As discussed in Chapter 10 you can use Task Manager to determine the overall utilization of system resources. The Processes and Details tabs in Task Manager provide information about resources being used by running processes. What’s missing from Task Manager, however, is the ability to take a deep look at how processes are using resources, and this deep-look capability is exactly what Resource Monitor provides.

You can start Resource Monitor by selecting the related option on the Tools menu in Server Manager. Alternatively, type Resource Monitor in the Everywhere Search box and press Enter.

When you start Resource Monitor, shown in Figure 11-1, you see that the statistics provided are organized into five general categories:

Each of these categories can be used for comprehensive performance analysis, and in the sections that follow, I show you how.

Figure 11-1. Use Resource Monitor to get detailed information about per-process resource utilization.

Getting an overview of resource utilization

The Overview tab in Resource Monitor, shown in Figure 11-2, provides a detailed overview of resource utilization. Top-level utilization statistics are tracked in the graphs and on the panel bars. In accordance with the legend shown on the panel bars, the values are plotted in either green or blue on the corresponding graph. The statistics tracked include the following:

• % CPU usage

• CPU maximum frequency

• Disk I/O bytes per second

• Disk % highest active time

• Network I/O bytes per second

• % Network utilization

• Memory hard faults per second

• % Physical memory used

Figure 11-2. The Overview tab in Resource Monitor provides an overview of resource utilization.

At first glance, the information provided seems similar to that available in Task Manager. What’s different, however, is that when you select one or more processes on the CPU panel, you see related utilization statistics for the processes on the Disk panel, Network panel, and Memory panel. You also see related activity plotted in orange on the CPU, Disk, Network, and Memory graphs.

Note

The CPU, Disk, Network, and Memory panels show a subset of the information available on the related tabs. Your process selections are applied globally so that you can determine exactly how the selected processes are using CPU, disk, network, and memory resources.

In the example, I selected three processes for tracking: sqlservr.exe, System, and sqlwriter.exe. I chose these processes because I already determined in Task Manager that these were some of the most active processes on the server, and I wanted to determine how these processes were affecting the server. I quickly learned that these processes weren’t affecting the CPU nearly as much as I thought. Although the processor utilization on the server was performing well at about 70 percent, these processes seemed to be using few actual CPU resources. However, they were high consumers of disk and network resources (and, in fact, accounted for nearly all the disk and network activity).

By examining the disk and network activity, I was able to identify exactly which activities were using these resources. Although some of the disk I/O activity was related to SQL Server, the bulk of the activity was related to large data transfers. One data transfer in particular involved a large data set that was being moved from another file server to the server I was analyzing. You can see this in the three entries under Disk and the first entry under Network. Under Disk, a large write is in progress for the C:Shares folder. Under Network, a large data set is being received from another server.

Tracking per-process CPU utilization

The CPU tab in Resource Monitor shows the current CPU utilization and the maximum CPU frequency. If you expand the Processes panel (by tapping or clicking the options button), as shown in Figure 11-3, you see a list of currently running executables. Each process is listed according to the following categories:

• Average CPU. The average percentage of CPU utilization for the process in the last minute

• CPU. The percentage of CPU utilization for the process (across all physical and logical processors)

• Description. The name of the process (and sometimes other information as well)

• Image. The name of the process or executable running the process

• PID. The numeric identifier for the process

• Status. The execution status of the process

• Threads. The number of threads the process is using

Figure 11-3. The CPU tab in Resource Monitor provides detailed per-process information about CPU utilization.

If you press and hold or right-click any column header and then choose Select Columns, you see a dialog box that enables you to add columns to the CPU panel. The additional columns that are available include the following:

• Average Cycle. The average percentage of CPU cycle time for the process (over a 60-second interval).

• Cycle. The current percentage of CPU cycle time the process is using.

• Elevated. The elevation status of the process. An entry of Yes indicates an elevated process.

• Operating System Context. The operating system context in which the process is running, such as Windows Server 2012 R2 or Windows 8.1.

• Platform. The platform on which the process is running, either 32-bit or 64-bit.

