Performance Monitor (perfmon)

Microsoft

Built-in Windows tool for collecting and graphing detailed performance counters from OS and applications.

Endpoint Analysis Built-in OS GUI Learning Windows


Description

Performance Monitor (perfmon.exe) is the legacy but still powerful Windows tool for collecting performance counters: thousands of OS- and application-level metrics ranging from \Processor(_Total)\% Processor Time to \Network Interface(*)\Bytes Total/sec and \Process(*)\Working Set. Counter paths follow the form \Object(Instance)\Counter, with the instance omitted for single-instance objects such as Memory. Data Collector Sets sample on a fixed interval and write binary .blg logs (the default), CSV/TSV, or a SQL database; trace collectors in the same set write ETL. Logs land under C:\PerfLogs by default, and relog.exe converts between formats after the fact.

For CySA+ it represents baseline-driven detection on Windows: recording known-good behaviour and alerting on deviation from it is one of the original anomaly-detection techniques and still appears in exam scenarios. The caveat is that the baseline has to come from a host you trust; a baseline recorded after compromise simply normalises the attacker's activity.
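The baseline comparison described above, written out as an added example (this is not code from the original page): it samples the same counters Performance Monitor exposes through the built-in Get-Counter cmdlet, stores mean and standard deviation per counter instance, and flags later samples that fall outside a z-score threshold or come from an instance the baseline never saw. The counter paths, sample counts, 3-sigma threshold and baseline.json file name are choices made for this example.

```powershell
# Added example, not code from the original page: baseline-driven anomaly
# detection over the same counters Performance Monitor exposes, sampled with
# the built-in Get-Counter cmdlet. Counter paths, sample counts, the z-score
# threshold and the JSON file name are this example's choices.

$CounterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec',
    '\System\Processes'
)

function Get-SampleStdDev {
    # Sample standard deviation; Measure-Object only gained -StandardDeviation
    # in PowerShell 7, so compute it by hand for Windows PowerShell 5.1.
    param([double[]]$Values)
    if ($Values.Count -lt 2) { return 0.0 }
    $mean = ($Values | Measure-Object -Average).Average
    $sumSq = 0.0
    foreach ($v in $Values) { $sumSq += ($v - $mean) * ($v - $mean) }
    return [math]::Sqrt($sumSq / ($Values.Count - 1))
}

function Get-PerfBaseline {
    # Sample each counter $Samples times, $IntervalSeconds apart, on a host
    # you trust, and keep mean and standard deviation per counter instance.
    param([string[]]$Paths, [int]$Samples = 30, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter $Paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($g in ($sets.CounterSamples | Group-Object -Property Path)) {
        [double[]]$values = foreach ($s in $g.Group) { $s.CookedValue }
        [pscustomobject]@{
            Path   = $g.Name
            Mean   = ($values | Measure-Object -Average).Average
            StdDev = Get-SampleStdDev -Values $values
        }
    }
}

function Get-CurrentSample {
    # A short burst of samples averaged per instance, in the shape Compare-ToBaseline expects.
    param([string[]]$Paths, [int]$Samples = 3)
    $sets = Get-Counter -Counter $Paths -SampleInterval 1 -MaxSamples $Samples
    foreach ($g in ($sets.CounterSamples | Group-Object -Property Path)) {
        [pscustomobject]@{
            Path  = $g.Name
            Value = ($g.Group | Measure-Object -Property CookedValue -Average).Average
        }
    }
}

function Compare-ToBaseline {
    # Pure comparison so it can be exercised with constructed data: one finding
    # per counter more than $ZThreshold standard deviations from its baseline,
    # plus one for every instance the baseline never saw (a new network adapter,
    # for example, is worth a look in its own right).
    param($Baseline, $Current, [double]$ZThreshold = 3.0)
    $index = @{}
    foreach ($b in $Baseline) { $index[$b.Path] = $b }
    foreach ($c in $Current) {
        $b = $index[$c.Path]
        if (-not $b) {
            [pscustomobject]@{ Path = $c.Path; Value = $c.Value; Z = $null; Reason = 'no baseline for this instance' }
            continue
        }
        # A counter that never moved has StdDev 0; floor sigma at 1% of the mean
        # so a negligible change does not become an infinite z-score.
        $sigma = [math]::Max($b.StdDev, [math]::Max(0.01 * [math]::Abs($b.Mean), 1e-6))
        $z = ($c.Value - $b.Mean) / $sigma
        if ([math]::Abs($z) -gt $ZThreshold) {
            [pscustomobject]@{ Path = $c.Path; Value = $c.Value; Z = [math]::Round($z, 1); Reason = "more than $ZThreshold sigma from baseline" }
        }
    }
}

# Constructed data (not measured anywhere) to exercise the comparison offline.
$demoBaseline = @(
    [pscustomobject]@{ Path = '\\host\processor(_total)\% processor time';           Mean = 12.0;    StdDev = 4.0 },
    [pscustomobject]@{ Path = '\\host\network interface(ethernet)\bytes total/sec'; Mean = 50000.0; StdDev = 20000.0 }
)
$demoCurrent = @(
    [pscustomobject]@{ Path = '\\host\processor(_total)\% processor time';             Value = 95.0 },      # z = 20.8, flagged
    [pscustomobject]@{ Path = '\\host\network interface(ethernet)\bytes total/sec';   Value = 60000.0 },   # z = 0.5, silent
    [pscustomobject]@{ Path = '\\host\network interface(vpn adapter)\bytes total/sec'; Value = 9000000.0 } # unseen instance, flagged
)
Compare-ToBaseline -Baseline $demoBaseline -Current $demoCurrent | Format-Table -AutoSize

# Live use on a Windows host (Get-Counter needs local admin or membership in
# Performance Monitor Users): record once on a clean build, compare later.
# $baseline = Get-PerfBaseline -Paths $CounterPaths
# $baseline | ConvertTo-Json | Set-Content .\baseline.json
# Compare-ToBaseline -Baseline (Get-Content .\baseline.json | ConvertFrom-Json) -Current (Get-CurrentSample -Paths $CounterPaths)
```

Get-Counter returns fully qualified, lower-cased paths prefixed with the host name, so a baseline recorded on one machine will not match another by path; record per golden image and per host role rather than once for the estate.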

Use cases

  • Establishing performance baselines for golden images
  • Long-running data collector sets feeding a SIEM
  • Investigating intermittent slowness that may indicate compromise (sustained CPU from coin miners, unexplained outbound Bytes Sent/sec from exfiltration or beaconing)
  • Capacity planning input for hardening decisions

Example

:: Launch Performance Monitor (perfmon /res opens Resource Monitor instead;
:: perfmon /report runs the System Diagnostics set and renders its report)
perfmon

:: Start a built-in data collector set from the CLI (needs an elevated prompt)
logman start "System Diagnostics"

:: List data collector sets and their running/stopped state
logman query
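The same Data Collector Set lifecycle as the logman line above, but for a user-defined counter set with a relog conversion at the end so the log can be shipped to a SIEM, as an added example (not code from the original page). The set name SOC-Baseline, the C:\PerfLogs\SOC-Baseline directory, the counter list, the 15-second interval and the 10-minute run limit are this example's choices; logman, relog and Import-Csv are the real tools being called.

```powershell
# Added example, not code from the original page: create, run and export a
# user-defined counter Data Collector Set with logman and relog. Set name,
# output directory, counters and durations are this example's choices.
# Run from an elevated PowerShell prompt; creating and starting sets needs admin.

$SetName  = 'SOC-Baseline'
$LogDir   = 'C:\PerfLogs\SOC-Baseline'
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec',
    '\Process(*)\Working Set'
)

function New-CounterCollector {
    # 15-second interval, binary .blg output (logman appends the extension),
    # and -rf so the set stops by itself after 10 minutes.
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $outBase = Join-Path $LogDir 'soc-baseline'
    # PowerShell passes each array element as its own quoted argument after -c.
    & logman.exe create counter $SetName -c $Counters -si 15 -f bin -o $outBase -rf 00:10:00
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Start-CounterCollector {
    & logman.exe start $SetName
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
}

function Stop-CounterCollector {
    # Stopping early is fine; -rf only puts an upper bound on the run.
    & logman.exe stop $SetName
}

function Export-CollectorCsv {
    # Convert the newest .blg to CSV. relog can also subset counters (-c) or a
    # time window (-b/-e) so only the columns the SIEM wants are shipped.
    $blg = Get-ChildItem -Path $LogDir -Filter '*.blg' | Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $blg) { throw "no .blg found in $LogDir; has the collector run yet?" }
    $csv = Join-Path $LogDir 'soc-baseline.csv'
    & relog.exe $blg.FullName -f csv -o $csv -y
    if ($LASTEXITCODE -ne 0) { throw "relog failed with exit code $LASTEXITCODE" }
    return $csv
}

function Get-PeakCpu {
    # Read the CSV back: the first column is the timestamp, the rest are counter
    # paths prefixed with the host name, so locate the column by pattern.
    param([string]$CsvPath)
    $rows = Import-Csv -Path $CsvPath
    $cpuCol = $rows[0].PSObject.Properties.Name |
        Where-Object { $_ -like '*Processor(_Total)\% Processor Time' } |
        Select-Object -First 1
    $peak = 0.0
    foreach ($r in $rows) {
        $v = 0.0
        # The first sample of a rate counter is often blank; skip anything unparsable.
        if ([double]::TryParse($r.$cpuCol, [ref]$v) -and $v -gt $peak) { $peak = $v }
    }
    return $peak
}

# Typical sequence; run the export once the collector has stopped.
New-CounterCollector
Start-CounterCollector
# ... wait for -rf to elapse, or call Stop-CounterCollector ...
# $csv = Export-CollectorCsv
# "Peak CPU over the window: $(Get-PeakCpu -CsvPath $csv)%"
# & logman.exe delete $SetName   # remove the set once the log has been shipped
```

Binary .blg is the right format to collect in (it is compact and keeps counter metadata), and relog is the step that turns it into something a SIEM forwarder or spreadsheet can read; sampling straight to CSV with -f csv works too but loses that flexibility.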