Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is the rule behind the Windows System process group?


I would really like to be able to understand the rule behind the scenes for the Windows System process group. I have seen some other postings looking to break certain processes out of this process group (lsass.exe) but just a general understanding of hey we lump these processes because of "X" would be great to be able to communicate with my customers.



Come on....nobody??? I guess i'll submit a support ticket...

DynaMight Guru
DynaMight Guru

Hi Tommy

I think will help you


dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel


Definitely came across that link and while it is very helpful to understand how DT identifies processes and groups them, it doesn't provide the rule behind "What falls into the Windows System Process group".


Hello Tommy,

They probably use the environment variables to assign processes into the Windows System Process group. In the below link it talks about customizing the grouping for Windows services and that is the method they suggest to do so.


David Nicholls


Thanks David, after reading that I was super excited to give it a shot. I'm specifically trying to break out a certain windows service, "Active Directory Domain Services" on our primary domain controller where I have an infrastructure only agent running. I went through the steps and added the variable in the registry and restarted the service but haven't seen anything break out. I do see that this host has a restart that's going to happen tonight so I'll let that happen naturally and see if, since it was a registry change, that perhaps it needed a reboot of the actual host.

I really appreciate the link.



Glad to know it was able to help!


Well, unfortunately from my testing the custom process group detection is not working and the final method that is explained if all else does not work is just not very clear what to do. It would be great if someone else in the community could give it a whirl.

Thanks, Tommy

@Tommy N. did you create a process detection rule for the environment variable you created?

I did but nothing ever showed. I even setup the rule and made the changes just prior to a scheduled reboot of the system so everything, registry wise, should have been fresh.

I need to give this another shot.

Ok, ran through this again with no luck. Added registry entry on secondary domain controller that has lsass.exe running on it(NTDS service). Setup a process group detection rule looking for an environment variable equal to DT_CLUSTER_ID. Restarted the NTDS service. Nothing...

Also added a Process Group Monitoring rule looking for an exe running with name equatl to "lsass.exe". Restarted the process again....nothing.

Hi all, just realized that I might also has to answer customer's question on this later in near future.

Any new idea or discoveries? The way I see it I can only customer based on port number (for example in this screenshot I know 3389 is for RDP)

But then, I am not quite sure this way of looking at the listening port number is a verification approach or identification approach. It most fellow community member also get these ports numbers in their environment then we've got our answer.

Do you need to split the processes on the listening port? This won't be possible as the process detection happens actually before the application even starts and listening sockets are created by the application itself.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner


Windows services, which are run under or started by svchost.exe (which is the case for most infrastructure services) are grouped into a special process group, called Windows System. It is not visible on the main host screen, but you should see it if you click the ‘All processes’ button.

Please note that there are exceptions from the above rule. For some selected processes, like IIS for example, we report them separately. However, it is not currently possible to configure which processes are added to Windows System group.

Dynatrace Advisor
Dynatrace Advisor

To get a more granular breakdown you can enable automatic process snapshots that run based on any of these triggering events or you can run a snapshot manually by selecting ... in the Process Snapshots section on a specific host page.

  • High host CPU usage
  • High host memory usage
  • High packet drop rates
  • High NIC utilization rates
  • High number of NIC errors
  • Process availability events

Process instance snapshotlawrence_cuneaz_1-1677797197438.png 

Featured Posts