• User Name. The name of the user or service that is running the process.

Select one or more processes on the Processes panel to get more detailed information about how those processes are using CPU resources. As you select processes for tracking, keep in mind that your selections are global. The same selections will appear in the other tabs in Resource Monitor.

When you select one or more processes for tracking, you see additional details on these panels:

• Services. Shows the name of the service running a process or processes, along with process identifiers, the status, descriptions of the services, percentage of CPU utilization, and the average percentage of CPU utilization.

• Associated Handles. Shows the names of the handles associated with the selected processes, listed by the executable name of the process, the process identifier, the handle type, and the handle file path.

• Associated Modules. Shows the names of modules loaded by the selected processes, listed by the executable name of the process, the process identifier, the module name, the module version, and the module file path.

Use this information to help you identify which services are running processes and which handles and modules a process is using. No additional details can be added to the Services, Associated Handles, or Associated Modules panels.

TROUBLESHOOTING: Resolve the CPU performance issue

For troubleshooting performance issues related to a server’s processors, you might want to evaluate whether it makes sense to move applications and services from an over-utilized server to another, less-utilized server. You also might want to evaluate whether additional processing power is needed to ensure adequate performance. Faster or additional processors might resolve a performance issue related to high CPU utilization.

Tracking per-process memory utilization

The Memory tab in Resource Monitor shows how processes are using memory, focused primarily on physical memory. As shown in Figure 11-4, the percent utilization of physical memory, the current commit charge, and the hard memory faults are graphed over time. On the Processes panel, individual processes are listed by the following categories:

• Image. The name of the process or executable running the process.

• PID. The numeric identifier for the process.

• Hard Faults/Sec. The average number of hard memory faults per second in the past minute.

• Commit. The commit charge for the process, measured in kilobytes (KB). The commit charge represents the amount of virtual memory the operating system reserves for the process.

• Working Set. The amount of physical memory the process is currently using.

• Shareable. The nonprivate working set for the process, representing the amount of physical memory the process is using that can be shared with other processes.

• Private. The private working set for the process, representing the amount of physical memory the process is using that cannot be shared with other processes.

Figure 11-4. The Memory tab in Resource Monitor provides detailed per-process information about CPU utilization.

On the Physical Memory panel, you see a graph showing the composition of in-use and available memory and related usage statistics. Although the details provided are similar to those provided in the Task Manager Performance tab, they are more precise, and you see specific values listed for the following:

• Available Memory. The unallocated physical memory (which includes the system’s standby memory and free memory).

• Cached Memory. Part of the available physical memory. This memory is used for system caching (and includes the system’s modified memory and standby memory).

• Free Memory. Unallocated memory and part of the available memory. This memory doesn’t contain any valuable data and will be used first whenever more memory is needed.

• Hardware Reserved Memory. Memory reserved for BIOS and some drivers for other peripherals.

• In-Use Memory. Currently allocated physical memory. The size of the paging file is the difference between the current commit charge and the in-use memory.

• Installed Memory. The total amount of physical memory installed on the system, including the hardware reserved memory.

• Modified Memory. Part of the cached memory. This memory needs to be written to disk before becoming available.

• Standby Memory. Part of the cached memory. This memory contains cached data and code not actively being used.

• Total Memory. The total amount of physical memory installed on the system, not including hardware reserved memory.

Use this information to help you identify how processes are using memory and whether performance issues are related to memory. No additional details can be added regarding memory usage.

TROUBLESHOOTING: Resolve the memory performance issue

For troubleshooting performance issues related to memory, you might want to evaluate whether it makes sense to move applications and services from a highly utilized server to another, less-utilized server. You also might want to evaluate whether additional physical or virtual memory is needed to ensure adequate performance. Additional memory might resolve a performance issue related to high memory utilization.

Tracking per-process disk utilization

The Disk tab in Resource Monitor shows the number of kilobytes per second being read from or written to disk and the highest percentage usage. As shown in Figure 11-5, processes with disk activity are listed by name, process ID, number of bytes being read per second, number of bytes being written per second, and total read/write bytes per second.

