[comment]: # translation:outdated

[comment]: # ({44f69d14-44f69d14})
# Windows-specific item keys

[comment]: # ({/44f69d14-44f69d14})

[comment]: # ({6d38e491-28a01178})
#### Item keys

The table provides details on the item keys that you can use with Zabbix
Windows agent only.

|Key|<|<|<|<|
|---|-|-|-|-|
|<|Description|Return value|Parameters|Comments|
|eventlog\[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>\]|<|<|<|<|
|<|Event log monitoring.|Log|**name** - name of event log<br>**regexp** - regular expression describing the required pattern<br>**severity** - regular expression describing severity<br>This parameter accepts the following values: "*Information*", "*Warning*", "*Error*", "*Critical*", "*Verbose*" (since Zabbix 2.2.0 running on Windows Vista or newer)<br>**source** - regular expression describing source identifier (regular expression is supported since Zabbix 2.2.0)<br>**eventid** - regular expression describing the event identifier(s)<br>**maxlines** - maximum number of new lines per second the agent will send to Zabbix server or proxy. This parameter overrides the value of 'MaxLinesPerSecond' in [zabbix\_agentd.win.conf](/manual/appendix/config/zabbix_agentd_win)<br>**mode** - possible values:<br>*all* (default), *skip* - skip processing of older data (affects only newly created items).|The item must be configured as an [active check](/manual/appendix/items/activepassive#active_checks).<br><br>Examples:<br>=> eventlog\[Application\]<br>=> eventlog\[Security,,"Failure Audit",,\^(529\|680)$\]<br>=> eventlog\[System,,"Warning\|Error"\]<br>=> eventlog\[System,,,,\^1$\]<br>=> eventlog\[System,,,,\@TWOSHORT\] - here a [custom regular expression](/manual/regular_expressions) named `TWOSHORT` is referenced (defined as a *Result is TRUE* type, the expression itself being `^1$\|^70$`).<br><br>*Note* that the agent is unable to send in events from the "Forwarded events" log.<br><br>The `mode` parameter is supported since Zabbix 2.0.0.<br>"Windows Eventing 6.0" is supported since Zabbix 2.2.0.<br><br>Note that selecting a non-Log [type of information](/manual/config/items/item#configuration) for this item will lead to the loss of local timestamp, as well as log severity and source information.<br><br>See also additional information on [log monitoring](/manual/config/items/itemtypes/log_items).|
|net.if.list|<|<|<|<|
|<|Network interface list (includes interface type, status, IPv4 address, description).|Text|<|Supported since Zabbix agent version 1.8.1. Multi-byte interface names supported since Zabbix agent version 1.8.6. Disabled interfaces are not listed.<br><br>Note that enabling/disabling some components may change their ordering in the Windows interface name.<br><br>Some Windows versions (for example, Server 2008) might require the latest updates installed to support non-ASCII characters in interface names.|
|perf\_counter\[counter,<interval>\]|<|<|<|<|
|<|Value of any Windows performance counter.|Integer, float, string or text (depending on the request)|**counter** - path to the counter<br>**interval** - last N seconds for storing the average value.<br>The `interval` must be between 1 and 900 seconds (included) and the default value is 1.|Performance Monitor can be used to obtain list of available counters. Until version 1.6 this parameter will return correct value only for counters that require just one sample (like \\System\\Threads). It will not work as expected for counters that require more that one sample - like CPU utilisation. Since 1.6, `interval` is used, so the check returns an average value for last "interval" seconds every time.<br><br>See also: [Windows performance counters](/manual/config/items/perfcounters).|
|proc\_info\[process,<attribute>,<type>\]|<|<|<|<|
|<|Various information about specific process(es).|Float|**process** - process name<br>**attribute** - requested process attribute<br>**type** - representation type (meaningful when more than one process with the same name exists)|The following `attributes` are supported:<br>*vmsize* (default) - size of process virtual memory in Kbytes<br>*wkset* - size of process working set (amount of physical memory used by process) in Kbytes<br>*pf* - number of page faults<br>*ktime* - process kernel time in milliseconds<br>*utime* - process user time in milliseconds<br>*io\_read\_b* - number of bytes read by process during I/O operations<br>*io\_read\_op* - number of read operation performed by process<br>*io\_write\_b* - number of bytes written by process during I/O operations<br>*io\_write\_op* - number of write operation performed by process<br>*io\_other\_b* - number of bytes transferred by process during operations other than read and write operations<br>*io\_other\_op* - number of I/O operations performed by process, other than read and write operations<br>*gdiobj* - number of GDI objects used by process<br>*userobj* - number of USER objects used by process<br><br>Valid `types` are:<br>*avg* (default) - average value for all processes named <process><br>*min* - minimum value among all processes named <process><br>*max* - maximum value among all processes named <process><br>*sum* - sum of values for all processes named <process><br><br>Examples:<br>=> proc\_info\[iexplore.exe,wkset,sum\] - to get the amount of physical memory taken by all Internet Explorer processes<br>=> proc\_info\[iexplore.exe,pf,avg\] - to get the average number of page faults for Internet Explorer processes<br><br>Note that on a 64-bit system, a 64-bit Zabbix agent is required for this item to work correctly.<br><br>Note: *io\_\**, *gdiobj* and *userobj* attributes are available only on Windows 2000 and later versions of Windows, not on Windows NT 4.0.|
|service.discovery|<|<|<|<|
|<|List of Windows services. Used for [low-level discovery](/manual/discovery/low_level_discovery#discovery_of_windows_services).|JSON object|<|Supported since Zabbix agent version 3.0.|
|service.info\[service,<param>\]|<|<|<|<|
|<|Information about a service.|Integer - with `param` as *state*, *startup*<br><br>String - with `param` as *displayname*, *path*, *user*<br><br>Text - with `param` as *description*<br><br>Specifically for *state*:<br>0 - running,<br>1 - paused,<br>2 - start pending,<br>3 - pause pending,<br>4 - continue pending,<br>5 - stop pending,<br>6 - stopped,<br>7 - unknown,<br>255 - no such service<br><br>Specifically for *startup*:<br>0 - automatic,<br>1 - automatic delayed,<br>2 - manual,<br>3 - disabled,<br>4 - unknown,<br>5 - automatic trigger start,<br>6 - automatic delayed trigger start,<br>7 - manual trigger start|**service** - a real service name or its display name as seen in MMC Services snap-in<br>**param** - *state* (default), *displayname*, *path*, *user*, *startup* or *description*|Examples:<br>=> service.info\[SNMPTRAP\] - state of the SNMPTRAP service<br>=> service.info\[SNMP Trap\] - state of the same service, but with display name specified<br>=> service.info\[EventLog,startup\] - startup type of the EventLog service<br><br>Items service.info\[service,state\] and service.info\[service\] will return the same information.<br><br>Note that only with `param` as *state* this item returns a value for non-existing services (255).<br><br>This item is supported since Zabbix 3.0.0. It should be used instead of the deprecated service\_state\[service\] item.|
|services\[<type>,<state>,<exclude>\]|<|<|<|<|
|<|Listing of services.|0 - if empty<br><br>Text - list of services separated by a newline|**type** - *all* (default), *automatic*, *manual* or *disabled*<br>**state** - *all* (default), *stopped*, *started*, *start\_pending*, *stop\_pending*, *running*, *continue\_pending*, *pause\_pending* or *paused*<br>**exclude** - services to exclude from the result. Excluded services should be listed in double quotes, separated by comma, without spaces.|Examples:<br>=> services\[,started\] - list of started services<br>=> services\[automatic, stopped\] - list of stopped services, that should be run<br>=> services\[automatic, stopped, "service1,service2,service3"\] - list of stopped services, that should be run, excluding services with names service1, service2 and service3<br><br>The `exclude` parameter is supported since Zabbix 1.8.1.|
|wmi.get\[<namespace>,<query>\]|<|<|<|<|
|<|Execute WMI query and return the first selected object.|Integer, float, string or text (depending on the request)|**namespace** - WMI namespace<br>**query** - WMI query returning a single object<br>|Example:<br>=> wmi.get\[root\\cimv2,select status from Win32\_DiskDrive where Name like '%PHYSICALDRIVE0%'\] - returns the status of the first physical disk.<br><br>This key is supported since Zabbix 2.2.0.|
|vm.vmemory.size\[<type>\]|<|<|<|<|
|<|Virtual space size in bytes or in percentage from total.|Integer - for bytes<br><br>Float - for percentage|**type** - possible values:<br>*available* (available virtual memory), *pavailable* (available virtual memory, in percent), *pused* (used virtual memory, in percent), *total* (total virtual memory, default), *used* (used virtual memory)|Example:<br>=> vm.vmemory.size\[pavailable\] → available virtual memory, in percentage<br><br>Monitoring of virtual memory statistics is based on:<br>The maximum amount of memory Zabbix agent can commit.<br>The current committed memory limit for the system or Zabbix agent, whichever is smaller.<br><br>This key is supported since Zabbix 3.0.7 and 3.2.3.|

