event_ID: 8224, Message: The VSS service is shutting down due to idle timeout., TimeCreated: 10/13/2024 11:51:36 AM.

    os.windows.check-disk-name

    Takes the storage drive name as input and verifies that the drive is present. Returns a CRITICAL\WARNING\OK value based on the parameter provided.

    Usage: winchecks check-windows-disk-name <options>
    • -d : Disk name (Default = C)

    Usage example: winchecks check-windows-disk-name -d C

    Windows Checks OK: Disk storage C is present.
    os.windows.check-processor-queue-length

    Measures the process queue length against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the processor queue length is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the processor queue length is above the CRITICAL threshold specified in the check parameter.

    Usage example: winchecks check-windows-processor-queue-length -w 5 -c 10

    Processor Queue Length OK: The Processor Queue length is 0.00
    os.windows.check-system-cpu-load

    Checks CPU Load by using typeperf. Measures the CPU load against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the CPU load percentage is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the CPU load percentage is above the CRITICAL threshold specified in the check parameter.

    Usage example: winchecks check-windows-cpu-load -w 85 -c 95

    CPU Load OK: The total CPU utilization is 26.92%
    os.windows.check-system-disk

    Measures the disk usage percentage against thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the disk usage percentage is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the disk usage percentage is above the CRITICAL threshold specified in the check parameter.

    Usage example: winchecks check-windows-disk -w 85 -c 95

    Disk Usage Check OK: The disk usage is %
    os.windows.check-system-memory-percent

    Collects the RAM usage. Measures the memory usage against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the memory usage percentage is above the WARNING threshold specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the memory usage percentage is above the CRITICAL threshold specified in the check parameter.

    Usage example: winchecks check-windows-ram -w 85 -c 95

    RAM Usage OK: The total memory utilization is 84%
    os.windows.check-system-process

    Queries running processes for those that match the given arguments (a pattern, a name, or both; at least one must be given). Measures the number of matching processes against the configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -n name - Executable name of the process whose execution is checked.
    • -p pattern - Pattern (substring) to search for in the command line that invoked the process. Produces valid results only if the user running the Agent owns the queried process or has view permissions for it.
    • -w warnover - Triggers a WARNING status if the query returns more processes than those specified by the argument.
    • -W warnunder - Triggers a WARNING status if the query returns fewer processes than those specified by the argument.
    • -c critover - Triggers a CRITICAL event if the query returns more processes than those specified by the argument.
    • -C critunder - Triggers a CRITICAL event if the query returns fewer processes than those specified by the argument.

    Usage example: winchecks check-windows-processes -n explorer

    Check Process OK:

    OK Found 1 matching running processes named explorer

    os.windows.check-directory

    Verifies whether a Windows directory exists.

    Usage:
    • -d, --directory - Path to the relevant directory; use '\' as the separator.

    Usage example: winchecks check-windows-directory -d dir_path

    Check Directory OK: The directory 'C:/Users/Public' exists
    os.windows.check-pagefile

    Collects the Pagefile usage and compares it against the WARNING and CRITICAL thresholds.

    Usage:
    • -w warning - Triggers a WARNING event if the Pagefile usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the Pagefile usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-pagefile -w 75 -c 85

    Check Windows Page File OK: Page file usage at 31.63%
    os.windows.check-free-physical-memory

    Measures the free physical memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the free physical memory is under the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the free physical memory is under the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-free-physical-memory -w 10 -c 5

    Free Physical Memory OK: The Free Physical Memory is 20.25%
    os.windows.check-free-virtual-memory

    Measures the free virtual memory against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -w warning - Triggers a WARNING event if the free virtual memory is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the free virtual memory is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-free-virtual-memory -w 10 -c 5

    Free Virtual Memory OK: The Free Virtual Memory is 25.66%
    os.windows.check-process-cpu

    Measures a process's CPU usage against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -p processname - Process name to collect CPU usage.
    • -w warning - Triggers a WARNING event if the CPU usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the CPU usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-process-cpu -p acc -c 95 -w 85

    Check Process CPU OK: Process CPU usage is 0.0000%
    os.windows.check-process-memory

    Measures a process's memory usage against configured thresholds and returns a CRITICAL\WARNING\OK event according to the thresholds given in the accompanying parameters.

    Usage:
    • -p processname - Process name to collect memory usage.
    • -w warning - Triggers a WARNING event if the process memory usage is above the WARNING parameter value specified in the check parameter.
    • -c critical - Triggers a CRITICAL event if the process memory usage is above the CRITICAL parameter value specified in the check parameter.

    Usage example: winchecks check-windows-process-memory -p acc -c 95 -w 85

    Check Process Memory OK: Process Memory usage is 0.0149%

    Windows metric monitoring checks

    Table 2. Windows OS Metrics policy
    Columns: Check | Description | Usage and Example Output

    os.windows.check-processor-queue-length

    Measures the processor queue length.

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-processor-queue-length --scheme hostname.proc

    win2019-dc-64bit.cpu.queuelength 0.00 1645371109
    os.windows.check-system-cpu-load

    Collects the average CPU load per second.

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-cpu-load --scheme hostname.proc

    win2019-dc-64bit.cpu.loadavgsec 15.07 1645371561
    os.windows.check-system-cpu

    Collects the CPU core metric.

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-cpu --scheme hostname.proc

    win2019-dc-64bit.cpu.cpu0.cores 2 1645371681
    os.windows.check-system-disk-usage

    Collects the following disk usage metrics:
    • total in GB
    • used in GB
    • avail in GB
    • used percentage

    Usage:
    • -i, ignore_mnt - Comma-separated list of mount points to ignore (:C)
    • -I, include_mnt - Comma-separated list of mount points to include.
    • --scheme, scheme - Replaces the output's hostname + process with the given value (example: hostname.process).

    Usage example: winchecks metric-windows-disk-usage --scheme hostname.proc

    win2019-dc-64bit.disk_usage.disk_C.total(GB) 99.40 1645371774

    win2019-dc-64bit.disk_usage.disk_C.used(GB) 50.72 1645371774

    win2019-dc-64bit.disk_usage.disk_C.avail(GB) 48.68 1645371774

    win2019-dc-64bit.disk_usage.disk_C.used_percentage 51.02 1645371774
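As an added example, not code from the winchecks tool, this PowerShell emits the same four disk usage metrics in the documented "metric value epoch" line format, applying the ignore/include lists and the scheme prefix; the function name Get-DiskUsageMetrics and the use of Win32_LogicalDisk are assumptions.

```powershell
# Added example (not winchecks code): emit os.windows.check-system-disk-usage metrics.
function Get-DiskUsageMetrics {
    param(
        [string[]]$IgnoreMnt  = @(),               # drives to skip, e.g. 'D:'
        [string[]]$IncludeMnt = @(),               # empty means every fixed drive
        [string]$Scheme = $env:COMPUTERNAME        # replaces the hostname prefix
    )
    # One timestamp per collection so all lines of a run carry the same epoch.
    $epoch = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # DriveType 3 = local fixed disk; removable and network drives are excluded.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
    foreach ($d in $disks) {
        $id = $d.DeviceID                          # e.g. 'C:'
        if ($IgnoreMnt -contains $id) { continue }
        if ($IncludeMnt.Count -gt 0 -and $IncludeMnt -notcontains $id) { continue }

        $totalGb = $d.Size / 1GB
        $availGb = $d.FreeSpace / 1GB
        $usedGb  = $totalGb - $availGb
        $usedPct = if ($d.Size -gt 0) { 100 * $usedGb / $totalGb } else { 0 }

        # Metric path as documented: <scheme>.disk_usage.disk_<letter>.<metric>
        $prefix = '{0}.disk_usage.disk_{1}' -f $Scheme, $id.TrimEnd(':')
        '{0}.total(GB) {1:F2} {2}'       -f $prefix, $totalGb, $epoch
        '{0}.used(GB) {1:F2} {2}'        -f $prefix, $usedGb,  $epoch
        '{0}.avail(GB) {1:F2} {2}'       -f $prefix, $availGb, $epoch
        '{0}.used_percentage {1:F2} {2}' -f $prefix, $usedPct, $epoch
    }
}

# Equivalent of "--scheme win2019-dc-64bit" with a second drive ignored.
Get-DiskUsageMetrics -IgnoreMnt 'D:' -Scheme 'win2019-dc-64bit'
```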

    os.windows.check-system-memory-percent

    Collects RAM percentage usage, Free Physical Memory percentage and Free Virtual Memory percentage.

    Usage: -s, scheme - Replaces output's hostname+process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-disk-usage --scheme hostname.proc

    win2019-dc-64bit.mem.free_physical_percentage 13.30 1645371856

    win2019-dc-64bit.mem.free_virtual_percentage 13.93 1645371856

    win2019-dc-64bit.ram.usage_percentage 86.07 1645371856

    os.windows.check-system-network

    Collects the following active network adapter metrics:
    • Total bytes per sec
    • Packets/sec
    • Packets Received per sec
    • Packets Sent per sec
    • Current Bandwidth
    • Bytes Received per sec
    • Packets Received Unicast per sec
    • Packets Received Non-Unicast per sec
    • Packets Received Discarded
    • Packets Received Errors
    • Packets Received Unknown
    • Bytes sent per sec
    • Packets sent unicast per sec
    • Packets sent non-unicast per sec
    • Packets outbound discarded
    • Packets outbound errors
    • Output queue length
    • Offloaded connections
    • TCP Active RSC Connections
    • TCP RSC Coalesced Packets per sec
    • TCP RSC Exceptions per sec
    • TCP RSC Average Packet Size

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-network --scheme hostname.proc

    Output format: win2019-dc-64bit.system.network.Network_Interface(Intel[R]_82574L_Gigabit_Network_Connection).<metric name> <metric value>

    For example: win2019-dc-64bit.system.network.Network_Interface(Intel[R]_82574L_Gigabit_Network_Connection).Bytes_Total/sec 98742.67 1645372042

    os.windows.check-system-uptime

    Collects the system uptime.

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-uptime --scheme hostname.proc

    win2019-dc-64bit.system.uptime(sec) 4614142.06 1645372124
    os.windows.check-system-disk

    Collects the following disk metrics:
    • AvgDiskSecPerRead
    • AvgDiskSecPerWrite
    • DiskReadBytesPerSec
    • DiskWriteBytesPerSec

    Usage:

    • -i, ignore_mnt - Comma-separated list of mount points to ignore (:C)
    • -I, include_mnt - Comma-separated list of mount points to include.
    • --scheme, scheme - Replaces the output's hostname + process with the given value (example: hostname.process).

    Usage example: winchecks metric-windows-disk

    win2019-dc-64bit.disk._total.AvgDisksec/Read 0.000000 1645372198

    win2019-dc-64bit.disk._total.AvgDisksec/Write 0.000608 1645372198

    win2019-dc-64bit.disk._total.DiskReadBytes/sec 0.000000 1645372198

    win2019-dc-64bit.disk._total.DiskWriteBytes/sec 34941.692255 1645372198

    win2019-dc-64bit.disk.C.AvgDisksec/Read 0.000000 1645372200

    win2019-dc-64bit.disk.C.AvgDisksec/Write 0.000000 1645372200

    win2019-dc-64bit.disk.C.DiskReadBytes/sec 0.000000 1645372200

    win2019-dc-64bit.disk.C.DiskWriteBytes/sec 0.000000 1645372200

    os.windows.check-system-memory

    Collects the following memory metrics:
    • FreePhysicalMemory
    • TotalPhysicalMemory
    • FreeVirtualMemory
    • TotalVirtualMemorySize
    • AvailableMemory
    • TotalVisibleMemorySize

    Usage: -s scheme - Replaces the output's hostname + process with the given value (example: hostname.process)

    Usage example: winchecks metric-windows-memory --scheme hostname.proc

    win2019-dc-64bit.mem.free_physical(KB) 1175440.00 1645372274

    win2019-dc-64bit.mem.total_physical(KB) 8588898304.00 1645372274

    win2019-dc-64bit.mem.free_virtual(KB) 1747636.00 1645372274

    win2019-dc-64bit.mem.total_virtual(KB) 12263156.00 1645372274

    win2019-dc-64bit.mem.available(KB) 1202032640.00 1645372274

    win2019-dc-64bit.mem.total_visible(KB) 8387596.00 1645372274

    os.windows.check-process-status

    Collects the Windows process status together with the CPU and memory used by the process.

    Usage:
    • -n, process - Name of the process to collect the status metric for.
    • --scheme, scheme - Replaces the output's hostname + process with the given value (example: hostname.process).

    win2019-dc-64bit.Process.Status 67 1645372421

    win2019-dc-64bit.Process.CpuPercent 0 1645372421

    win2019-dc-64bit.Process.Memory(KB) 1226444 1645372421

    Windows OS event checks - Extended

    Runs Windows extended checks on operational Windows servers. To run this policy, activate one of the checks and provide a CI filter on the policy's Monitored CIs tab to run these checks on selected CIs.
    Table 3. Windows OS Events - Extended policy
    Columns: Check | Description | Usage | Example Output

    os.windows.check-env-variables

    Checks an environment variable against a regular expression and returns either a WARNING or OK value.

    If a new system variable is created after agent installation, you must restart the agent. This check can access only those user variables that are associated with the current user (the user used during agent installation).

    Usage: winchecks check-windows-env-variables (options)
    • -e, --env - Environment variable to be matched.
    • -f, --regex - Regular expression pattern to match against the environment variable's value.

    Usage example (env_variable_name as TEMP): verifies the value of a specific environment variable. To check the value of the TEMP variable, replace env_variable_name with the desired variable.

    winchecks check-windows-env-variables -e TEMP -f ^[_C:/windows/TEMP_]*$

    Use a regular expression (regex) to match variable values. In this example, the regex ^[_C:/windows/TEMP_]*$ checks whether the variable value contains C:\windows\TEMP. Adjust the regex pattern as needed for your matching criteria.

    Environment variable PATH matches the regular expression, ^[_C:/windows/TEMP_]*$

    os.windows.check-system-patch

    Verifies that a system patch is installed. Returns either a WARNING or OK value.

    Usage: winchecks check-windows-system-patch (options)
    • -p - Name of the system patch to be checked.

    winchecks check-windows-system-patch -p windows_11_patch_1

    Use this parameter to verify that a specific patch (in this case, windows_11_patch_1) is installed. The check runs a command that retrieves the installed patches and verifies that the specified patch is among them. Replace the patch value with the patch you want to verify.

    Patch windows_11_patch_1 is installed
    os.windows.check-modules

    Verifies that each module in the given list is present.

    Usage: winchecks check-windows-modules (options)
    • -m : Comma-separated list of module names.

    winchecks check-windows-modules -m ServerManager,SmbShare

    Windows Checks OK: Module is installed: ServerManager

    Module is installed: SmbShare

    os.windows.check-user-account

    Takes a list of user names as input and verifies whether each user account is active. Returns a CRITICAL, WARNING, or OK value.

    Usage: winchecks check-windows-user-disabled (options)
    • -u : Comma-separated list of user names.

    winchecks check-windows-user-disabled -u Administrator,Guest

    User Name and Status

    os.windows.check-file-update

    Takes the file's path and an interval as input and verifies whether the file content has been modified within that interval. Returns a CRITICAL, WARNING, or OK value.

    Read permissions are required on the monitored file.

    Usage: winchecks check-windows-file-update (options)
    • -f : File path - Path of the monitored file.
    • -i : Time period in seconds; 120 seconds by default.

    winchecks check-windows-file-update -f C:\user\fileName -i 120

    CheckWindowsFileUpdate OK: File has not been updated in last <time_period> seconds

    os.windows.check-file-hashcode-update

    Takes the file's path and an MD5 hashcode as input and verifies whether the file content has been modified. Returns a CRITICAL, WARNING, or OK value.

    Read permissions are required on the monitored file.

    Usage: winchecks check-windows-file-hashcode-update (options)
    • -f : File path - Path of the monitored file.
    • -c : MD5 hashcode of the file to compare against.

    winchecks check-windows-file-hashcode-update -c d41d8cd98f00b204e9800998ecf8427e -f C:\temp\fileName

    CheckKernelParameter OK: Kernel parameter : {parameter_name} value is as expected.
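As an added example, not code from the winchecks tool, the following PowerShell reproduces the two file checks above: a last-write-time comparison for os.windows.check-file-update and an MD5 comparison for os.windows.check-file-hashcode-update; the function names and the CRITICAL-on-change mapping are assumptions, since the page only states that a CRITICAL, WARNING, or OK value is returned.

```powershell
# Added example (not winchecks code): reproduce the two file integrity checks.
function Test-FileUpdate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$IntervalSeconds = 120                # documented default
    )
    # Read permission is required; a missing or unreadable file stops the check here.
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $age  = (Get-Date) - $item.LastWriteTime
    if ($age.TotalSeconds -le $IntervalSeconds) {
        # Assumed mapping: a write inside the window is reported as CRITICAL.
        return "CheckWindowsFileUpdate CRITICAL: File has been updated in last $IntervalSeconds seconds"
    }
    "CheckWindowsFileUpdate OK: File has not been updated in last $IntervalSeconds seconds"
}

function Test-FileHashcodeUpdate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5
    )
    # The documented check compares MD5. MD5 collisions are practical, so a match only
    # shows the file is unchanged by accident, not that it is tamper-proof; use the
    # stronger algorithm (e.g. SHA256) wherever the expected value can be recomputed.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    if ($actual -ieq $ExpectedMd5) {
        return "CheckWindowsFileHashcodeUpdate OK: File hash matches $actual"
    }
    "CheckWindowsFileHashcodeUpdate CRITICAL: File hash $actual differs from expected $ExpectedMd5"
}

# Same arguments as the documented examples (d41d8cd9... is the MD5 of an empty file).
Test-FileUpdate -Path 'C:\user\fileName' -IntervalSeconds 120
Test-FileHashcodeUpdate -Path 'C:\temp\fileName' -ExpectedMd5 'd41d8cd98f00b204e9800998ecf8427e'
```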