Figure 11-5. The Disk tab in Resource Monitor provides detailed per-process information about CPU utilization.

Select one or more processes on the Processes With Disk Activity panel to get more detailed information about how those processes are using disk resources. As you select processes for tracking, keep in mind that your selections are global. The same selections will appear in the other tabs of Resource Monitor.

When you select one or more processes for tracking, you see additional details on the Disk Activity and Storage panels. To help you quickly identify disk-related performance issues, the Disk Activity panel identifies the files a particular process is reading or writing along with the bytes read per second, bytes written per second, and total read/write bytes per second for each file. Also shown are the I/O priority and the response time.

The Storage panel provides information about the underlying logical and physical disks. The Logical Disk column shows the drive letters of logical disks with I/O activity. The Physical Disk column identifies the specific physical disk where the logical disks were created. If there are performance issues with a server’s disks and files are being read from and written to multiple logical disks residing on the same physical disk (or relatively few physical disks as compared to the number of available physical disks), you might be able to improve performance by changing the storage configuration so that I/O activity is spread more evenly across the server’s physical disks. You also can try to balance the workload by moving applications and services from an over-utilized server to another, less-utilized server.

Tracking per-process network utilization

The Network tab in Resource Monitor shows the current network bandwidth utilization in kilobytes and the percentage of total bandwidth utilization. As shown in Figure 11-6, processes that are transferring or have transferred data on the network are listed by name, process ID, number of bytes being sent per second, number of bytes received per second, and total bytes sent or received per second.

Figure 11-6. The Network tab in Resource Monitor provides detailed per-process information about network utilization.

Select one or more processes on the Processes With Network Activity panel to get more detailed information about how those processes are using network resources. As you select processes for tracking, keep in mind that your selections are global. The same selections will appear on the other tabs of Resource Monitor.

When you select one or more processes for tracking, you see additional details on these panels:

• Network Activity. Identifies the name or IP address of the computer to which a process is connected, along with the average number of bytes sent per second in the past minute, the average number of bytes received per second in the past minute, and the total number of bytes transferred per second in the past minute.

• TCP Connections. Shows the TCP connections for processes with network activity according to the local addresses, local ports, remote addresses, and remote ports being used. Also shown are the percentage of packets lost during the connection and the roundtrip latency in milliseconds.

• Listening Ports. Shows the specific listening ports processes are using with network activity, along with the firewall status.

If there are performance issues with a server’s network connections, you might be able to improve performance by installing multiple network adapters in the server and teaming the network cards. You configure network interface card (NIC) teaming by using Server Manager, either through a local logon or using a remote desktop connection. Either way, after you are logged on to the server, you can configure NIC teaming by selecting Local Server in the left pane of Server Manager and then tapping or clicking the link provided for NIC teaming. Next, tap or click Tasks under Teams and then select New Team. Enter a name for the teamed network adapters, such as Team Set 1, select the member adapters, and then tap or click OK.

If you can’t add or team network adapters, you can try to reduce the server’s network activity by moving applications and services from an over-utilized server to another, less-utilized server.

You can use Performance Monitor and Reliability Monitor to track the overall reliability of a server. Performance Monitor graphically displays statistics for the set of performance parameters you selected for display. These performance parameters are referred to as counters. When you install additional roles, role services, and features on a system, Performance Monitor might be updated with a set of counters for tracking performance of the related components. You also can update counters when you install additional services and applications.

Performance Monitor, shown in Figure 11-7, creates a graph depicting the counters you’re tracking. The update interval for this graph is configurable but is set to one second by default. Tracking information is most valuable when you record performance information in a log file so that it can be played back. When you create alerts, you can notify yourself or others anytime specific performance criteria are met.

You can start Performance Monitor by selecting the related option on the Server Manager Tools menu. Alternatively, type Performance Monitor in the Everywhere Search box and press Enter.

Figure 11-7. Performance Monitor graphically depicts performance.

