The problem: we can’t stop "NT Kernel Logger" and we aren’t able to save data collected by Windows Performance Recorder; it generates a "The system collector properties does not match with the internal state." error message when you attempt to save data.
I have confirmed this problem on multiple corporate machines featuring Windows 7 SP1 x64 with McAfee Agent 22.214.171.1248, McAfee Endpoint Security 10.5, McAfee DLP 10.0.250.92. For the record, we were able to use Windows Performance Recorder successfully in the past on the same machines, then something changed and broke the functionality. One of the changes was: a new version of McAfee was deployed to our machines.
See this thread for more info about the steps to recreate and observed results, along with call stacks. I suspect McAfee is responsible for this behavior by restarting "NT Kernel logger" as WPR is starting its capture, which later causes WPR to report the mismatch error.
Is anyone else experiencing this problem?
Am I on the right track?
Unfortunately, I'm not able to stop, disable, uninstall or otherwise remove McAfee from the equation on the target machine, as a troubleshooting step.
Yes, I was just taking a closer look, since we had version 5.X (version from 2014) of the Performance Monitor in use a few years before, and now we wanted to use it to debug performance of ENS 10.5.1 and 10.5.2.
Well, that's nice: we want to diagnose McAfee performance with a third-party MS tool and McAfee prevents us?
ENS 10.5.1 HF2 (Some 10.5.2) > machine we see the error 10.5.2 (RTS)
Any info welcome
Are you using the correct version of WPR?
I'm using Windows Performance Toolkit 8.1. It shows up in the Add Remove Programs as version 8.100.25984. The modules are part of 6.3.9600.16384 build.
I must add that WPT instances worked flawlessly on our machines for many years until a new McAfee package was pushed from corporate.
Well, this is interesting. I’ve re-downloaded the 8.1 ADK and WPTx64-x86_en-us.msi was identical to the one I used years ago. Then I noticed a WPT patch in the distribution: \Patches\8.100.26866\WPTx64-x86_en-us.msp. I applied it, which upgraded my environment to WPTx64 version 8.100.26837. The patch deployed a few modules from 6.3.9600.17* builds.
Initial testing shows promising results. I no longer get the error message while stopping and saving data. I’ll test it on a few additional machines with McAfee and will report the outcome.
Thanks for the tip, wouterr!
I've tested on a few other machines and confirmed that applying the \Patches\8.100.26866\WPTx64-x86_en-us.msp patch from the latest 8.1 ADK resolved the issue I reported.