[comment]: # ({/6d38e491-28a01178})

[comment]: # ({12f32694-12f32694})
#### Monitoring Windows services

This tutorial provides step-by-step instructions for setting up the
monitoring of Windows services. It is assumed that Zabbix server and
agent are configured and operational.

[comment]: # ({/12f32694-12f32694})

[comment]: # ({110cbb70-110cbb70})
##### Step 1

Get the service name.

You can get that name by going to MMC Services snap-in and bringing up
the properties of the service. In the General tab you should see a field
called 'Service name'. The value that follows is the name you will use
when setting up an item for monitoring.

For example, if you wanted to monitor the "workstation" service then
your service might be: **lanmanworkstation**.

[comment]: # ({/110cbb70-110cbb70})

[comment]: # ({d5dd9159-d5dd9159})
##### Step 2

[Configure an item](/manual/config/items/item) for monitoring the
service.

The item service.info\[service,<param>\] retrieves the information
about a particular service. Depending on the information you need,
specify the *param* option which accepts the following values:
*displayname*, *state*, *path*, *user*, *startup* or *description*. The
default value is *state* if *param* is not specified
(service.info\[service\]).

The type of return value depends on chosen *param*: integer for *state*
and *startup*; character string for *displayname*, *path* and *user*;
text for *description*.

Example:

-   *Key*: service.info\[lanmanworkstation\]
-   *Type of information*: Numeric (unsigned)
-   *Show value*: select the *Windows service state* value mapping

Two value maps are available *Windows service state* and *Windows
service startup type* to map a numerical value to a text representation
in the Frontend.

[comment]: # ({/d5dd9159-d5dd9159})

[comment]: # ({4db55d8f-4db55d8f})
#### Discovery of Windows services

[Low-level discovery](/manual/discovery/low_level_discovery) provides a
way to automatically create items, triggers, and graphs for different
entities on a computer. Zabbix can automatically start monitoring
Windows services on your machine, without the need to know the exact
name of a service or create items for each service manually. A filter
can be used to generate real items, triggers, and graphs only for
services of interest.

[comment]: # ({/4db55d8f-4db55d8f})