Reliability Monitor, shown in Figure 11-8, tracks changes to the server and compares them to changes in system stability. In this way, you can see a graphical representation of the relationship between changes in the system configuration and changes in system stability. By recording software installation, software removal, application failure, hardware failure, and Windows failure events, in addition to key events regarding the configuration of the server, you can see a timeline of changes in both the server and its reliability and then use this information to pinpoint changes that are causing problems with stability. For example, if you see a sudden drop in stability, you can tap or click a data point and then expand the related data set, such as Application Failure or Windows Failure, to find the specific event that caused the drop in stability.

Figure 11-8. Reliability Monitor graphically depicts overall reliability.

You can access Reliability Monitor from Action Center. On the desktop, tap or click the Action Center icon on the Task bar and then tap or click Open Action Center. In Action Center, expand the Maintenance panel and then tap or click View Reliability History. Alternatively, you can open Reliability Monitor by entering perfmon /rel at a command prompt or in the Everywhere Search box.

Although reliability monitoring is enabled by default for Windows clients, it might be disabled for Windows servers. When you open Reliability Monitor on a server where reliability monitoring is disabled, you see that no reliability updates or history details are available. To enable reliability tracking, you must allow the Microsoft Reliability Analysis task, RacTask, to process system reliability data.

RacTask is a scheduled task that runs in the background to collect reliability data. You can find RacTask in the Task Scheduler Library under Microsoft, Windows, RAC. On servers, this task is best used as part of troubleshooting. If RacTask is disabled, you can enable and configure the task by completing the following steps:

If you enable the task for troubleshooting, review and modify the default triggers as appropriate for your environment. By default, the task is triggered at startup, once a day at 5:00 P.M., and whenever event 1007 is written to the application log. Event 1007 tracks Customer Experience Improvement Program events, which Microsoft tracks to help improve the overall stability of Windows and Windows Server. Don’t enable RacTask without considering the possible performance impact.

When you are working with Performance Monitor, the main pane graphs any performance items you configured for monitoring, as shown in Figure 11-7. Each performance item you want to monitor is defined by the following three components:

In a standard installation of Windows Server 2012 R2, many performance objects are available for monitoring. As you add services, applications, and components, additional performance objects can become available. For example, when you install the Domain Name System (DNS), the DNS object becomes available for monitoring on that computer.

The most common performance objects you want to monitor are summarized in Table 11-1. Like all performance objects, each performance object listed here has a set of counters that can be tracked.

The most commonly tracked performance objects are Memory, PhysicalDisk, and Processor. When you first open Performance Monitor, it is configured to graph only the % Processor Time counter. Many other performance counters are available for tracking. To track additional counters, you use the Add Counters dialog box, as shown in Figure 11-9. With the Performance Monitor node selected in the Performance console or Computer Management, you open this dialog box by pressing Ctrl+I or selecting the Add Counters button on the toolbar.

Figure 11-9. Select the objects and the counters that you want to track.

After you open the Add Counters dialog box, you can select objects and counters to track by completing these steps:

As you’ve seen, it’s easy to add counters to track. What isn’t so easy is determining which counters you should track. While you are working with the Add Counters dialog box, you can get a detailed explanation of a counter by selecting a counter and then selecting the Show Description check box. If you add too many counters or track the wrong counters, don’t worry. In the Performance Monitor view, you can delete counters later by selecting their entries in the lower portion of the details pane and then tapping or clicking Delete on the toolbar or pressing the Delete key on your keyboard. You can also delete all counters being tracked and start over with a clean graph by selecting an entry in the lower portion of the details pane, pressing Ctrl+A, and then pressing the Delete key.

Performance Monitor displays each counter that you are tracking in a different color and line thickness. You can use the legend in the lower portion of the details pane to help you determine which counter is being graphed where. If you are unsure, tap or click a line in the graph to select the corresponding counter in the legend list. To highlight a specific counter so that it is easy to pick out in the graph, select the counter in the legend list and then press Ctrl+H.

