I installed a Windows universal forwarder on version 5.* 2 years ago, and upgraded it to 6.1.* recently.
Comparing the old upgraded UF versus a fresh install, I noticed that the old one was using much more resources (CPU/memory) to collect the Windows logs (perfmon, wineventlogs ...).
It seems that the only difference is the version of the Splunk Add-on for Microsoft Windows that was installed by the MSI installer.
I am not using a deployment server. Does it mean that the upgrade of Splunk does not upgrade the Windows TA?
That is correct, upgrade does not install the latest version of Splunk_TA_windows, only new installs do. I have seen cases like yours and upgrading Splunk_TA to the latest version has resolved issues with High CPU/Mem. To find out what version you are on, go to the etc/apps/splunk_TA_Windows/default/app.conf and look at the build.
ex 4.6.3 = build 172675
4.7.1 = build 226229
latest 4.7.3 = build 237290
Installing the latest Windows TA solved the performance problem.
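
The check described in the answer, as an added PowerShell example that is not part of the original thread: it reads the build from app.conf text and compares it with the three build numbers quoted above. The function names, the [install]/[launcher] stanza and key names, the sample file contents and the install directory in the closing comment are assumptions.

```powershell
# Added example: report which Splunk_TA_windows build a forwarder carries.
# Build-to-version pairs are the ones quoted in the answer above.
$KnownBuilds = @{ '172675' = '4.6.3'; '226229' = '4.7.1'; '237290' = '4.7.3' }
$LatestQuotedBuild = '237290'

# Parse Splunk .conf text into a "stanza/key" -> value table.
function Get-AppConfSettings {
    param([string[]]$Lines)
    $settings = @{}
    $stanza = 'default'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            $settings["$stanza/$key"] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Get-TaBuildReport {
    param([string[]]$Lines)
    $s = Get-AppConfSettings -Lines $Lines
    $build = $s['install/build']          # assumed stanza/key names
    $quoted = $null
    if ($build -and $KnownBuilds.ContainsKey($build)) { $quoted = $KnownBuilds[$build] }
    [pscustomobject]@{
        Build            = $build
        DeclaredVersion  = $s['launcher/version']   # assumed stanza/key names
        VersionPerThread = $quoted
        IsLatestQuoted   = ($build -eq $LatestQuotedBuild)
    }
}

# Constructed sample contents, standing in for the real file.
$sample = @'
[install]
state = enabled
build = 172675

[launcher]
version = 4.6.3
'@ -split "`r?`n"

Get-TaBuildReport -Lines $sample

# On a forwarder (install directory is an assumption; adjust to yours):
# $conf = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_TA_Windows\default\app.conf'
# Get-TaBuildReport -Lines (Get-Content -LiteralPath $conf)
```

A build that is not one of the three quoted leaves VersionPerThread empty, since the thread gives no mapping for other builds.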