Performance Monitoring CHAPTER 21
9. Select the Compare menu item and then click the Snap To Compare option. The second
window is resized to the same size as the anchor window and is overlaid on top of the
anchor window, as shown here.
NOTE You can still interact with both Performance Monitor windows individually to
change properties; select menu items; and minimize, maximize, or close the windows.
Performance Monitor User Rights
Performance Monitor user rights are specified as follows:
■ Administrators: Members of this group have local and remote full control.
■ Performance Log Users: Members of this group can access and log performance
  counter data locally and remotely (create, manipulate, and view logs).
■ Performance Monitor Users: Members of this group can access performance
  counter data locally and remotely (view logs).
NOTE On earlier versions of Windows, Performance Monitor can be used to monitor
Windows Vista and later computers with options previously available on earlier versions
of Windows but without support for new Windows Vista and later Performance Monitor
features. The user of the earlier version of Windows must also be in the local
Administrators group on the Windows Vista or later computer.
CHAPTER 21 Maintaining Desktop Health
Remote Data Collection
To enable all remote performance logging and alerting, you must perform the following
actions:
■ Enable the Performance Logs And Alerts firewall exception on the user’s computer.
■ Add the user to the Event Log Readers group. (This applies only when the user belongs
  to the Performance Log Users group.)
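The two requirements above can be checked before anything is changed. The following Windows PowerShell script is an added example, not code from the book: it lists who holds the performance-data rights described earlier and reports members of Performance Log Users who are missing from Event Log Readers. The function names are hypothetical, and reading local groups through the ADSI WinNT provider is a choice made for this example.

```powershell
# Added example: read-only audit of the local groups this section relies on.
# Assumption: run in Windows PowerShell on the computer that will be monitored.
# Limitation: nested domain groups are listed as one member and are not expanded.

function Get-LocalGroupMemberPath {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # Each member is a COM object; ADsPath looks like WinNT://DOMAIN/account
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function ConvertTo-AccountName {
    param([string]$AdsPath)
    # WinNT://DOMAIN/user -> DOMAIN\user; WinNT://WORKGROUP/PC/user -> PC\user
    $parts = ($AdsPath -replace '^WinNT://', '').Split('/')
    if ($parts.Count -ge 2) { return ($parts[-2..-1] -join '\') }
    return $parts[0]   # unresolved SID or bare name
}

$logUsers     = @(Get-LocalGroupMemberPath 'Performance Log Users')
$monitorUsers = @(Get-LocalGroupMemberPath 'Performance Monitor Users')
$logReaders   = @(Get-LocalGroupMemberPath 'Event Log Readers')

'Performance Log Users (create, manipulate, and view logs):'
$logUsers | ForEach-Object { '  ' + (ConvertTo-AccountName $_) }
'Performance Monitor Users (view logs):'
$monitorUsers | ForEach-Object { '  ' + (ConvertTo-AccountName $_) }

# Remote logging requirement from this section: a Performance Log Users member
# must also be in Event Log Readers. Print the fix instead of applying it.
$missing = @($logUsers | Where-Object { $logReaders -notcontains $_ })
if ($missing.Count -eq 0) {
    'Every Performance Log Users member is also in Event Log Readers.'
}
foreach ($path in $missing) {
    $account = ConvertTo-AccountName $path
    "Missing from Event Log Readers: $account"
    '  fix: net localgroup "Event Log Readers" "{0}" /add' -f $account
}

# The firewall exception is enabled per rule group (run from an elevated prompt):
'  netsh advfirewall firewall set rule group="Performance Logs and Alerts" new enable=yes'
```

Any account listed under either performance group can read counter data remotely, so review the output for accounts that no longer need that access.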
Managing Performance Logs and Event Trace Sessions with Logman
Logman.exe creates and manages Event Trace Session and Performance logs and supports
many functions of Performance Monitor from the command line. Logman commands include
the following:
■ logman create: Creates a counter, trace, configuration data collector, or API
■ logman query: Queries data collector properties
■ logman start: Starts data collection
■ logman stop: Stops data collection
■ logman delete: Deletes an existing data collector
■ logman update: Updates the properties of an existing data collector
■ logman import: Imports a DCS from an XML file
■ logman export: Exports a DCS to an XML file
■ logman /?: Displays help for logman
The following usage examples illustrate logman syntax.
logman create counter perf_log -c "\Processor(_Total)\% Processor Time"
logman create trace trace_log -nb 16 256 -bs 64 -o c:\logfile
logman start perf_log
logman update perf_log -si 10 -f csv -v mmddhhmm
logman update trace_log -p "Windows Kernel Trace" (disk,net)
For detailed syntax of logman commands and more examples of usage, see
http://technet.microsoft.com/en-us/library/cc753820.aspx.
Using Windows PowerShell for Performance Monitoring
New in Windows 7 is the capability of using Windows PowerShell for gathering performance
data. Three new Windows PowerShell cmdlets provide functionality as follows:
■ Get-counter: Gets real-time performance counter data from local and remote
  computers
■ Import-counter: Imports performance counter log files and creates objects that
  represent each counter sample in the log
■ Export-counter: Exports PerformanceCounterSampleSet objects as performance
  counter log (.blg, .csv, .tsv) files
For example, the following Windows PowerShell command gets the current “% Processor
Time” combined values for all processors on the local computer every 2 seconds until it has
100 values and displays the captured data.
PS C:\Users\mallen> Get-counter -Counter "\Processor(_Total)\% Processor Time" -SampleInterval 2 -MaxSamples 100
The following command continuously gets the current “% Processor Time” combined
values for all processors on the local computer every second (the default sampling interval)
and displays the captured data until you press CTRL+C.
PS C:\Users\mallen> Get-counter -Counter "\Processor(_Total)\% Processor Time" -Continuous
You can pipe the output of the Get-counter cmdlet into the Export-counter cmdlet. For
example, the following command gets the current “% Processor Time” combined values for
all processors on the local computer every 2 seconds until it has 100 values and exports the
captured data as a performance counter log file named Data1.blg, which is saved in the
current directory (here the root folder of user Michael Allen’s user profile).
PS C:\Users\mallen> Get-counter "\Processor(*)\% Processor Time" -SampleInterval 2 -MaxSamples 100 | Export-counter -Path $home\data1.blg
You can also pipe the output of the Import-counter cmdlet into the Export-counter cmdlet.
You might do this, for example, to convert a performance monitor log file from one format to
another, such as from .csv to .blg format.
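The conversion described above, followed by a summary of the converted log, as an added example that is not code from the book. It assumes Windows PowerShell (the version that ships these cmdlets); the file names under $home and the five-sample capture are choices made for this example.

```powershell
# Added example: capture to .csv, convert .csv to .blg, then summarize the .blg.
# Assumed file names; both files are overwritten if they already exist.
$csv = Join-Path $home 'data1.csv'
$blg = Join-Path $home 'data1.blg'

# 1. Capture 5 samples, 2 seconds apart, for every processor instance and
#    write them as a comma-separated performance counter log.
Get-Counter -Counter '\Processor(*)\% Processor Time' -SampleInterval 2 -MaxSamples 5 |
    Export-Counter -Path $csv -FileFormat CSV -Force

# 2. Convert the log from .csv to .blg by piping Import-Counter into
#    Export-Counter, as described in the text.
Import-Counter -Path $csv |
    Export-Counter -Path $blg -FileFormat BLG -Force

# 3. Read the converted log back. Each imported object is one sample set;
#    its CounterSamples property holds one sample per counter instance.
Import-Counter -Path $blg |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property InstanceName |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        New-Object PSObject -Property @{
            Instance   = $_.Name
            Samples    = $stats.Count
            AveragePct = [math]::Round($stats.Average, 1)
            PeakPct    = [math]::Round($stats.Maximum, 1)
        }
    } |
    Sort-Object -Property PeakPct -Descending |
    Format-Table Instance, Samples, AveragePct, PeakPct -AutoSize
```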
MORE INFO For more information on using Windows PowerShell for performance monitoring,
see the help for the Get-counter, Import-counter, and Export-counter cmdlets in the
Windows PowerShell Cmdlet Help Topics at http://technet.microsoft.com/en-us/library/dd347701.aspx.
Resource Monitor
The Resource Overview screen of the Reliability and Performance Monitor Control Panel item
in Windows Vista has become a separate tool in Windows 7 called Resource Monitor (see
Figure 21-6). You can open Resource Monitor using any of the following methods:
■ Type resource in the Start menu search box and click Resource Monitor when Resource
  Monitor appears in the Programs group.
■ Type perfmon /res in the Start menu search box or at a command prompt and press
  Enter.
■ Open Performance Monitor, right-click on the Monitoring Tools node, and select
  Resource Monitor.
■ Select Action Center, View Performance Information, Advanced Tools, Open Resource
  Monitor.
FIGURE 21-6 The Overview tab of Resource Monitor
Resource Monitor provides considerably more information in Windows 7 than the Resource
Overview screen of the Reliability and Performance Monitor did in Windows Vista. The
following sections summarize the information displayed on each tab of Resource Monitor.
NOTE Once you configure Resource Monitor to filter and display the information you
want, you can save the configuration as an XML file by selecting Save Settings As from
the File menu. You can save multiple configurations and then load each configuration as
desired to display only the information you want to see.
Overview Tab
The Overview tab (see Figure 21-6) displays graphs of CPU, disk, and network utilization,
and a graph showing the rate of hard memory faults on the computer. These graphs can be
resized using the Views button. The Overview tab also displays a summary of CPU, disk,
network, and memory usage on the system as follows:
■ CPU: Displays the image name, Process Identifier (PID), description, status, number of
  threads, current percent of CPU consumption, and average CPU consumption for each
  process running on the computer. In addition, you can right-click a process and select
  any of the following options:
  • End Process
  • End Process Tree
  • Analyze Wait Chain
  • Suspend Process
  • Resume Process
  • Search Online
  By selecting the check box for one or more processes, you can filter the information
  displayed in the Disk, Network, and Memory sections of this tab.
■ Disk: Displays the image name, PID, file name, average number of bytes per second
  read from the file, average number of bytes per second written to the file, average
  total number of bytes per second read from and written to the file, priority of I/O
  transfers, and disk response time in milliseconds for each process accessing the disk
  subsystem on the computer.
■ Network: Displays the image name, PID, address (IP, NetBIOS, or fully qualified
  domain name [FQDN]) to which the process is connected, average number of bytes
  per second sent, average number of bytes per second received, and average number
  of bytes per second transferred for each process accessing the network subsystem on
  the computer.
■ Memory: Displays the image name, PID, average number of hard page faults per
  second, kilobytes of virtual memory reserved by the operating system for the process,
  kilobytes of virtual memory currently in use by the process, kilobytes of virtual
  memory currently in use by the process that can be shared with other processes, and
  kilobytes of virtual memory currently in use by the process that cannot be shared with
  other processes for all processes on the system.
CPU Tab
The CPU tab displays graphs of percent total processor usage, percent processor usage used
by services, and percent processor usage for each logical or physical CPU on the computer.
The CPU tab also displays the following information concerning CPU utilization on the
computer:
■ Processes: Displays the image name, PID, description, status, number of threads,
  current percent of CPU consumption, and average CPU consumption for each process
  running on the computer. In addition, you can right-click a process and select any of
  the following options:
  • End Process
  • End Process Tree
  • Analyze Wait Chain
  • Suspend Process
  • Resume Process
  • Search Online
■ Services: Displays the image name, PID, description, status, service group name,
  current percent of CPU consumption, and average CPU consumption for each process
  running on the computer. In addition, you can right-click a process and perform any of
  the following options:
  • Start Service
  • Stop Service
  • Restart Service
  • Search Online
■ Associated Handles: By selecting the check box for one or more processes in the
  Processes section of this tab, you can display the image name, PID, handle type, and
  handle name for each handle associated with the process. You can also search for the
  handles associated with a process by typing the name of the process in the Search
  Handles box.
■ Associated Modules: By selecting the check box for one or more processes in the
  Processes section of this tab, you can display the image name, PID, module name,
  module version, and full path to the module file for each module associated with the
  process. You can also search for the modules associated with a process by typing the
  name of the process in the Search Modules box.
Memory Tab
The Memory tab (see Figure 21-7) displays percentage graphs of used physical memory,
commit charge, and hard faults per second. The Memory tab also displays the following
information concerning memory utilization on the computer:
■ Processes: Displays the image name, PID, average number of hard page faults per
  second, kilobytes of virtual memory reserved by the operating system for the process,
  kilobytes of virtual memory currently in use by the process, kilobytes of virtual
  memory currently in use by the process that can be shared with other processes, and
  kilobytes of virtual memory currently in use by the process that cannot be shared with
  other processes for all processes on the system. In addition, you can right-click a
  process and select any of the following options:
  • End Process
  • End Process Tree
  • Analyze Wait Chain
  • Suspend Process
  • Resume Process
  • Search Online
■ Physical Memory: Displays a map of how physical memory is being allocated on the
  computer.
FIGURE 21-7 The Memory tab of Resource Monitor, showing the map of physical memory allocation
NOTE Hard page faults are a better indicator of memory starvation than soft page faults.
A hard page fault occurs when the referenced memory page is no longer in physical
memory and has been paged to the disk. A hard page fault is not an error, but it can indicate
that more memory is needed to provide optimal performance.
Disk Tab
The Disk tab displays a graph of total disk activity on the computer and graphs of disk queue
length for each disk on the system. The Disk tab also displays the following information
concerning disk utilization on the computer:
■ Processes With Disk Activity: Displays the image name, PID, average number of
  bytes per second read from the file, average number of bytes per second written to
  the file, and average total number of bytes per second read from and written to the
  file for each process accessing the disk subsystem on the computer. In addition, you
  can right-click a process and select any of the following options:
  • End Process
  • End Process Tree
  • Analyze Wait Chain
  • Suspend Process
  • Resume Process
  • Search Online
  By selecting the check box for one or more processes in the Processes With Disk
  Activity section of this tab, you can filter the information displayed in the Disk Activity
  section of this tab.
■ Disk Activity: Displays the image name, PID, file name, average number of bytes
  per second read from the file, average number of bytes per second written to the file,
  average total number of bytes per second read from and written to the file, priority of
  I/O transfers, and disk response time in milliseconds for each process accessing the disk
  subsystem on the computer.
■ Storage: Displays the logical drive number, physical disk number, percentage of time
  the disk is not idle, free megabytes on the physical disk, total megabytes of space on
  the physical disk, and average disk queue length for each logical drive on the
  computer.
Network Tab
The Network tab displays graphs of average bytes transferred, number of Transmission Control
Protocol (TCP) connections, and total network utilization for each network connection on
the computer. The Network tab also displays the following information concerning network
utilization on the computer:
■ Processes with Network Activity: Displays the image name, PID, average number
  of bytes per second sent, average number of bytes per second received, and average
  number of bytes per second transferred for each process accessing the network
  subsystem on the computer. In addition, you can right-click a process and select any of the
  following options:
  • End Process
  • End Process Tree
  • Analyze Wait Chain
  • Suspend Process
  • Resume Process
  • Search Online
  By selecting the check box for one or more processes in the Processes With Network
  Activity section of this tab, you can filter the information displayed in the Network
  Activity section of this tab.
■ Network Activity: Displays the image name, PID, address (IP, NetBIOS, or FQDN) to
  which the process is connected, average number of bytes per second sent, average
  number of bytes per second received, and average number of bytes per second
  transferred for each process accessing the network subsystem on the computer.
■ TCP Connections: Displays the image name, PID, local address and port number,
  remote address and port number, percentage of packet loss, and round-trip latency in
  milliseconds for each TCP connection on the computer.
■ Listening Ports: Displays the image name, PID, listening IP address, listening port
  number, network protocol, and firewall port status for each listening port on the
  computer.
Reliability Monitor
Reliability Monitor provides a graphical overview of the stability of a computer over time
together with detailed information about individual events that may affect the overall stability
of the system (see Figure 21-8). Reliability Monitor begins to collect data at the time of system
installation. It then presents that data in a chart format that can be used to identify drivers,
applications, or hardware that are causing stability issues or reliability problems on the
computer. You can open Reliability Monitor using any of the following methods:
■ Type reliability in the Start menu search box and click View Reliability History when it
  appears in the Programs group.
■ Type perfmon /rel in the Start menu search box or at a command prompt and press
  Enter.
■ Open Performance Monitor, right-click the Monitoring Tools node, and select View
  System Reliability.
FIGURE 21-8 Reliability Monitor
Reliability Monitor tracks the following five categories of events:
■ Application failures
■ Windows failures
■ Miscellaneous failures
■ Warnings
■ Information
How Reliability Monitor Works
Reliability Monitor gathers and processes data using the Reliability Analysis Component (RAC)
of Windows 7. Data is automatically collected by the reliability analysis metrics calculation
executable (RACAgent.exe), also known as the RACAgent process. The RACAgent analyzes,
aggregates, and correlates user disruptions in the operating system, services, and programs
and then processes the data into reliability metrics. The RACAgent runs as a hidden scheduled
task named RACAgent to collect specific events from the event log. The RACAgent runs once
every hour to collect relevant event log data and processes data once every 24 hours, so
stability data will not be available immediately after installation.
After the data is collected, the RACAgent processes this information using a weighted
algorithm. The result of the data processing is a stability index number that can vary on a
scale from 0 to 10, with 0 being the least reliable and 10 being the most reliable. The stability
index and the results of the event tracing are then displayed in graphical form over time.
System reliability information is displayed graphically as data points that represent the
reliability index of the system for a specific day or week, depending upon the view selected.
The horizontal axis displays the date range and the vertical axis displays the Stability Index
number. The chart uses icons (red circles for critical events, yellow triangles for warnings, and
blue circles for informational events) to indicate if an event of interest has occurred in one of
the major categories on the indicated day or week. You can access the details of an event or
failure by clicking the day or week the event occurred and then clicking View Technical Details
for the event in the scrolling list box at the bottom. The Stability Index is the primary indicator
of system stability over time based on the data that is gathered and processed by Reliability
Monitor. The graph indicates the value of the stability index over the time range selected.
Reliability Monitor tracks the number of user disruptions per day over a 28-day rolling
window of time, with the latest day of the rolling window being the current day. The Stability
Index algorithm processes the information and calculates the stability index relative to the
current day. Until the Reliability Monitor has collected 28 days of data, the Stability Index is
displayed as a dotted line on the graph, indicating that it has not yet established a valid
baseline for the measurement.