Performance Monitor can present counter statistics in several ways. By default, it graphs the statistics. A graph is useful when you are tracking a limited number of counters because you can view historical data for each counter that you are working with. By default, Performance Monitor samples the counters once every second and updates the graph over a 100-second duration. This means that at any given time, up to 100 seconds’ worth of data can be on the graph. If you change the sample interval and duration, you can get more information into the chart. For example, if you set the sample interval to once every 10 seconds and the duration to 1000 seconds, you can get up to 1000 seconds’ (or about 17 minutes’) worth of data on the graph.

You can set the sample interval by using the General tab of the Performance Monitor Properties dialog box, as shown in Figure 11-10. To open this dialog box, press and hold or right-click the Performance Monitor node and select Properties. Set the sample interval and duration by using the Sample Every and Duration text boxes.

Figure 11-10. Configure the display properties.

The options on the Display Elements panel on the General tab of the Performance Monitor Properties dialog box control the availability of the Legend, Value Bar, and Toolbar. The Legend is displayed at the bottom of the details pane, and it shows the color and line style that are used for each counter. The Value Bar is displayed between the graph and the legend. It shows values related to the counter you selected in the graph or in the legend. The Toolbar is displayed above the graph and provides the basic toolbar functions for working with Performance Monitor. You might find that it is much easier to use the shortcut keys than to tap or click the Toolbar buttons. The Toolbar buttons and their shortcut keys are as follows:

The Histogram Bar and Report views deserve a bit of additional discussion. In the Histogram Bar view, Performance Monitor represents the performance information by using a bar graph with the last sampling value for each counter displayed on an individual bar within the graph. The sizes of the bars within the graph are adjusted automatically based on the number of performance counters being tracked and can be adjusted to accommodate hundreds of counters. That is, in fact, the biggest advantage of the histogram—it enables you to track a lot of counters more easily. In Figure 11-11, approximately 100 counters are being tracked, and it is easy to pick out which counter is which.

Figure 11-11. The histogram view enables you to track counters easily, using bar graphs.

In the Report view, shown in Figure 11-12, Performance Monitor represents the performance information by using a report list format. In this view, objects and their counters are listed in alphabetical order. Current values are displayed rather than being graphed. If you are trying to determine specific performance values for many counters, this is the best view to use because the actual values are always shown.

Figure 11-12. Report view gives users performance information as specific values rather than by using graphs or charts.

Monitoring performance on the computer for which you are trying to establish a baseline can skew the results. The reason for this is that Performance Monitor uses resources when it is running, particularly when you are graphing performance information, taking frequent samples, or tracking many performance counters. To remove the resource burden (or at least most of it), you should consider monitoring performance remotely. Here, you use one computer to monitor the performance of another computer. Although this does generate some extra network traffic, you get more accurate results for the monitored computer because you’re not using its resources for monitoring.

To begin remote monitoring, select the Performance Monitor node in the Performance Monitor console or in Computer Management. To start with a new counter set and clear out any existing counters, select a counter entry in the lower portion of the details pane, press Ctrl+A, and press the Delete key. Press Ctrl+I to open the Add Counters dialog box. In the Add Counters dialog box, type the UNC name or Internet Protocol (IP) address of the computer you want to monitor remotely in the Select Counters From Computer text box. A UNC computer name or IP address begins with two back slashes (\). So, for instance, you could type \CorpServer03 or \192.168.1.56.

After you type the UNC computer name or IP address, press Tab or tap or click the Performance Object list. When you do this, Performance Monitor attempts to connect to the remote computer and retrieve a list of available performance objects to monitor. You can then choose performance objects and counters to track just as you would for a local computer.

Windows applications use a lot of memory. If you install a server with the minimum amount of memory required, it won’t perform at its optimal level because a server’s memory requirements depend on many factors, including the services, components, and applications that are installed on it and the server’s configuration.

Computers use both physical and virtual memory. Physical memory is represented by the amount of random access memory (RAM) installed. Virtual memory is memory written to a paging file on disk. Reading from and writing to the paging file involve the disk subsystem, and it is much slower than accessing physical memory. Because of this, you don’t want a system to have to use the paging file too frequently.

