4

Can someone clarify for me exactly what permissions are required to read from and write to performance counters? I'm not seeing that I need any kind of special permissions to read/write performance counters and that's contrary to most resources I've found.

A training that I took, as well as most resources on the web, indicate that managing performance counters (creating, deleting) requires admin permissions, and reading/writing requires admin or membership in the local Performance Monitor Users group. I've verified the first, but as for reading/writing, I don't seem to have any problems doing this on my Win8.1 machine as a non-admin user. I can read perf counters using perfmon, PowerShell and the .NET API and write to custom perf counters using the .NET API, all as a non-admin.

Has this changed across OS versions? Or perhaps something in my corporate domain policy allows for it?

nlawalker

1 Answer

1

Only non-interactive logon sessions require the user to have membership in the Performance Monitor Users or Administrator groups in order to read performance counters.

Note that I am not a Microsoft employee, and I have not found any documentation that provides an authoritative statement of this behavior. I only determined this behavior through my own testing.

Specifically, when logging on with LogonUserEx, if the logon type is LOGON32_LOGON_NETWORK, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_LOGON_BATCH, or LOGON32_LOGON_SERVICE, then membership in one of the previously mentioned groups is required in order to read performance counters. However, if logging on with LOGON32_LOGON_INTERACTIVE or any of the other miscellaneous login types listed in the LogonUserEx documentation, then membership in one of the previously mentioned groups is not required in order to read performance counters.

Additionally, I determined that Vista RTM did enforce this restriction for interactive login sessions, and the current relaxed state for interactive login sessions was introduced in Vista SP1. While there are practically no users running Vista RTM today, this is good context to keep in mind if you read documentation or other advice that may have been written back then (or more recent advice that may have been blindly copied from older advice).

mrok
  • Confirmed on Windows 10 21H2 with a virtual service account. Adding the account to the _Performance Monitor Users_ group allowed PowerShell's `Get-Counter` to work. – tangle Aug 17 '22 at 04:21
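
A way to check the behaviour described in the answer from inside any session (interactive, scheduled task, service). This is an added example, not part of the original answer or comment. It assumes the well-known logon-type SIDs in the token are a usable proxy for the LogonUserEx logon type, and that the English counter path `\Processor(_Total)\% Processor Time` exists on the machine.

```powershell
# Added example: compare the current token with the behaviour reported in the answer.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Well-known SIDs for the two groups the answer names.
$groupSids = @{
    'Administrators'            = 'S-1-5-32-544'
    'Performance Monitor Users' = 'S-1-5-32-558'
}
# Well-known SIDs added to a token according to how the session logged on.
# Assumption: these stand in for the LOGON32_LOGON_* types in the answer.
$logonSids = @{
    'NETWORK' = 'S-1-5-2'; 'BATCH' = 'S-1-5-3'
    'INTERACTIVE' = 'S-1-5-4'; 'SERVICE' = 'S-1-5-6'
}

$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# IsInRole reflects the effective token, so a non-elevated administrator
# (UAC-filtered token) reports no Administrators membership here.
$memberOf = @(foreach ($name in $groupSids.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($groupSids[$name])
    if ($principal.IsInRole($sid)) { $name }
})
$logonKinds = @(foreach ($name in $logonSids.Keys) {
    if ($tokenSids -contains $logonSids[$name]) { $name }
})

# Per the answer: network, batch and service logons need group membership;
# interactive and the remaining logon types do not.
$restricted     = @($logonKinds | Where-Object { $_ -ne 'INTERACTIVE' }).Count -gt 0
$expectedToRead = (-not $restricted) -or ($memberOf.Count -gt 0)

# Attempt a real read and record what actually happens.
$readError = $null
try {
    $null = Get-Counter -Counter '\Processor(_Total)\% Processor Time' -MaxSamples 1 -ErrorAction Stop
    $actualRead = $true
} catch {
    $actualRead = $false
    $readError  = $_.Exception.Message
}

[pscustomobject]@{
    User = $identity.Name; LogonKinds = $logonKinds -join ','
    MemberOf = $memberOf -join ','; ExpectedToRead = $expectedToRead
    ActualRead = $actualRead; Error = $readError
}
```

Running it once interactively and once as a scheduled task or service under the same account shows whether `ExpectedToRead` and `ActualRead` agree on a given OS build, which is the difference a least-privilege service account needs to account for.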