Before you set out to monitor memory usage, you should check to ensure that the computer has the recommended amount of memory for the operating system and the applications it is running. After you’ve done this, you can determine how the system is using memory and check for problems. Look closely at the amount of memory available and the amount of virtual memory being used. If the server has very little available memory, you might need to add memory to the system. In general, you want the available memory to be no less than 5 percent of the total physical memory on the server. If the server is using a high ratio of virtual memory to total physical memory on the system, you might need to add physical memory as well.

Look at the way the system is using the paged pool and nonpaged pool memory. The paged pool is an area of system memory for objects that can be written to disk when they aren’t used. The nonpaged pool is an area of system memory for objects that can’t be written to disk. If the size of the paged pool is large relative to the total amount of physical memory on the system, you might need to add memory to the system. If the size of the nonpaged pool is large relative to the total amount of virtual memory allocated to the server, you might want to increase the virtual memory size.

Look at the way the system is using the paging file. A page fault occurs when a process requests a page in memory and the system can’t find it at the requested location. If the requested page is elsewhere in memory, the fault is called a soft page fault. If the requested page must be retrieved from the paging file on disk, the fault is called a hard page fault. Most processors can handle large numbers of soft faults. Hard faults, however, can cause significant delays. If there are a high number of hard page faults, you might need to increase the amount of memory or reduce the size of the system cache.

Counters you can use to check for memory bottlenecks include the following:

After you’ve eliminated memory as a potential bottleneck, you should examine the system’s processor usage to determine whether there are any potential bottlenecks. Processor bottlenecks can occur if a process’s threads need more processing time than is available. This, in turn, causes the processor queue to grow because threads have to wait to get processing time. As a result, the system response suffers, and the system appears sluggish or nonresponsive.

Excess interrupts are another common reason for processor bottlenecks. Each time drivers or disk subsystem components, such as hard disk drives or network components, generate an interrupt, the processor has to stop what it is doing to handle the request because requests from hardware take priority. However, poorly designed drivers and components can generate false interrupts, which tie up the processor for no reason. System boards or components that are failing can generate false interrupts as well.

If a system’s processors are the performance bottleneck, adding memory, drives, or network connections won’t overcome the problem. Instead, you might need to upgrade the processors to faster clock speeds or add processors to increase the server’s upper capacity. You could also move processor-intensive applications, such as Microsoft Exchange Server, to another server.

Counters you can use to check for processor bottlenecks include the following:

With the high-speed disks available today, a system’s hard disks are rarely the primary reason for a bottleneck. It is more likely that a system is having to do a lot of disk reads and writes because there isn’t enough physical memory available, and the system has to page to disk. Because reading from and writing to disk is much slower than reading and writing memory, excessive paging can degrade the server’s overall performance. To reduce the amount of disk activity, you want the system to manage memory as efficiently as possible and page to disk only when necessary.

That said, you can do several things with a system’s hard disks to improve performance. If the system has faster drives than the ones used for the paging file, you might consider moving the paging file to those disks. If the system has one or more drives that are doing most of the work and other drives that are mostly idle, you might be able to improve performance by balancing the load across the drives more efficiently.

To help you gauge disk I/O activity better, use the following counters:

The network that connects your computers is critically important. Its responsiveness, or lack thereof, weighs heavily on the way users perceive the responsiveness of their computers and any computers to which they connect. It doesn’t matter how fast their computers are or how fast your servers are. If there’s a big delay (and big network delays are measured in tens of milliseconds) between when a request is made and the time it’s received, users might think systems are slow or nonresponsive.

Unfortunately, in most cases, the delay (latency) users experience is beyond your control. It’s a function of the type of connection the user has and the route the request takes to your server. The total capacity of your server to handle requests and the amount of bandwidth available to your servers are factors you can control, however. Network capacity is a function of the network cards and interfaces configured on the servers. Network bandwidth availability is a function of your organization’s network infrastructure and how much traffic is on it when a request is made.

Because modern servers often ship with multiple network cards, be sure to check all enabled network adapters. If a server has multiple adapters, you might want to enable and configure NIC teaming to ensure that the available bandwidth is used optimally. When NIC teaming is being used, you also want to ensure that the configuration is optimized for the way the server is currently being used. In Server Manager, you can configure NIC teaming as a Local Server option, which means you must log on locally to the server you want to configure or access the server through a Remote Desktop Connection.

When hosting virtual machines (VMs) on a hypervisor, such as Hyper-V, NIC teaming is not required. A common hypervisor configuration has trunked network connections that carry multiple virtual LANs (VLANs), or logical networks. Using NIC teaming on a VM running Windows Server 2012 that has a physical uplink through a hypervisor trunked network connection does not provide any load balancing or redundancy capabilities. Physical trunked network connections to a hypervisor are often teamed and connected to a redundant pair of physical switches, providing load balancing and redundancy to all VMs hosted on the hypervisor.

Counters you can use to check network activity and look for bottlenecks include the following:

You might be able to improve network performance by installing multiple network adapters and teaming the network cards. You configure NIC teaming by using Server Manager, selecting Local Server in the left pane, and then tapping or clicking the link provided for NIC teaming. You can then create and configure NIC teams.

In Performance Monitor, you can view the currently configured data collector sets by expanding the Data Collector Sets node and then expanding the User Defined and System nodes. When you select a data collector set in the left pane, you see a list of the related data collectors in the main pane listed by name and type.

Data collector set types include the following:

Windows Server 2012 R2 uses event traces to track a wide variety of performance statistics. You can view running event traces by selecting Event Trace Sessions. You can then stop a data collector running a trace by pressing and holding or right-clicking it and selecting Stop.

Some event traces are configured to start automatically with the operating system. These event traces are called startup event traces. You can view the enabled or disabled status of event traces configured to run automatically when you start the computer by selecting Startup Event Trace Sessions. You can start a trace by pressing and holding or right-clicking a startup data collector and selecting Start As Event Trace Session. You can delete a startup data collector by pressing and holding or right-clicking it and then selecting Delete.

You can save a data collector as a template that can be used as the basis of other data collectors by pressing and holding or right-clicking the data collector and selecting Save Template. In the Save As dialog box, select a directory, type a name for the template, and then tap or click Save. The data collector template is saved as an XML file that can be copied to other systems.

You can delete a user-defined data collector by pressing and holding or right-clicking it and then selecting Delete. If a data collector is running, you need to stop collecting data first and then delete the collector. Deleting a collector deletes the related reports as well.

When you’re troubleshooting problems, you’ll often want to log performance data over an extended period of time and then review the data to analyze the results. For each data collector that has been or is currently active, you’ll find related data collector reports. As with data collector sets themselves, data collector reports are usually organized into two general categories: user-defined and system-defined.

To view data collector reports in Performance Monitor, expand the Reports node and then expand the individual report node for the data collector you want to analyze. Under the data collector’s report node, you find individual reports for each logging session, as shown in Figure 11-19. A logging session begins when logging starts and ends when logging is stopped.

Figure 11-19. Access a report to view the collected data.

The most recent log is the one with the highest log number. To view a log and analyze its related data graphically, double-tap or double-click it. Keep in mind that if a data collector is actively logging, you won’t be able to view the most recent log. You can stop collecting data by pressing and holding or right-clicking a data collector set and selecting Stop. Collected data is shown by default in a graph view from the start of data collection to the end of data collection. Only counters that you selected for logging will be available. If a report doesn’t have a counter that you want to work with, you need to modify the data collector properties, restart the logging process, and then check the logs again.

You can modify the report details by using the following techniques:

You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:

Windows Server 2012 R2 includes a command-line utility called Typeperf for writing performance data to the command line. You can use it to monitor the performance of both local and remote computers. The available parameters for Typeperf are summarized in Table 11-2.

It looks complicated, I know, but Typeperf is fairly easy to use after you get started. In fact, all you really need to provide to get basic monitoring information is the path to the performance counter you want to track. The performance counter path has the following syntax:

\ComputerNameObjectNameObjectCounter

Here, the path starts with the UNC computer name or IP address of the local or remote computer you are working with and includes the object name and the object counter to use. If you want to track SystemProcessor Queue Length on CORPSVR02, you type

typeperf "\corpsvr02SystemProcessor Queue Length"

You can also easily track all counters for an object by using an asterisk (*) as the counter name, such as in the following:

typeperf "\corpsvr02Memory*"

Here, you track all counters for the Memory object.

A slight problem is introduced for objects that have multiple instances. For these objects, such as the Processor object, you must specify the object instance you want to work with. The syntax for this is as follows:

\ComputerNameObjectName(ObjectInstance)ObjectCounter

Here, you follow the object name with the object instance in parentheses. To work with all instances of an object that has multiple instances, you use _Total as the instance name. To work with a specific instance of an object, use its instance identifier. For example, if you want to examine the Processor\%Processor Time counter, you must use either the following to work with all processor instances:

typeperf "\corpsvr02Processor(_Total)\%Processor Time"

or the code shown next to work with a specific processor instance:

typeperf "\corpsvr02Processor(0)\%Processor Time"

In this case, that is the first processor on the system.

By default, Typeperf writes its output to the command line in a comma-delimited list. You can redirect the output to a file by using the –o parameter and set the output format by using the –f parameter. The output format indicators are CSV for a comma-delimited text file, TSV for a tab-delimited text file, BIN for a binary file, and SQL for a SQL binary file. Consider the following example:

typeperf "\corpsvr02Memory*" -o perf.bin -f bin

Here, you track all counters for the Memory object and write the output to a binary file called Perf.bin in the current directory.

If you need help determining the available counters, type typeperf –q followed by the object name for which you want to view counters, such as in the following:

typeperf -q Memory

If an object has multiple instances, you can list the installed counters with instances by using the –qx parameter, such as in the following:

typeperf -qx PhysicalDisk

You can use this counter information as input to Typeperf as well. Add the –o parameter and write the output to a text file, such as in the following:

typeperf -qx PhysicalDisk -o perf.txt

Then, edit the text file so that only the counters you want to track are included. You can then use the file to determine which performance counters are tracked by specifying the –cf parameter followed by the file path to this counter file. Consider the following example:

typeperf -cf perf.txt -o c:perflogsperf.bin -f bin

Here, Typeperf reads the list of counters to track from Perf.txt and then writes the performance data in binary format to a file in the C:PerfLogs directory.

The one problem with Typeperf is that it will sample data once every second until you tell it to stop by pressing Ctrl+C. This is fine when you are working at the command line and monitoring the output. It doesn’t work so well, however, if you have other things to do—and most administrators do. To control the sampling interval and set how long to sample, you can use the –si and –sc parameters, respectively. For example, if you want Typeperf to sample every 60 seconds and stop logging after 120 samples, you could type this:

typeperf -cf perf.txt -o C:perflogsperf.bin -f bin -si 60 -sc 120

get-counter "\corpsvr35Memory*"

get-counter "\corpsvr35Processor(_Total)\%Processor Time"

get-counter "\corpsvr35Processor(0)\%Processor Time"

get-counter -listset Memory

You can examine trace log data by using the Tracerpt command-line utility. Tracerpt processes trace logs, and you can use it to generate trace analysis reports and dump files for the events generated. Commonly used parameters for Tracerpt are summarized in Table 11-3.

The most basic way to use Tracerpt is to specify the name of the trace log to use. By default, 1trace logs are written to C:PerfLogs. So, if a log in this directory was named SysP_000002.etl, you could analyze it by typing the following:

tracerpt C:PerflogsSysP_000002.etl

Here, four files are created in the current directory. The parsed output is written to Dumpfile.xml, a summary report is written to Summary.txt, a detailed report is written to Workload.xml, and an event schema report file is written to schema.man.

You could also specify the exact files to use for output as shown in the following example:

tracerpt C:Perflogs SysP_000002.etl -o c:sysp.csv
 -summary c:sysp-summary.txt -report sysp-report-.txt