Chapter 10. Performance monitoring and tuning

Tuning performance, memory usage, and data throughput

Tracking a system’s general health

Tracking events and troubleshooting by using Event Viewer

Performance monitoring and tuning is the process of tracking system performance to establish baselines and identify and resolve problems. When you install a server, you should create a performance baseline to see how the server is performing given its current resources and typical usage. If a server isn’t performing as expected, is unresponsive, or is generating errors, you want to investigate. Many tools are designed to help you monitor server performance and troubleshoot performance issues. This chapter discusses the key tools for fine-tuning the system configuration, tracking system health, and troubleshooting the event logs. In the next chapter, you learn more about comprehensive monitoring techniques you can use for establishing performance baselines and pinpointing performance bottlenecks.

Tuning performance, memory usage, and data throughput

Out of the box, Microsoft Windows Server 2012 R2 is optimized for general network environments. The operating system might not, however, be optimized for the way a particular system is being used in your organization. You can often improve Windows operating system and application performance considerably simply by fine-tuning the way a system uses resources.

Tuning Windows operating system performance

You don’t want the Windows operating system to tie up too much processing power displaying visual effects when administrators or other users are logged on to a server. So, if you’re wondering why all the fancy visuals are turned off in the standard configuration of Windows Server 2012 R2, this is why—the processing power is better used supporting the server’s roles and applications than displaying fancy visuals to users who log on.

In most cases, you want to keep the visual effects to the bare minimum, which is what the default configuration after installation does. This ensures that users who log on either locally or remotely won’t severely affect the performance of the system just by logging on and displaying menus and dialog boxes. You can check or change the visual effects options by using the Performance Options dialog box. In Control Panel, tap or click System And Security, System, and then Advanced System Settings. On the Advanced tab in the System Properties dialog box, tap or click the Settings button in the Performance panel to display the Visual Effects tab in the Performance Options dialog box, as shown in Figure 10-1.

A screen shot of the Visual Effects tab in the Performance Options dialog box. At the top, you can select what’s best for your computer, best for appearance or performance, or a custom option. Below that is a list of effects with a check box next to each.

Figure 10-1. Change visual effects options in the Performance Options dialog box.

Tuning processor scheduling

The way the Windows operating system performs for applications and installed services is determined by the processor-scheduling configuration. Processor-scheduling options control how much of processor resources are allocated to applications running on a server, which in turn determines the responsiveness of applications. You can optimize processor scheduling for the following application types:

  • Programs. When processor scheduling is optimized for programs, the active (foreground) application running on the system gets the best response time and the greatest share of available resources. Generally, you want to use this option only on development servers or when you are using Windows Server 2012 R2 as your desktop operating system.

  • Background services. When processor scheduling is optimized for background services, all applications receive equal amounts of processor resources, and the active application doesn’t get the best response time. Generally, you want to use this option for production servers.

You can check or change processor-scheduling configuration by using the Advanced tab of the Performance Options dialog box. In Control Panel, tap or click System And Security, System, and then Advanced System Settings. On the Advanced tab in the System Properties dialog box, tap or click the Settings button in the Performance panel to open the Performance Options dialog box. Finally, select the Advanced tab, as shown in Figure 10-2, in the Performance Options dialog box.

A screen shot of the Advanced tab of the Performance Options dialog box, showing processor-scheduling options.

Figure 10-2. Configure processor-scheduling options.
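The processor-scheduling option shown in Figure 10-2 is stored in a single registry value, which makes it easy to audit across a fleet instead of opening the dialog on each server. The following is an added example, not code from the book: it reads and sets the Win32PrioritySeparation value under HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl, which the Performance Options dialog writes as 0x26 (38) for Programs and 0x18 (24) for Background services. The function names are this example's own.

```powershell
# Added example, not from the book: the processor-scheduling option on the
# Advanced tab is stored in the Win32PrioritySeparation registry value.
# The dialog writes 0x26 (38) for "Programs" and 0x18 (24) for "Background
# services"; any other value is a custom setting. Changing it requires elevation.
$schedKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl'
$schedName = 'Win32PrioritySeparation'

function Get-ProcessorScheduling {
    $value = (Get-ItemProperty -Path $schedKey -Name $schedName).$schedName
    $mode = switch ($value) {
        0x26    { 'Programs' }
        0x18    { 'Background services' }
        default { 'Custom (0x{0:X2})' -f $value }
    }
    [pscustomobject]@{ Value = $value; Mode = $mode }
}

function Set-ProcessorScheduling {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Programs', 'BackgroundServices')]
        [string]$Mode
    )
    $value = if ($Mode -eq 'Programs') { 0x26 } else { 0x18 }
    Set-ItemProperty -Path $schedKey -Name $schedName -Value $value -Type DWord
    Get-ProcessorScheduling
}

# Audit: a production server should report 'Background services'.
$current = Get-ProcessorScheduling
$current
if ($current.Mode -ne 'Background services') {
    Write-Warning "Processor scheduling is '$($current.Mode)'; run Set-ProcessorScheduling -Mode BackgroundServices on production servers."
}
```

A value other than 0x18 or 0x26 means someone set the registry value directly rather than through the dialog; the Custom output flags it so you can decide whether that was intentional.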

Tuning virtual memory

Windows Server 2012 R2 uses virtual memory to allow a system to page parts of memory to disk. This makes it possible for a system to create a paging file on disk and use more memory space than is physically available. All servers have an initial paging file. It is created automatically on the drive containing the operating system during installation and setup, and it is written as a file named Pagefile.sys.

In some cases, you can improve a server’s performance by optimizing the way the paging file is used. You do this by configuring the size of the paging file so that it is optimal given the server’s RAM and usage. Although Windows Server 2012 R2 can expand paging files incrementally as needed, you want to size the paging file so that it is as large as it needs to be for typical usage conditions. This helps reduce fragmentation of data within the paging file and keeps the server from having to expand the paging file continually.

You can also fix the paging file size so that the server needn’t spend any resources expanding the paging file. This helps ensure that paging files don’t become fragmented, which can result in poor system performance. If you want to manage virtual memory manually, you use a fixed virtual memory size in most cases. To do this, set the initial size and the maximum size to the same value. This ensures that the paging file is consistent and can be written to a single contiguous file (if possible, given the amount of space on the volume).

If a server has multiple physical hard-disk drives and a very large memory configuration, you might consider putting a paging file on each of several physical disks. Multiple paging files can improve the performance of virtual memory on symmetric multiprocessing (SMP) machines with eight or more processors and a large amount of RAM, because paging I/O is spread across independent disks; splitting the file across partitions of the same disk gains nothing, because they share the same spindle and controller queue. When you use multiple paging files, you create several smaller paging files rather than one big one. For example, if the paging file should be set to 8,192 megabytes (MBs) and the system has two disk drives, you could configure both drives to use a paging file 4,096 MBs in size.

Important

If you’re trying to decide whether to use a solid-state drive (SSD) rather than a physical hard disk for a paging file, I recommend reading the Inside Out sidebar, “Understanding solid-state drives,” in Chapter 7. A solid-state drive isn’t necessarily a better (or worse) choice than a physical hard disk for hosting a paging file. Base your choice on the server workload and the solid-state drive’s capabilities (specifically, the stated duty cycle and lifespan limitations).

If you decide to use a solid-state drive, choose one designed for enterprise workloads. Enterprise solid-state drives are rated for far more write cycles and rely on wear leveling and over-provisioning to extend their lifetime and sustain performance under the constant writes a paging file generates. Whether you choose a solid-state drive with multilevel cells (MLCs) storing two bits per cell or single-level cells (SLCs) storing one bit per cell will be based on your budget and performance targets. Typically, MLC SSDs are cheaper than SLC SSDs but don’t last as long.

In most cases for computers with 8 gigabytes (GBs) or less of RAM, I recommend setting the total paging file size so that it’s twice the physical RAM size on the system. For instance, on a computer with 2,048 MBs of RAM, you would ensure that the Total Paging File Size For All Drives setting is at least 4,096 MBs. On systems with more than 8 GBs of RAM, you should follow the hardware manufacturer’s guidelines for configuring the paging file. Typically, this means setting the paging file to be the same size as physical memory.

When you’re trying to fine-tune the paging file size, look closely at the actual workload of the server in typical and peak conditions. Applications and their processes can reserve large blocks of virtual memory and then commit it as needed. Applications do this to guarantee themselves a contiguous range of virtual addresses that they can commit later. Because reserved but uncommitted memory is only address space, it doesn’t count toward the commit charge, the combined amount of physical and virtual memory actually committed at any one time. The commit charge is what the system compares against the commit limit, the total it can back with physical RAM plus the paging file.

If you want to optimize the paging file size, focus on the actual amount of committed physical and virtual memory for all active processes (the current commit charge) and compare it to the commit limit. The current commit charge cannot exceed the commit limit. Ideally, you size the paging file to accommodate the maximum total commit charge for the applications, services, and processes you want to run simultaneously, allow some overhead for unexpected usage peaks beyond this, and then test the result under typical-load and peak-load conditions.

Keep in mind that when a server has a system-managed paging file, the commit limit grows as the commit charge approaches it, because Windows expands the paging file, until the file reaches its maximum size or the volume runs out of free space. As the operating system approaches the maximum commit limit that is possible or explicitly configured, performance degrades, and you might see application failures or even a system failure.

Following this, you want to set the minimum size of the paging file to the greater of (1) the maximum total commit charge you determined minus the amount of physical RAM on the server or (2) the size needed to accommodate the type of crash dump the server is configured for. Then, set the maximum size of the paging file to accommodate unexpected usage peaks beyond this. Here are some examples:

  • If you determine the maximum total commit charge for the expected typical workload to be 5,796 MBs, you could set this as the minimum paging file size and then set the maximum to 8,694 MBs, which is 1.5 times the minimum, or you could just set a fixed paging file size of 8,694 MBs by using this value for the minimum and maximum sizes. (For simplicity, these examples use the full commit charge as the minimum rather than subtracting physical RAM, which yields a larger, more conservative paging file.)

  • If you determine the maximum total commit charge for the peak observed workload to be 9,184 MBs, you could set this as the minimum paging file size and then set the maximum to 11,480 MBs, which is 1.25 times the minimum, or you could just set a fixed paging file size of 11,480 MBs by using this value for the minimum and maximum sizes. You also might want to look at creating multiple paging files. If so, evaluate the performance of a single paging file compared to multiple, smaller paging files in a test environment before using this approach on production servers.

You can track the total commit charge and commit limit in Task Manager. Open Task Manager by pressing and holding or right-clicking the taskbar and then tapping or clicking Task Manager on the shortcut menu. Alternatively, press Ctrl+Shift+Esc.

When you are working with the expanded view in Task Manager, you’ll find details about system resources on the Performance tab. Tap or click Memory in the left pane to see detailed information about memory usage in the main pane, as shown in Figure 10-3. The first value listed under the Committed heading is the current commit charge. The second value is the current commit limit. The total physical memory (RAM) on the server is shown in the upper-right corner of the main pane.

A screen shot of the expanded view in Task Manager with the Performance tab selected and showing current memory usage.

Figure 10-3. View memory usage on the server.

Other important tuning, memory, and data considerations

You can manage the paging file configuration by using the Virtual Memory dialog box, shown in Figure 10-4. To open this dialog box, tap or click the Advanced tab in the System Properties dialog box and then tap or click the Settings button in the Performance panel to display the Performance Options dialog box. Finally, select the Advanced tab in the Performance Options dialog box and then tap or click Change in the Virtual Memory panel. Alternatively, type SystemPropertiesPerformance in the Everywhere Search box and then press Enter.

A screen shot of the Virtual Memory dialog box, showing configuration options for paging files.

Figure 10-4. Manage the paging file configuration.

Windows Server 2012 R2 automatically manages virtual memory much better than its predecessors do. Typically, Windows Server 2012 R2 allocates virtual memory at least as large as the total physical memory installed on the computer. You control whether Windows automatically manages virtual memory by using the Automatically Manage Paging File Size For All Drives check box. When this check box is selected, Windows automatically manages virtual memory. When this check box is cleared, you can manually manage memory.

The upper section of the Virtual Memory dialog box shows the current paging file location and size. Each volume is listed with information about its associated paging file (if any). When the operating system manages a volume’s paging file, the paging file is listed as System Managed. When a volume has a paging file, the initial and maximum size values set for it are shown. If the paging file has a size that can be incremented, the initial and maximum sizes will be different, such as 768–9,216 MB. If the paging file has a fixed size (recommended), the initial and maximum sizes will be the same, such as 8,704–8,704 MB.

By selecting a disk drive in the top portion of the Virtual Memory dialog box, you can configure whether and how the paging file is used. Usually, you want to select Custom Size and then set the Initial Size and Maximum Size options. Tap or click Set to apply the changes before you configure another disk drive. When you are finished configuring paging file usage, tap or click OK. You are then prompted to restart the server for the changes to take effect. Tap or click OK. When you close the System utility, you are prompted to restart the system for the changes to take effect. Tap or click Yes to restart the computer now or tap or click No if you plan to restart the server later.

Caution

As you set the paging file for individual drives, pay particular attention to the Total Paging File Size For All Drives information. Generally, you don’t want to configure a server so that the Currently Allocated value is 0 MB. This means no paging file is configured, which will make it harder for you to troubleshoot STOP messages because no dump file will be generated. Keep in mind that lack of a paging file won’t necessarily affect performance. Enterprise server hardware tends to have a lot of RAM. If the server was sized correctly for its workload and has a lot of RAM, it might rarely page to disk.
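The sizing rule and the Virtual Memory dialog procedure above can be scripted so the measurement and the change are repeatable and reviewable. The following is an added example, not code from the book. It gathers the figures the text says to compare (RAM, commit charge, commit limit, per-file peak usage, and the configured crash dump type), derives a fixed size with the rule given earlier, and applies it through the Win32_ComputerSystem and Win32_PageFileSetting WMI classes, which is what the dialog manipulates. The function names and the 1.5x headroom factor are this example's own choices; the assumption that a complete dump needs RAM plus 1 MB and a small dump needs 2 MB is stated in the code, and no size is estimated for kernel or automatic dumps.

```powershell
# Added example, not from the book. Measures RAM, commit charge/limit and paging
# file usage, derives a fixed paging file size from the rule in the text, and
# optionally applies it through the same WMI classes the Virtual Memory dialog
# uses. Run in an elevated session; changes take effect after a restart.

function Get-PagingFileReport {
    param(
        # Peak commit charge (MB) observed during monitoring. If omitted, the
        # current commit charge is used, which understates real peaks.
        [int]$PeakCommitMB
    )
    $os    = Get-CimInstance Win32_OperatingSystem
    $ramMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)        # reported in KB

    $samples  = (Get-Counter '\Memory\Committed Bytes', '\Memory\Commit Limit').CounterSamples
    $commitMB = [math]::Round(($samples | Where-Object Path -like '*Committed Bytes').CookedValue / 1MB)
    $limitMB  = [math]::Round(($samples | Where-Object Path -like '*Commit Limit').CookedValue / 1MB)
    if (-not $PeakCommitMB) { $PeakCommitMB = $commitMB }

    # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small, 7 automatic.
    # Assumption: a complete dump needs RAM + 1 MB on the boot volume and a small
    # dump needs 2 MB; kernel/automatic dump sizes depend on kernel memory in use,
    # so nothing is estimated for them and the commit-based figure stands alone.
    $dumpType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').CrashDumpEnabled
    $dumpMB   = switch ($dumpType) { 1 { $ramMB + 1 } 3 { 2 } default { 0 } }

    # Rule from the text: minimum = max(peak commit - RAM, dump requirement);
    # maximum = headroom for unexpected peaks (1.5x here, as in the first example).
    $minimumMB = [math]::Max([math]::Max($PeakCommitMB - $ramMB, 0), $dumpMB)
    $maximumMB = [math]::Ceiling($minimumMB * 1.5)

    [pscustomobject]@{
        RamMB              = $ramMB
        CommitChargeMB     = $commitMB
        CommitLimitMB      = $limitMB
        PeakCommitUsedMB   = $PeakCommitMB
        PagingFiles        = (Get-CimInstance Win32_PageFileUsage | ForEach-Object {
                                 "$($_.Name): $($_.AllocatedBaseSize) MB allocated, peak use $($_.PeakUsage) MB" }) -join '; '
        CrashDumpType      = $dumpType
        RecommendedMinMB   = $minimumMB
        RecommendedMaxMB   = $maximumMB
        RecommendedFixedMB = $maximumMB   # use for both Initial Size and Maximum Size
    }
}

function Set-FixedPagingFile {
    param(
        [Parameter(Mandatory)][int]$TotalSizeMB,
        # One entry per physical disk to split the file across drives, e.g. 'C:','D:'
        [string[]]$Drive = @($env:SystemDrive)
    )
    if ($TotalSizeMB -le 0) {
        throw 'Refusing to configure a 0 MB paging file: no crash dump could be written. Leave it system managed instead.'
    }
    $perDriveMB = [math]::Ceiling($TotalSizeMB / $Drive.Count)

    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) {   # clears "Automatically manage paging file size for all drives"
        Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
    }
    foreach ($d in $Drive) {
        $path     = Join-Path $d 'pagefile.sys'
        $existing = Get-CimInstance Win32_PageFileSetting | Where-Object Name -eq $path
        if ($existing) {
            Set-CimInstance -InputObject $existing -Property @{ InitialSize = $perDriveMB; MaximumSize = $perDriveMB }
        } else {
            New-CimInstance -ClassName Win32_PageFileSetting `
                -Property @{ Name = $path; InitialSize = $perDriveMB; MaximumSize = $perDriveMB } | Out-Null
        }
    }
    Get-CimInstance Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
}

$report = Get-PagingFileReport -PeakCommitMB 9184   # peak from the second example in the text
$report
# To apply the fixed size split across two disks (restart afterwards):
# Set-FixedPagingFile -TotalSizeMB $report.RecommendedFixedMB -Drive 'C:', 'D:'
```

Run the report during a monitoring window and feed the highest commit charge you saw into -PeakCommitMB; the PeakUsage figure from Win32_PageFileUsage is a useful sanity check, because it shows how much of the existing file was actually touched since the last restart. Set-FixedPagingFile refuses a zero size for the reason given in the Caution above.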

Tracking a system’s general health

The fastest, easiest way to track a system’s general health is to use Task Manager or Resource Monitor. Unlike some of the other performance tools that require some preparation before you can use them, you can start and use these tools without any preparation. This makes them very useful when you want to see what’s going on with a system right away.

Monitoring essentials

By using Task Manager, you can track running applications and processes and determine resource usage. This can help you understand how a server is performing and whether there are any problems, such as applications that aren’t running or processes that are hogging system resources. You can open Task Manager by pressing Ctrl+Shift+Esc or by typing taskmgr in the Everywhere Search box and then pressing Enter.

The first time you open Task Manager, you see the summary view, which shows a quick summary of applications running in the foreground. To get more information about running tasks, tap or click More Details. You then see the expanded view, which has multiple tabs that you can use to get information about all running processes, system performance, connected users, and configured services. When you next open Task Manager, you see the view you used last because the last-used view is displayed initially.

To work with the expanded view in Task Manager, the key issue you must understand is the distinction between an application and a process. Basically, the executable name of an application, such as Taskmgr.exe, is known to the operating system as its image name, and whenever you start an application, the operating system starts one or more processes to support it. As Figure 10-5 shows, Task Manager has five tabs:

  • Processes. Shows the apps, background processes, and Windows processes running on the system and indicates whether each is running, suspended, or not responding. It also enables you to interact with applications and halt their execution.

  • Performance. Displays current processor, memory, and network usage. It includes graphs and detailed statistics. Enabled network connections are listed by their display name.

  • Users. Details the users currently logged on to the system. It includes local users and users connected through Remote Desktop sessions. You can use this tab to disconnect, log off, and send console messages to these users. You also can use it to see the processes users are running.

  • Details. Lists the image name of the processes running on the system, including those run by the operating system and users. It includes usage statistics for system resources allocated to each process, and you can use it to interact with and stop processes.

  • Services. Shows the system services configured on the server. It includes their status, such as running or stopped.

A screen shot of the Windows Task Manager Processes tab, showing running applications.

Figure 10-5. Use Task Manager to track resource usage.

Caution

Task Manager uses system resources while it’s running. Because of this, you should run it only while you are tracking performance.

No single command-line tool performs all the same functions as Task Manager. The closest tools in functionality are the Windows PowerShell cmdlets, get-process and get-service. You obtain detailed information about running processes by using get-process and detailed information about configured services by using get-service. (The older Tasklist command covers some of the same ground; tasklist /svc, for example, maps services to the processes hosting them.)

As Figure 10-6 shows, the standard output of get-process is much more detailed than the default Task Manager view, especially when it comes to current per-process resource usage and activity. To run get-process, access a Windows PowerShell prompt and then type get-process.

A screen shot of a Windows PowerShell console by using the get-process command.

Figure 10-6. Use get-process to track running applications and processes and determine resource usage.

As Figure 10-7 shows, the standard output for get-service shows the status of each configured service along with its internal name and display name. To run get-service, access a Windows PowerShell prompt and then type get-service.

A screen shot of a Windows PowerShell console, using the get-service command.

Figure 10-7. Use get-service to track the status of configured services.

The sections that follow discuss how to use these tools to gather information about systems and resolve problems. The focus of the discussion is on Task Manager, get-process, and get-service, which should be your primary tools for tracking a system’s general health.
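Two things the cmdlets don't show the way Task Manager does are a live CPU percentage (get-process reports cumulative processor seconds) and the link between a service and the process hosting it. The following is an added example, not code from the book, that fills both gaps with Get-Process, Get-Process -IncludeUserName (PowerShell 4.0 on Windows Server 2012 R2, elevation required) and the Win32_Service class; the function names are this example's own.

```powershell
# Added example, not from the book. Get-Process exposes CPU as cumulative
# processor seconds, so this samples twice and converts the delta to a
# percentage of all logical processors, the same scale Task Manager uses.
# Win32_Service carries the hosting PID, which maps a busy svchost.exe back
# to the services inside it. -IncludeUserName requires an elevated session.

function Get-TopCpuProcess {
    param([int]$Seconds = 5, [int]$Top = 10)
    $cores  = [Environment]::ProcessorCount
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # Idle/System deny access
    }
    Start-Sleep -Seconds $Seconds
    $rows = foreach ($p in Get-Process -IncludeUserName) {
        if (-not $before.ContainsKey($p.Id)) { continue }        # started during the interval
        try { $after = $p.TotalProcessorTime } catch { continue }
        $deltaSec = ($after - $before[$p.Id]).TotalSeconds
        [pscustomobject]@{
            Name     = $p.ProcessName
            Id       = $p.Id
            User     = $p.UserName
            'CPU%'   = [math]::Round(100 * $deltaSec / ($Seconds * $cores), 1)
            'WS(MB)' = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Handles  = $p.HandleCount
            Path     = $p.Path
        }
    }
    $rows | Sort-Object 'CPU%' -Descending | Select-Object -First $Top
}

function Get-ServiceByProcessId {
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Triage: who is consuming CPU right now, and which services live in the busiest svchost?
$top = Get-TopCpuProcess -Seconds 5
$top | Format-Table -AutoSize
$top | Where-Object Name -eq 'svchost' | Select-Object -First 1 | ForEach-Object {
    Get-ServiceByProcessId -ProcessId $_.Id | Format-Table -AutoSize
}
```

The percentage is averaged over the sampling window, so lengthen -Seconds to smooth out spikes or shorten it to catch a burst. Process IDs can be reused, so a process that exits and a new one that starts with the same ID inside the window would be misattributed; for a five-second sample this is rare but worth knowing.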

Getting processor and memory usage for troubleshooting

The Performance tab in Task Manager, shown in Figure 10-8, should be the first tab you check if you suspect there is a performance issue with a system. It enables you to determine current processor, memory, and network usage quickly, and it graphs some historical usage statistics based on data collected since you started Task Manager.

A screen shot of the Performance tab in Windows Task Manager, showing a summary of processor usage.

Figure 10-8. The Performance tab provides a summary of current processor, memory, and network usage and some historical usage statistics based on data collected since you started Task Manager.

Note

Another handy view is the graph summary view, which shows only the currently selected graph. When you are working with the expanded view of the Performance tab, you can switch to the graph summary view just by double-tapping or double-clicking the graph in the main pane. While you are working with the graph summary view, you also can switch between graph categories. For example, if you are viewing the CPU graph, you can switch to the memory graph. To do this, press and hold or right-click in the graph summary view, select View, and then choose the type of graph. Switch back to the expanded view at any time by pressing and holding or right-clicking the summary view and then selecting Graph Summary View. This clears the Graph Summary View selection.

Some of the performance data is self-explanatory. When you select CPU in the left pane, the main window shows the CPU usage. The Overall Utilization graph, which is the default, shows the percentage of processor resources in use across the whole system. If a system has multiple logical processors, you can instead view the workload on each logical processor in its own graph, and on systems with more than one NUMA node you can view one graph per node. To change the graph view, press and hold or right-click in the main pane, select Change Graph To, and then choose a viewing style.

In Figure 10-8, note the additional information about CPU usage. This information, which is shown below the graph, includes the following:

  • Utilization. Shows the percentage of CPU utilization.

  • Speed. Shows the (average) current speed of processor.

  • Maximum Speed. Shows the maximum speed the processor is capable of.

    Note

    If a server’s processor or processors are throttled—to save power or for some other reason—the (average) current speed and the maximum speed will be different.

  • Sockets. Shows the number of discrete sockets containing processors.

  • Cores. Shows the total number of processor cores.

  • Logical Processors. Shows the total number of active logical processors. With simultaneous multithreading (Hyper-Threading) enabled, this is typically twice the number of cores. If the value is less than the total number of processor cores, some cores have been disabled in firmware or by the operating system.

  • Virtualization. Shows whether virtualization is enabled or disabled.

  • L1 Cache. Shows the size of the L1 cache if the computer’s processor or processors have L1 cache.

  • L2 Cache. Shows the size of the L2 cache if the computer’s processor or processors have L2 cache.

Also shown are summary statistics for handles, threads, processes, and uptime. The Processes area shows the number of processes in use. Threads shows the number of threads in use. Threads allow concurrent execution of process requests. Handles shows the number of open kernel object handles (files, registry keys, synchronization objects, and so on) across all processes. Because each handle consumes kernel memory, a count that climbs steadily without coming back down usually points to a process that is leaking handles. Up Time shows the total amount of time the system has been up since it was last started.

In Figure 10-8, you see an example of a system with moderate CPU usage but with very little ongoing paging file or networking activity. A system with CPU usage consistently at these levels might warrant some additional monitoring to determine whether you should add resources to the system. You want to determine whether these are typical usage conditions and whether actual peak usage was significantly higher.

If these are average usage conditions and peak usage was significantly higher, increasing the processor speed or adding processors could improve performance and allow for better handling of peak usage situations. If these statistics represent peak usage conditions and typical usage conditions were much less, the system probably wouldn’t need additional resources. In addition, sometimes the CPU usage can be high if the system has too little memory. A quick check of the memory usage of the server (including its current and peak usage) shows, however, that this isn’t the case for this particular system.

Important

When CPU throttling is being used, don’t just look at the percentage of utilization; also look at the current CPU speed. In Figure 10-8, the server is running at only 58 percent CPU utilization, but the average current CPU speed is 1.56 gigahertz (GHz), about 22 percent below the server’s maximum speed of 2.00 GHz, so the processors are doing more relative work than the percentage alone suggests.

Figure 10-9 shows performance data for the same system. In this example, the system has high CPU usage. In many cases, CPU usage is at 99 percent, and the CPU speed is nearly at its maximum. If CPU usage was consistent at this level, I might suspect a runaway process and look for a process that is causing the problem. Here, however, there are times when CPU usage isn’t maxed out, and you’d definitely want to take a closer look at what’s going on, starting with memory usage.

A screen shot of the Windows Task Manager showing high CPU usage on the Performance tab.

Figure 10-9. Heavy activity on the system is causing CPU usage to soar and, in many cases, to max out.

Figure 10-10 shows the server’s memory usage, which is displayed by selecting Memory in the left pane. Note that the total physical memory (RAM) on the server is shown in the upper-right corner of the main pane. Note also the following:

  • Cached. Shows the physical memory used for system caching. This value represents the total amount of modified memory (needing to be written to disk before being available) and standby memory (containing cached data and code not actively being used).

  • In Use. Shows the physical memory currently allocated to processes and the operating system. The difference between the current commit charge and the in-use value is the committed memory that isn’t resident in RAM, which is the most the paging file could be holding at the moment; it is not the paging file’s configured size.

  • Available. Shows the unallocated (available) physical memory. Use this value to help you determine whether the server is running out of available physical memory.

  • Committed. Shows the current commit charge as the first value and the commit limit as the second value.

  • Memory Composition. Depicts in-use and available memory graphically, according to its status as in use (allocated), modified (needing to be written to disk before being available), standby (containing cached data and code not actively being used), and free (unallocated).

    Note

    Tap or rest the mouse pointer on a memory-composition item to see a precise numeric value. Keep in mind that the total allocated physical memory is the sum of the in-use and modified values, and the total unallocated physical memory is the sum of the standby and free memory.

  • Paged Pool. Shows noncritical kernel memory used by the operating system kernel. Noncritical portions of kernel memory can be paged to disk and don’t have to reside in physical memory (RAM).

  • Non-paged Pool. Shows critical kernel memory used by the operating system kernel. Critical portions of kernel memory must operate in physical memory (RAM) and cannot be paged to disk.

When you are reviewing Figure 10-10, one thing to note right away is that the system has quite a bit of available RAM—around 4.4 GBs. In checking the paging, you can see the current commit charge isn’t very large either. It is only 2.1 GBs, and the difference between the commit charge and in-use RAM is only 0.6 GBs, so at most about 0.6 GBs of committed memory is backed by the paging file rather than by RAM.

Such a large amount of available RAM and such little use of the paging file tells me that processes, disk I/O, or both activities are using up CPU resources. If this level of usage is consistent, you have a problem that needs investigating. Here, increasing the server’s RAM or virtual memory will not solve the problem. Instead, you need to start by checking for system processes that have high CPU usage time, which tells you what activities are causing the strain on the server’s processors. If the high CPU usage activities are related to installed applications, roles, or role services, you might want to consider adding CPUs to the server. Generally, you add CPUs to a server in matched pairs. In this example, the server has two CPUs, so you want to consider upgrading to four CPUs. You might also consider offloading some of the system’s load. For example, you could move one of its roles or applications to a different server.

Another scenario you might encounter is when the server has little available RAM and a large paging file. A small amount of available RAM is a concern, and if this level of usage is consistent, you might consider changing the way applications use RAM, adding RAM, or both. A large amount of virtual memory being used (relative to available physical RAM) is also an area of possible concern that might make you consider adding physical RAM. Although increasing the amount of RAM could offer some relief to the CPU, it might not be enough, so you could consider increasing the processor speed or adding processors. You might also consider offloading some of the system’s load. For example, you could move one of its roles or applications to a different server.

A screen shot of the Windows Task Manager showing the memory graphs on the Performance tab.

Figure 10-10. Use the Memory graphs to check memory usage and composition.
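The two scenarios just described (high CPU with ample RAM and little paging, versus little available RAM and heavy paging) can be checked from the same counters the Performance tab graphs, which is handy on a server you reach only over a remote shell. The following is an added example, not code from the book. It samples the CPU, frequency, memory and paging file counters with Get-Counter and applies the reasoning above; the thresholds (80 percent CPU, 10 and 25 percent of RAM available, 20 and 50 percent paging file use, 90 percent of maximum frequency) are assumptions chosen for illustration, and the function names are this example's own.

```powershell
# Added example, not from the book. Reads the counters behind the Performance
# tab's CPU and Memory views and classifies the sample using the two scenarios
# in the text. Thresholds are illustrative assumptions, not Microsoft guidance.

function Get-CounterAverage($sets, [string]$pattern) {
    # Average one counter across all sample sets; $pattern is the tail of its path.
    ($sets.CounterSamples | Where-Object Path -like "*$pattern" |
        Measure-Object -Property CookedValue -Average).Average
}

function Get-HealthSnapshot {
    param([int]$Samples = 3, [int]$IntervalSeconds = 2)
    $paths = '\Processor(_Total)\% Processor Time',
             '\Processor Information(_Total)\% of Maximum Frequency',   # throttling, as in the Important note
             '\Memory\Available MBytes',
             '\Memory\Committed Bytes',
             '\Memory\Commit Limit',
             '\Memory\Pool Paged Bytes',
             '\Memory\Pool Nonpaged Bytes',
             '\Paging File(_Total)\% Usage'
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    $ramMB      = [math]::Round((Get-CimInstance Win32_OperatingSystem).TotalVisibleMemorySize / 1KB)
    $cpuPct     = Get-CounterAverage $sets 'Processor Time'
    $freqPct    = Get-CounterAverage $sets 'Maximum Frequency'
    $availMB    = Get-CounterAverage $sets 'Available MBytes'
    $commitMB   = (Get-CounterAverage $sets 'Committed Bytes') / 1MB
    $limitMB    = (Get-CounterAverage $sets 'Commit Limit') / 1MB
    $pagedMB    = (Get-CounterAverage $sets 'Pool Paged Bytes') / 1MB
    $nonpagedMB = (Get-CounterAverage $sets 'Pool Nonpaged Bytes') / 1MB
    $pagePct    = Get-CounterAverage $sets '% Usage'

    $findings = @()
    if ($cpuPct -gt 80 -and $availMB -gt 0.25 * $ramMB -and $pagePct -lt 20) {
        $findings += 'CPU-bound: ample RAM and little paging. Find the processes with high CPU time before adding memory.'
    }
    if ($availMB -lt 0.10 * $ramMB -or $pagePct -gt 50) {
        $findings += 'Memory pressure: little available RAM or heavy paging file use. Consider adding RAM or changing how applications use it.'
    }
    if ($freqPct -lt 90) {
        $findings += "Processors throttled to $([math]::Round($freqPct))% of maximum frequency; CPU% understates the real load."
    }
    if ($commitMB -gt 0.9 * $limitMB) {
        $findings += 'Commit charge is within 10% of the commit limit; expect allocation failures unless the paging file can grow.'
    }
    if ($findings.Count -eq 0) { $findings += 'No obvious CPU or memory bottleneck in this sample.' }

    [pscustomobject]@{
        'CPU%'         = [math]::Round($cpuPct, 1)
        'Freq%OfMax'   = [math]::Round($freqPct)
        RamMB          = $ramMB
        AvailableMB    = [math]::Round($availMB)
        CommittedMB    = [math]::Round($commitMB)
        CommitLimitMB  = [math]::Round($limitMB)
        PagedPoolMB    = [math]::Round($pagedMB)
        NonPagedPoolMB = [math]::Round($nonpagedMB)
        'PagingFile%'  = [math]::Round($pagePct, 1)
        Findings       = $findings -join ' '
    }
}

Get-HealthSnapshot | Format-List
```

A single snapshot is only as good as the moment it was taken; as the text says, you want typical and peak conditions, so run it at intervals (or lengthen -Samples) and compare before concluding that a server is CPU-bound or memory-bound.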

Getting information on running applications

The Processes tab in Task Manager, shown in Figure 10-11, lists applications being run by users and the operating system along with status details that show whether the applications are running, suspended, or not responding. If an application has an open file, such as a Microsoft Word document, the name of the file is also shown. By default, applications are grouped into three general categories:

  • Apps. Programs running in the foreground

  • Background processes. Programs running in the background

  • Windows processes. Processes run by the operating system

Important

Generally, foreground processes are processes being run by a user logged on to a computer’s local console. In contrast, background processes include any processes run by the operating system, local services, network services, and remote users. Thus, if you are trying to track processes for remote users on the Processes tab, you look under the Background Processes group rather than the Apps group. However, the Users tab provides a better approach for identifying the specific processes local and remote users are running. On this tab, each process a particular user is running is listed under the user’s logon name.

A screen shot of Task Manager, showing the Processes tab.

Figure 10-11. The Processes tab in Task Manager tracks applications users are running.

You can use Group By Type on the View menu to control whether grouping is used. If you clear this option, processes are listed alphabetically without grouping by type. If an application has related subprocesses or windows, expand its entry by tapping or clicking the arrow next to its name to view them.

To work with an application, select it by tapping or clicking it in the task list. You can then press and hold or right-click the application name to select End Task, Create Dump File, Go To Details, Open File Location, Search Online, and Properties. Don’t overlook the usefulness of Go To Details when you press and hold or right-click. Use this when you’re trying to find the primary process for a particular application because selecting this option highlights the related process on the Details tab. Select Create Dump File to create a dump file for debugging an application. The dump contains the process’s entire memory, including any passwords, keys, or session tokens it holds at the time, and is written to your user profile’s temporary folder, so treat it as sensitive and delete it when you’re done. Select Search Online to start a search with your default search provider in your default browser. The search keywords are the image name and descriptive name of the process.

The Status column shows abnormal process statuses, if any. If you see an application with a status of Not Responding, the application might be frozen, and you might want to select it and then tap or click End Task. Keep in mind that the Not Responding message can also be an indicator that an application is busy and should be left alone until it finishes. Generally, when an application is running without errors and might have unsaved data, don’t use End Task to stop the application. Instead, try to exit the program gracefully. You can do this by expanding the related entry for the application, pressing and holding or right-clicking the related subprocess, selecting Switch To to switch to the application, and then exiting the application as you normally would.

Other columns on the Processes tab provide additional information about running processes. Use the values shown in the CPU and Memory columns to determine which processes are overconsuming these system resources. You can add other columns by pressing and holding or right-clicking any column header and then selecting options for the additional columns to display. In addition to Name and Status, the available columns are as follows:

  • CPU. Lists the percentage of CPU utilization for the process (across all physical and logical processors). The bold value in the column header represents the total CPU utilization for the server (across all physical and logical processors).

  • Memory. Lists the total physical memory reserved for the process. The bold value in the column header represents the total physical memory utilization for the server.

  • Command Line. Provides the full file path to the executable running the process and any command-line arguments passed in when the process was started.

  • PID. Provides the numeric identifier for the process.

  • Process Name. Provides the name of the process or executable running the process.

  • Publisher. Shows the publisher of the process, such as Microsoft Corporation.

  • Type. Provides the general process type as app, background process, or Windows process, which is useful if you clear Group By Type on the View menu.

Monitoring and troubleshooting processes

You can view information about processes running on a system by using the Details tab of Task Manager or by running get-process. The Task Manager display differs greatly from the output provided by get-process. The Details tab shows all processes that are running, including those run by the operating system, local services, network services, a user account logged on to the local console, and remote users.

The default view of the Details tab shows each running process by image name and user name. Here, the image name is the name of the executable for the process, and the user name is the name of the user or service running the process.

The CPU column shows the percentage of processor utilization for each process. The Memory column shows the amount of memory the process is currently using. By default, processes are sorted by image name, but you can change this by tapping or clicking any of the available column headers to sort the information based on that column. Tapping or clicking again on the same column reverses the sort order. For example, tap or click User Name to sort the user names alphabetically. Tap or click User Name again to reverse sort the user names.

As you might recall from Figure 10-6, get-process shows much more detailed information for each process. This information is useful for troubleshooting. If you press and hold or right-click any column header and then choose Select Columns, you’ll see a dialog box that enables you to add columns to the Details tab. To get the additional information get-process shows, the following columns should be selected:

  • PID

  • CPU

  • CPU Time

  • Working Set (Memory)

  • Memory (Private Working Set)

  • Memory (Shared Working Set)

  • Commit Size

  • Handles

You will then have a process display like the one shown in Figure 10-12.

A screen shot of the Details tab in Task Manager, showing information of running processes.

Figure 10-12. The Details tab provides detailed information on running processes according to image name and user name.

For deeper troubleshooting, I recommend adding a few more columns, such as the following:

  • Base Priority

  • Image Path Name

  • Page Faults

  • PF Delta

  • Threads

  • Working Set Delta (Memory)

Okay, so now that you’ve added all these extra columns of information, you are probably wondering what it all means and why you want to track it. As stated previously, you primarily use this information for troubleshooting. It helps you pinpoint which processes are hogging system resources and the type of resources the resource hogs are using. When you know what’s going on with processes, you can modify the system or its applications accordingly to resolve a performance problem.

Table 10-1 summarizes the information provided by these and other process-related statistics. The value in parentheses following the Task Manager column name is the name of the corresponding get-process property (if available). If by monitoring processes you notice what looks like a problem, you probably want to start more detailed monitoring of the system. One tool to consider is System Monitor, which is discussed in Chapter 11.

Note

For formatting purposes, the get-process property names are shown in brackets. The actual property names contain neither brackets nor hyphens.

Table 10-1. Process statistics and how they can be used

Column Name

Description

Base Priority [BasePriority]

Shows the priority of the process. Priority determines how much of the system resources are allocated to a process. The standard priorities are Low (4), Below Normal (6), Normal (8), Above Normal (10), High (13), and Real-Time (24). Most processes have a Normal priority by default, and the highest priority is given to real-time processes.

Commit Size [VirtualMemorySize]

Shows the amount of virtual memory allocated to and reserved for a process. Virtual memory is memory on disk and is slower to access than pooled memory. By configuring an application to use more physical RAM, you might be able to increase performance. To do this, however, the system must have available RAM. If it doesn’t, other processes running on the system might slow down.

CPU [CPU]

Shows the percentage of CPU utilization for the process. The System Idle Process shows what percentage of CPU power is idle. A 99 in the CPU column for the System Idle Process means 99 percent of the system resources currently aren’t being used. If the system has low idle time (meaning high CPU usage) during peak or average usage, you might consider upgrading to faster processors or adding processors.

CPU Time [TotalProcessorTime]

Shows the total amount of CPU time used by the process since it was started. Tap or click the column header to see quickly the processes that are using the most CPU time. If a process is using a lot of CPU time, the related application might have a configuration problem. This could also indicate a runaway or nonresponsive process that is unnecessarily tying up the CPU.

Handles [HandleCount]

Shows the number of file handles maintained by the process. The number of handles used is an indicator of how dependent the process is on the file system. Some processes have thousands of open file handles. Each file handle requires system memory to maintain.

Image Path Name [Path]

Shows the full path to the executable for the process.

Name [ProcessName]

Shows the name of the process.

NP Pool [NonpagedSystemMemorySize]

Shows the amount of virtual memory for a process that cannot be written to disk. The nonpaged pool is an area of RAM for objects that can’t be written to disk. You should note processes that require a high amount of nonpaged pool memory. If there isn’t enough free memory on the server, these processes might be the reason for a high level of page faults.

Page Faults

Shows page faults caused by the process. Page faults occur when a process requests a page in memory and the system can’t find it at the requested location. If the requested page is elsewhere in memory, the fault is called a soft page fault. If the requested page must be retrieved from disk, the fault is called a hard page fault. Most processors can handle large numbers of soft faults. Hard faults, however, can cause significant delays. If there are a lot of hard faults, you might need to increase the amount of memory or reduce the system cache size.

Paged Pool [PagedSystemMemorySize]

Shows the amount of committed virtual memory for a process that can be written to disk. The paged pool is an area of RAM for objects that can be written to disk when they aren’t used. As process activity increases, so does the amount of pool memory the process uses. Most processes have more paged pool than nonpaged pool requirements.

Peak Working Set (Memory) [PeakWorkingSet]

Shows the maximum amount of memory the process used, including both the private working set and the nonprivate working set. If peak memory is exceptionally large, this can indicate a memory leak.

PF Delta

Shows the change in the number of page faults for the process recorded since the last update. As with memory usage, you might see an increase in page faults when a process is active and then a decrease as activity slows.

PID [Id]

Shows the run-time identification number of the process.

Session ID [SessionId]

Shows the identification number of the user session within which the process is running. This corresponds to the ID value listed on the Users tab.

Threads [Threads]

Shows the number of threads that the process is using. Most server applications are multithreaded, which allows concurrent execution of process requests. Some applications can dynamically control the number of concurrently executing threads to improve application performance. Too many threads, however, can actually reduce performance because the operating system has to switch thread contexts too frequently.

Working Set (Memory) [WorkingSet]

Shows the amount of memory the process is currently using, including both the private working set and the nonprivate working set. The private working set is memory the process is using that cannot be shared with other processes. The nonprivate working set is memory the process is using that can be shared with other processes. If memory usage for a process slowly grows over time and doesn’t go back to the baseline value, this can indicate a memory leak.

Working Set Delta (Memory)

Shows the change in memory usage for the process recorded since the last update. A constantly changing memory delta can indicate that a process is in use, but it could also indicate a problem. Generally, the memory delta might show increasing memory usage when a process is being used and then show a negative delta (indicated by parentheses in Task Manager) as activity slows.

At a Windows PowerShell prompt, you can get key stats for all processes by following these steps:

  1. Retrieve all the processes on the server and store them in the $a variable by entering:

    $a = get-process
  2. Use the -InputObject parameter to pass the process objects stored in $a to get-process and then pass the objects to the format-table cmdlet along with the list of properties you want to see by entering:

    get-process -inputobject $a | format-table -property ProcessName,
    BasePriority, HandleCount, Id, NonpagedSystemMemorySize,
    PagedSystemMemorySize, PeakPagedMemorySize, PeakVirtualMemorySize,
    PeakWorkingSet, SessionId, Threads, TotalProcessorTime,
    VirtualMemorySize, WorkingSet, CPU, Path

Note

The order of the properties in the comma-separated list determines the display order. If you want to change the display order, just move the property to a different position in the list.

When you know the process you want to examine, you don’t need to use this multistep procedure. Just enter the name of the process without the .exe or .dll extension instead of using -inputobject $a. In this example, you list details about the Explorer process:

get-process explorer | format-list -property ProcessName, BasePriority,
HandleCount, Id, NonpagedSystemMemorySize, PagedSystemMemorySize,
PeakPagedMemorySize, PeakVirtualMemorySize, PeakWorkingSet, SessionId,
Threads, TotalProcessorTime, VirtualMemorySize, WorkingSet, CPU, Path

You can enter part of a process name and use an asterisk as a wildcard to match a partial name. In this example, get-process lists any process with a name that starts with exp:

get-process exp* | format-list -property ProcessName, BasePriority,
HandleCount, Id, NonpagedSystemMemorySize, PagedSystemMemorySize,
PeakPagedMemorySize, PeakVirtualMemorySize, PeakWorkingSet, SessionId,
Threads, TotalProcessorTime, VirtualMemorySize, WorkingSet, CPU, Path
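The get-process listings above give a single snapshot. The Working Set Delta and PF Delta columns in Table 10-1 are only meaningful when you compare two snapshots, and a process whose working set keeps growing between samples is the pattern the table describes as a possible memory leak. The following script is an added example, not code from the book: it takes two get-process samples a few seconds apart, keys them by process ID so that a reused ID is not compared against a different process, and reports the processes whose working set, handle count, and CPU share grew the most. The interval and the number of rows shown are arbitrary parameter defaults.

```powershell
# Added example: sample process statistics twice and report the largest
# working-set, handle, and CPU growth between the samples. Run from an
# elevated Windows PowerShell prompt to see every process's CPU and Path.
param(
    [int]$IntervalSeconds = 10,   # arbitrary default; longer intervals smooth out spikes
    [int]$Top = 10
)

# One snapshot, keyed by process ID so PID reuse between samples is ignored.
function Get-ProcessSnapshot {
    $snap = @{}
    foreach ($p in Get-Process) {
        $snap[$p.Id] = [pscustomobject]@{
            Id         = $p.Id
            Name       = $p.ProcessName
            WorkingSet = $p.WorkingSet64          # bytes, private + shared (Task Manager "Working Set (Memory)")
            Handles    = $p.HandleCount
            Threads    = $p.Threads.Count
            CpuSeconds = [double]$p.CPU           # $null for processes you cannot open; cast gives 0
            Path       = $p.Path
        }
    }
    return $snap
}

$first = Get-ProcessSnapshot
Start-Sleep -Seconds $IntervalSeconds
$second = Get-ProcessSnapshot
$cpuCount = [int]$env:NUMBER_OF_PROCESSORS

$deltas = foreach ($id in $second.Keys) {
    if (-not $first.ContainsKey($id)) { continue }   # started after the first sample
    $a = $first[$id]; $b = $second[$id]
    [pscustomobject]@{
        Id                = $id
        Name              = $b.Name
        WorkingSetMB      = [math]::Round($b.WorkingSet / 1MB, 1)
        WorkingSetDeltaKB = [math]::Round(($b.WorkingSet - $a.WorkingSet) / 1KB, 0)   # Task Manager "Working Set Delta"
        HandleDelta       = $b.Handles - $a.Handles
        Threads           = $b.Threads
        # CPU seconds consumed during the interval, expressed like Task Manager's CPU column
        CpuPercent        = [math]::Round(100 * ($b.CpuSeconds - $a.CpuSeconds) / $IntervalSeconds / $cpuCount, 1)
        Path              = $b.Path
    }
}

"Processes with the largest working-set growth over $IntervalSeconds seconds:"
$deltas | Sort-Object WorkingSetDeltaKB -Descending | Select-Object -First $Top |
    Format-Table Id, Name, WorkingSetMB, WorkingSetDeltaKB, HandleDelta, Threads, CpuPercent -AutoSize

"Processes consuming the most CPU over the interval:"
$deltas | Sort-Object CpuPercent -Descending | Select-Object -First $Top |
    Format-Table Id, Name, CpuPercent, Path -AutoSize
```

Run the script several times during normal load to establish what a baseline delta looks like before treating growth as a problem; a process that is busy will show a positive delta that later returns to zero, whereas a leak keeps climbing across runs.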

Some interesting additional properties you can use with get-process include the following:

  • MinWorkingSet. The minimum amount of working set memory used by the process

  • Modules. The executables and dynamically linked libraries used by the process

  • PeakVirtualMemorySize. The peak amount of virtual memory used by the process

  • PriorityBoostEnabled. A Boolean value that indicates whether the process’s PriorityBoost feature is enabled

  • PriorityClass. The priority class of the process

  • PrivilegedProcessorTime. The amount of kernel-mode usage time for the process

  • ProcessorAffinity. The processor affinity setting for the process

  • Responding. A Boolean value that indicates whether the process responded when tested

  • StartTime. The date and time the process was started

  • UserProcessorTime. The amount of user-mode usage time for the process

  • Description. A description of the process

  • FileVersion. The file version of the executable of the process

In Task Manager, you can stop processes that you suspect aren’t running properly. To do this, press and hold or right-click the process and choose End Process to stop the process or End Process Tree to stop the process and any other processes it started. To stop a process at a Windows PowerShell prompt, you can use stop-process. The best way to use stop-process is to identify the process ID of the process that you want to stop rather than a process name. This ensures that you stop only the intended process rather than all instances of processes with a particular process name. By using the -confirm parameter, you should also have stop-process prompt you to confirm how you want to proceed. In the following example, you stop the process with the process ID 4524:

stop-process -id 4524 -confirm

Because you asked for confirmation, you see a prompt before the process is stopped. You can then:

  • Press Y to answer Yes and confirm that you want to perform the action and continue.

  • Press A to answer Yes to all prompts and confirm that you want to perform all actions without further prompting.

  • Press N to answer No and skip the action and continue to the next action.

  • Press L to answer No to all prompts and confirm that you do not want to perform any actions.

  • Press S to suspend the pipeline and return to the command prompt. To return to the pipeline later, type exit.
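Stopping by process ID is safer than stopping by name, but a process ID is reused after the original process exits, so the ID you noted on the Details tab can belong to a different process by the time you act on it. The following function is an added example, not code from the book: it looks the ID up again, checks that the process name still matches what you expect, shows what is about to be stopped, and only then calls stop-process with -confirm. The function name, its parameters, and the sample ID and name in the usage comment are all made up for the illustration.

```powershell
# Added example: stop a process by ID only after verifying that the ID still
# belongs to the process you inspected, guarding against PID reuse.
function Stop-VerifiedProcess {
    param(
        [Parameter(Mandatory = $true)][int]$Id,
        [Parameter(Mandatory = $true)][string]$ExpectedName,   # process name without .exe, as shown by get-process
        [switch]$Force                                          # skip the confirmation prompt
    )

    $proc = Get-Process -Id $Id -ErrorAction SilentlyContinue
    if (-not $proc) {
        Write-Warning "No process with ID $Id is running; nothing to do."
        return
    }
    if ($proc.ProcessName -ne $ExpectedName) {
        Write-Warning ("Process ID {0} is now '{1}', not '{2}'; the ID was probably reused. Not stopping it." -f
            $Id, $proc.ProcessName, $ExpectedName)
        return
    }

    # StartTime is unavailable for processes you cannot open, so tolerate the error.
    $started = try { $proc.StartTime } catch { 'n/a' }
    "Stopping {0} (PID {1}), started {2}, image {3}" -f $proc.ProcessName, $proc.Id, $started, $proc.Path

    if ($Force) {
        Stop-Process -Id $proc.Id -Force
    } else {
        Stop-Process -Id $proc.Id -Confirm
    }
}

# Usage (4524 and notepad are placeholder values for this example):
# Stop-VerifiedProcess -Id 4524 -ExpectedName notepad
```

Reserve -Force for processes that ignore the normal stop request; as the text notes, an application that is merely busy and holds unsaved data is better exited gracefully than stopped.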

Monitoring and troubleshooting services

You can view information about services running on a system by using the Services tab of Task Manager or by running get-service. By default, the Services tab shows all services configured on the system whether they are running, stopped, or in a different state. As shown in Figure 10-13, services are listed by name, process ID (PID), description, status, and group.

Because multiple services typically run under the same process ID, you can quickly sort services by their associated process ID by tapping or clicking the related column heading. You can tap or click the Status column heading to sort services according to their status as Running or Stopped. If you press and hold or right-click a service’s listing in Task Manager, you display a shortcut menu that enables you to start a stopped service, stop a started service, or go to the related process on the Details tab.

A screen shot of the Services tab in Task Manager, showing information on configured services.

Figure 10-13. The Services tab provides detailed information on configured services.

Note

You also can work with services by using the Services pane in Server Manager, the Services node in Computer Management, or the Services console.

The Group column provides additional information about the identity or service host context under which a service runs. Services running under an identity with a restriction have the restriction appended. For example, a service running under the Local Service identity might be listed as LocalServiceNoNetwork to indicate that the service has no network access, or as LocalSystemNetworkRestricted to indicate that the service has restricted access to the network.

Services hosted by svchost.exe list the service group name passed to its -k parameter. For example, the RemoteRegistry service runs with the svchost.exe -k regsvc command line, and you see an entry of regsvc in the Group column for this service.

At a Windows PowerShell prompt, you can get the status of configured services just by entering get-service. By default, only the service status, internal name, and display name are shown. Additional properties that you can display include:

  • CanPauseAndContinue. Indicates whether the service can be paused and resumed

  • CanStop. Indicates whether you can stop the service

  • DependentServices. Lists the services that depend on this service

  • ServicesDependedOn. Lists the services on which this service depends

At a Windows PowerShell prompt, you can get the available details for all services by following these steps:

  1. Retrieve all the services on the server and store them in the $a variable by entering:

    $a = get-service
  2. Use the -InputObject parameter to pass the service objects stored in $a to get-service and then pass the objects to the format-table cmdlet along with the list of properties you want to see by entering:

    get-service -inputobject $a | format-table -property Name, DisplayName,
    CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

When you know the service you want to examine, you don’t need to use this multistep procedure. Just enter the internal name of the service instead of using -inputobject $a. In this example, you list details about the TermService service:

get-service TermService | format-list -property Name, DisplayName,
CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

You can enter part of a service name by using an asterisk as a wildcard to match a partial name. In this example, get-service lists any service with a name that starts with term:

get-service Term* | format-list -property Name, DisplayName,
CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

To list services by display name, use the -displayname parameter and enclose the display name in quotation marks, as shown here:

get-service -displayname "Remote Desktop Services" | format-list -property Name,
DisplayName, CanPauseAndContinue, CanStop, DependentServices,
ServicesDependedOn, Status

You can use the following cmdlets to manage services:

  • Suspend-Service. Pauses a service

  • Resume-Service. Resumes a paused service

  • Start-Service. Starts a stopped service

  • Stop-Service. Stops a started service

  • Restart-Service. Stops and then starts a service

Typically, you use Restart-Service when you suspect a service is having a problem and you want to reset it.
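get-service tells you the status and dependencies of a service, but not the start mode, the account it runs under, or the svchost.exe group that Task Manager shows in the Group column. The following script is an added example, not code from the book: it reads the Win32_Service WMI class, which does expose those fields, flags automatic services that are not running together with the services that depend on them, and groups running services by their svchost.exe -k value. The helper function name is made up for the illustration.

```powershell
# Added example: report service start mode, account, and svchost group,
# and flag automatic services that are not running.
$services = Get-WmiObject -Class Win32_Service

# Extract the -k group name from an svchost.exe command line, if present.
function Get-SvchostGroup {
    param([string]$CommandLine)
    if ($CommandLine -match 'svchost\.exe"?\s+-k\s+(\S+)') { return $Matches[1] }
    return $null
}

$report = foreach ($s in $services) {
    [pscustomobject]@{
        Name      = $s.Name
        State     = $s.State        # Running, Stopped, Start Pending, ...
        StartMode = $s.StartMode    # Auto, Manual, Disabled, Boot, System
        Account   = $s.StartName    # identity the service runs under
        PID       = $s.ProcessId
        Group     = Get-SvchostGroup -CommandLine $s.PathName
        Path      = $s.PathName
    }
}

"Automatic services that are not running, with the services that depend on them:"
$report | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Format-Table Name, State, Account,
        @{ n = 'Dependents'; e = { (Get-Service -Name $_.Name -ErrorAction SilentlyContinue).DependentServices.Name -join ', ' } } -AutoSize

"Running services grouped by svchost.exe group (the Group column in Task Manager):"
$report | Where-Object { $_.Group -and $_.State -eq 'Running' } | Sort-Object Group, Name |
    Format-Table Group, PID, Name, Account -AutoSize
```

An automatic service that is stopped is the case where Restart-Service applies; the Dependents column tells you which other services will be affected when you restart it.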

Getting network usage information

On the Performance tab, you can view the current usage of a computer’s network connections. When you select the Performance tab, each enabled network connection is listed by name in the left pane along with either a summary view or a summary graph view of current activity. If you select a network connection in the left pane, as shown in Figure 10-14, the main window provides more detailed information about the connection’s current usage.

A screen shot of the Performance tab in Task Manager, showing network activity for an enabled network connection.

Figure 10-14. Use performance information for network connections to track network activity.

The adapter name is listed above the graph, as is the manufacturer name and model. The graph shows the selected network connection’s throughput with send and receive activity plotted separately over time. As the legend below the graph shows, send activity is plotted with a dashed line, and receive activity is plotted with a solid line. Also shown are the current send and receive throughput, scaled according to current activity levels. With this in mind, if there is little current activity, you see activity plotted in Kbps. As activity increases, you might see activity plotted in Mbps or even Gbps.

You can also get more detailed information for a network connection. This information is useful for troubleshooting. If you tap or click the graph and choose View Network Details, you open a dialog box you can use to add columns for summary statistics to the Networking tab. Table 10-2 summarizes the key network statistics available.

Table 10-2. Network statistics and how they can be used

Column Name

Description

Bytes Sent Throughput

Shows the percentage of the current connection bandwidth used by traffic sent from the system.

Bytes Received Throughput

Shows the percentage of the current connection bandwidth used by traffic received by the system.

Bytes Throughput

Shows the percentage of the current connection bandwidth used for all traffic on the network adapter. If this shows 50 percent or more utilization consistently, you’ll want to monitor the system more closely and consider adding network adapters.

Bytes Sent

Shows the cumulative total bytes sent on the connection since the system booted.

Bytes Received

Shows the cumulative total bytes received on the connection since the system booted.

Bytes

Shows the cumulative total bytes on the connection since the system booted.

Unicasts

Shows the cumulative number of unicast packets received or sent since the system booted.

Unicasts Sent

Shows the total packets sent by unicast since the system booted.

Unicasts Received

Shows the total packets received by unicast since the system booted.

Nonunicasts

Shows the total number of broadcast packets sent or received since the system booted. Too much broadcast traffic on the network can be an indicator of networking problems. If you see a lot of nonunicast traffic, monitor the amount received during the refresh interval.

Nonunicasts Sent

Shows the total broadcast packets sent since the system booted.

Nonunicasts Received

Shows the total broadcast packets received since the system booted.
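Task Manager derives the throughput percentages in Table 10-2 from the byte counters of the adapter and its link speed. The following script is an added example, not code from the book: it takes two samples from Get-NetAdapterStatistics a few seconds apart, converts the byte difference into bits per second, divides by the adapter speed reported by Get-NetAdapter, and also reports the unicast and nonunicast packet counts for the interval, flagging any adapter above the 50 percent utilization level the table mentions. The interval and warning threshold are arbitrary parameter defaults; the counter property names are those exposed by the NetAdapter module on Windows Server 2012 and later.

```powershell
# Added example: per-adapter throughput, utilization, and packet mix over an
# interval, computed from two samples of the adapter statistics counters.
param(
    [int]$IntervalSeconds = 5,    # arbitrary default
    [int]$WarnPercent = 50        # the utilization level Table 10-2 says to watch
)

# One snapshot of every adapter's cumulative counters, keyed by adapter name.
function Get-NetSnapshot {
    $snap = @{}
    foreach ($s in Get-NetAdapterStatistics) { $snap[$s.Name] = $s }
    return $snap
}

# Broadcast and multicast together make up the Nonunicasts figure.
function Get-NonunicastTotal($s) {
    return $s.SentBroadcastPackets + $s.ReceivedBroadcastPackets +
           $s.SentMulticastPackets + $s.ReceivedMulticastPackets
}

# Link speed in bits per second for adapters that are up.
$speeds = @{}
foreach ($a in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) { $speeds[$a.Name] = [double]$a.Speed }

$first = Get-NetSnapshot
Start-Sleep -Seconds $IntervalSeconds
$second = Get-NetSnapshot

foreach ($name in $second.Keys) {
    if (-not $first.ContainsKey($name) -or -not $speeds.ContainsKey($name)) { continue }
    $a = $first[$name]; $b = $second[$name]

    $sentBits = ($b.SentBytes - $a.SentBytes) * 8 / $IntervalSeconds
    $recvBits = ($b.ReceivedBytes - $a.ReceivedBytes) * 8 / $IntervalSeconds
    $linkBits = $speeds[$name]
    $pct = if ($linkBits -gt 0) { [math]::Round(100 * ($sentBits + $recvBits) / $linkBits, 2) } else { 0 }

    $unicast    = ($b.SentUnicastPackets + $b.ReceivedUnicastPackets) - ($a.SentUnicastPackets + $a.ReceivedUnicastPackets)
    $nonUnicast = (Get-NonunicastTotal $b) - (Get-NonunicastTotal $a)

    [pscustomobject]@{
        Adapter            = $name
        SendMbps           = [math]::Round($sentBits / 1e6, 3)   # "Bytes Sent Throughput" as a rate
        ReceiveMbps        = [math]::Round($recvBits / 1e6, 3)   # "Bytes Received Throughput" as a rate
        UtilizationPercent = $pct                                # "Bytes Throughput"
        UnicastPackets     = $unicast
        NonunicastPackets  = $nonUnicast
        Note               = if ($pct -ge $WarnPercent) { "above $WarnPercent% utilization; monitor closely" } else { '' }
    }
}
```

A high NonunicastPackets count relative to UnicastPackets over several intervals is the broadcast-heavy pattern the table singles out; repeat the sample during the refresh interval you care about before drawing conclusions.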

Getting information on user and remote user sessions

Members of the Administrators group and any users to whom you specifically grant remote access can connect to systems by using Remote Desktop Services or a Remote Desktop Connection. Both techniques allow users to access systems remotely and use the systems as if they were sitting at the keyboard. In the standard configuration, however, remote access is disabled. You can enable and configure the remote access feature by using Server Manager. In Server Manager, select Local Server in the left pane and then tap or click the Enabled or Disabled link for Remote Desktop. This opens the System Properties dialog box to the Remote tab, as shown in Figure 10-15.

A screen shot of the Remote tab in the System Properties dialog box, showing Remote Desktop configuration options.

Figure 10-15. Configure Remote Desktop connections.

In the Remote Desktop panel, select Allow Remote Connections To This Computer. Before you tap or click OK, select the Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication check box if you want to ensure that only more secure connections using Network Level Authentication are permitted. Windows Vista, Windows Server 2008, and later releases of Windows have Network Level Authentication. Most earlier releases of Windows do not.

With Remote Desktop, Windows Server 2012 R2 allows two active console sessions at one time. Console sessions provide full functionality for administration. If you try to log on with a new console session and two others are already logged on to the console, the following happens:

  1. You see a prompt stating that too many users are logged on. You can then select a user session to disconnect, or you can tap or click Cancel to exit the session. If you select the Force Disconnect Of This User check box prior to selecting a user, the first user is forcibly disconnected. A user with a Remote Desktop Connection sees a prompt stating, “Your Remote Desktop Services session has ended. A user with a local logon is logged off.”

  2. If you elect to disconnect a user, that user sees a prompt from Remote Desktop Connection stating that you have requested to disconnect her session. The user has 30 seconds to respond by either tapping or clicking OK to disconnect immediately or tapping or clicking Cancel to deny the request.

  3. If 30 seconds elapses without a response, the user is disconnected automatically. A user with a Remote Desktop Connection sees a prompt stating, “Your Remote Desktop Services session has ended. A user with a local logon is logged off.”

  4. If the user selects Cancel when prompted to disconnect her session, she will see a prompt stating that her request has been denied.

As shown in Figure 10-16, the Users tab lists user connections according to the following factors:

  • User. The logon name of the user account, such as Wrstanek or Administrator. If you want to see the logon domain and the logon name, select Show Full Account Name on the Options menu.

  • Status. The status of the connection. This can be either Blank for active connections or Disconnected for connections that have been disconnected.

  • CPU. Lists the percentage of CPU utilization for the user (across all physical and logical processors). The bold value in the column header represents the total CPU utilization for the server (across all physical and logical processors).

  • Memory. Lists the total physical memory reserved for the user. The bold value in the column header represents the total physical memory utilization for the server.

A screen shot of the Users tab in Task Manager, showing user sessions.

Figure 10-16. Use the Users tab to track and manage user sessions.

CPU and memory utilization details are new for Windows Server 2012 R2 and are helpful for troubleshooting performance issues related to logged-on users. The total utilization value is listed above the column heading, and individual utilization values for each logged-on user are listed below it.

You can add other columns by pressing and holding or right-clicking any column header and then selecting options for the additional columns to display. Other available columns are as follows:

  • ID. The session ID. All user connections have a unique session ID.

  • Client Name. The name of the computer from which an active user is connecting. This field is blank for console sessions (and for disconnected sessions).

  • Session. The type of session. Console is used for users logged on locally. The value is blank for disconnected sessions. Otherwise, this column indicates the connection type and protocol, such as RDP-TCP for a connection using the Remote Desktop Protocol (RDP) with Transmission Control Protocol (TCP) as the transport protocol.

The Users tab can help you determine who is logged on and whether that user’s status is active or disconnected. Press and hold or right-click an active session, and you can choose Send Message to send a console message to the user. This message is displayed on the screen of that user’s session.

If you must end a user session, you can do this in one of two ways. Pressing and holding or right-clicking the session and choosing Sign Off logs off the user using the normal logoff process. This allows application data and system state information to be saved as it would be during a normal logoff. Pressing and holding or right-clicking the session and choosing Disconnect disconnects a user, but the user’s session isn’t affected.

You can also connect to or sign off an inactive session. To connect to the session, press and hold or right-click the inactive session and then choose Connect. When prompted, provide the user’s password. To log off the user, press and hold or right-click the inactive session and then choose Sign Off. When prompted, confirm that you want to sign out the user, which might cause the user’s unsaved data to be lost.

Tracking events and troubleshooting by using Event Viewer

The Windows operating system defines an event as any significant occurrence in the operating system or an application that should be recorded for tracking purposes. Informational events can be tracked, as can events that record warnings, errors, and auditing. Critical errors that deserve immediate attention, such as when the server has run out of disk space or memory, are recorded in the logs and displayed on screen.

Understanding the event logs

The Windows service that controls event logging is the Event Log service. When this service is started, events are recorded in one of the available event logs. To work with event logs remotely, remote management and inbound exceptions for Remote Event Log Management must be enabled. For more information, see “Enabling remote management” in Chapter 4.

Two general types of log files are used:

  • Windows logs. Logs that the operating system uses to record general system events related to applications, security, setup, and system components

  • Applications and services logs. Logs that specific applications and services use to record application-specific or service-specific events

Windows logs you see include:

  • Application. Contains events logged by applications. You find events in this log for Microsoft Exchange Server, SQL Server, Internet Information Services (IIS), and other installed applications. It is also used to record events from printers and, if you configured alert logging, alerts. The default location is %SystemRoot%\System32\Winevt\Logs\Application.Evtx. The default log size is 20,480 KBs.

  • Forwarded Events. When you configure event forwarding, this log records forwarded events from other servers. The default location is %SystemRoot%\System32\Config\ForwardedEvents.Evtx. The default log size is 20,480 KBs.

  • Security. Contains events you set for auditing with local or global group policies. Depending on the auditing configuration, you find events for logon, logoff, privilege use, and shutdown in addition to general system events such as the loading of the authentication package by the Local Security Authority (LSA). The default location is %SystemRoot%\System32\Winevt\Logs\Security.Evtx. The default log size is 131,072 KBs on domain controllers and 20,480 KBs on member servers.

    Note

    Only administrators are granted access to the Security log by default. If other users need to access the Security log, you must specifically grant them the Manage Auditing And The Security Log user rights. You can learn more about assigning user rights in Chapter 14, “Implementing Active Directory Domain Services,” in Windows Server 2012 R2 Inside Out: Services, Security, & Infrastructure (Microsoft Press, 2014).

  • Setup. Records events logged by the operating system or its components during setup and installation. The default location is %SystemRoot%\System32\Winevt\Logs\Setup.Evtx. The default log size is 1,028 KBs.

  • System. Contains events logged by Windows Server and its components. You should routinely check this log for warnings and errors, especially those related to the failure of a service to start at bootup or the improper configuration of a service. The default location is %SystemRoot%\System32\Winevt\Logs\System.Evtx. The default log size is 20,480 KBs.

Applications and services logs you see include:

  • DFS Replication. Records distributed file system (DFS) replication activities. The default location is %SystemRoot%\System32\Winevt\Logs\DFS Replication.Evtx. The default log size is 15,168 KBs.

  • Directory Service. Contains events logged by Active Directory. The primary events relate to the Active Directory database and global catalogs. You find details on database consistency checks, online defragmentation, and updates. The default location is %SystemRoot%\System32\Winevt\Logs\Directory Service.Evtx.

  • DNS Server. Contains Domain Name System (DNS) queries, responses, and other DNS activities. You might also find details on activities that relate to DNS integration with Active Directory. The default location is %SystemRoot%\System32\Winevt\Logs\DNS Server.Evtx. The default log size is 16,384 KBs.

  • File Replication Service. Contains events logged by the File Replication Service, a service used to replicate Active Directory changes to other domain controllers. You find details on any important events that took place while a domain controller attempted to update other domain controllers. The default location is %SystemRoot%\System32\Winevt\Logs\File Replication Service.Evtx. The default log size is 20,480 KBs.

  • Hardware Events. When hardware subsystem event reporting is configured, records hardware events reported to the operating system. The default location is %SystemRoot%\System32\Config\HardwareEvents.Evtx. The default log size is 20,480 KBs.

  • Microsoft\Windows. Logs that track events related to specific Windows services and features. Logs are organized by component type and event category. Operational logs track events generated by the standard operations of the related component. In some cases, you see supplemental logs for analysis, debugging, and recording administration-related tasks. Most of the related logs have a fixed default log size of 1,028 KBs.

By default, the logs are sized as appropriate for the type of system you are working with and its configuration. In a standard configuration of Windows Server 2012 R2, most logs are sized as listed previously. As shown, most logs have a fairly large maximum size. This includes the DNS Server, System, and Application logs. Because they are less critical, the Directory Service and File Replication Service logs on domain controllers have a maximum size of 1,028 KBs. Because the Security log is so important, it is usually configured with a maximum size of 131,072 KBs on domain controllers and 20,480 KBs on member servers. Primarily, this is to allow the server to record a complete security audit trail when the server is under attack and a large number of security events are generated.

Windows Server 2012 R2 logs are configured to overwrite old events as needed by default. So, when the log reaches its maximum size, the operating system overwrites old events with new events. If desired, you can have Windows automatically archive logs. In this configuration, when the maximum file size is reached, Windows archives the events by saving a copy of the current log in the default directory. Windows then creates a new log for storing current events.

You can also configure logs so that Windows never overwrites events. However, the problem with doing it that way is that when the maximum size is reached, events can’t be overwritten, and the system generates an error message telling you that such and such event log is full each time it tries to write an event—and you can quickly get to where dozens of these errors are displayed.
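The three overflow behaviors described above (overwrite as needed, archive when full, never overwrite) can also be inspected and set from Windows PowerShell. The following is an added example, not code from the book; it uses the standard Windows log names, the Limit-EventLog cmdlet and the wevtutil sl command, and the sizes it sets are the defaults the book lists for the Security log.

```powershell
# Added example (not from the book): inspect and set event log size and
# retention from Windows PowerShell. Run from an elevated prompt.

# Show the current maximum size, overflow action and entry count of every
# classic log (the Windows Logs node in Event Viewer).
Get-EventLog -List |
    Select-Object Log, MaximumKilobytes, OverflowAction,
                  @{ n = 'Entries'; e = { $_.Entries.Count } } |
    Format-Table -AutoSize

# "Overwrite events as needed" at 131,072 KB, the book's domain controller
# default for the Security log. -MaximumSize is in bytes and must be a
# multiple of 64 KB.
Limit-EventLog -LogName Security -MaximumSize 131072KB -OverflowAction OverwriteAsNeeded

# "Archive the log when full, do not overwrite events" has no Limit-EventLog
# switch. wevtutil exposes it as AutoBackup (/ab), which requires retention
# (/rt) to be true as well; /ms is again the maximum size in bytes.
wevtutil sl Security /ms:134217728 /rt:true /ab:true

# "Do not overwrite events" is the setting the text warns about: once the
# log is full every new write fails with an "event log is full" error.
# Shown commented out so the script does not leave a log in that state.
# Limit-EventLog -LogName Application -OverflowAction DoNotOverwrite

# Read the Security log settings back to confirm the change took effect.
wevtutil gl Security
```

Because Group Policy can also set these values (see the note that follows), re-run the Get-EventLog -List query after a policy refresh when a size you set appears to revert.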

Note

You can also control the log configuration through Group Policy. This means changes you make in Group Policy, in turn, could change the maximum log size and which action to take when the maximum log size is reached. For more information about Group Policy, see Windows Server 2012 R2 Inside Out: Services, Security, & Infrastructure.

Accessing the event logs and viewing events

You can work with event logs in several ways. When you are working with Server Manager and select the Local Server node, the All Servers node, or a server group node, the right pane will have an Events panel. When you select the server you want to work with in the Servers panel, its events are listed in the Events panel, as shown in Figure 10-17. You can use this panel as follows:

  • For a server you are logged on to locally, you can use the Events panel in the Local Server node or the All Servers node to view recent warning and error events in the application and system logs.

  • Automatically created server group nodes are organized by server roles, such as Active Directory Domain Services (AD DS) or DNS, and you can view recent error and warning events in logs related to the server role if applicable. Not all roles have associated logs, but some roles, such as AD DS, have multiple associated logs.

  • For custom server groups that you or other administrators create, you can use the related Events panel to view recent warning and error events in the application and system logs.

A screen shot from Server Manager, showing events listed in the Events panel.

Figure 10-17. Track errors and warnings for servers that have been added for management in Server Manager.

When you want to review all tracked events, you use Event Viewer, shown in Figure 10-18. Event Viewer is available from the Tools menu in Server Manager as a preconfigured console of the same name or as a standard add-in for the Computer Management console. To open Computer Management and access its Event Viewer add-in, select Computer Management from the Tools menu in Server Manager and then select Event Viewer under System Tools.

Event Viewer has custom views and standard views of logs. By using the custom Administrative Events view, you can view all errors and warnings for all logs. By using your own custom views, you can create views to expose particular types and categories of events from any logs you want to track. You can also access event logs directly to view all the events they contain.

You can use the following techniques to work with logs and custom views:

  • To view all errors and warnings for all logs, expand Custom Views and then select Administrative Events. In the main pane, you should see a list of all warning and error events for the server.

  • To view all errors and warnings for a specific server role, expand Custom Views, expand Server Roles, and then select the role to view. In the main pane, you should see a list of all events for the selected role.

  • To view summary information for Windows logs, select the Windows Logs node. You then see a list of available logs by name and type along with the number of events and log size.

  • To view summary information for Applications and Services logs, select the Applications And Services Logs node. You then see a list of available logs by name and type along with the number of events and log size.

  • To view events in a specific log, expand the Windows Logs node, the Applications And Services Logs node, or both nodes. Select the log you want to view, such as Application or System.

A screen shot of the Event Viewer console, showing Windows Logs.

Figure 10-18. The main view in Event Viewer lists the available logs and shows their current size.

As Figure 10-19 shows, individual event entries provide an overview of the event that took place. Each event is recorded according to the date and time the event took place and by the event level. For all the logs except Security, the event levels are classified as Information, Warning, or Error. For the Security log, the event levels are classified as Audit Success or Audit Failure. These event levels have the following meanings:

  • Information. Generally relates to a successful action such as the success of a service starting up. If you configured Alert logging, the alerts are also recorded with this event type to show they’ve been triggered.

  • Warning. Describes events that aren’t critical but could be useful in preventing future system problems. Most warnings should be examined to determine whether a preventive measure should be taken.

  • Error. Indicates a noncritical error or significant problem occurred, such as the failure of a service to start. All errors should be examined to determine what corrective measure should be taken to prevent the error from recurring.

  • Critical. Indicates a critical error or highly significant problem occurred, such as the Cluster service shutting down because a quorum was lost. All critical errors should be examined to determine what corrective measure should be taken to prevent the critical error from recurring.

  • Audit Success. Describes an audited security event that completed as requested, such as when a user logs on or logs off successfully.

  • Audit Failure. Describes an audited security event that didn’t complete as requested, such as when a user tries to log on and fails. Audit failure events can be useful in tracking down security issues.

A screen shot of the Event Viewer console, showing logged events.

Figure 10-19. Events are logged according to the date and time they occurred and by type.

Note

Any attempt by users, services, or applications to perform a task for which they don’t have appropriate permissions can be recorded as an audit failure. If someone is trying to break into a system, you might see a large number of audit failure events. If a service or application doesn’t have the permissions it needs to perform certain tasks, you might also see a large number of audit failure events.

Other pertinent information recorded with an event includes the event source, event ID, task category, user, and computer. The Source column lists the application, service, or component that logged the event. The Task Category column details the category of the event and is sometimes used to describe the event further. The Event ID column provides an identifier for the specific event that occurred. You can sometimes look up events in the Microsoft Knowledge Base to get more detailed information.

When you select an event, Event Viewer shows additional details in the lower pane, including a general description of the event and other fields of information. The User field shows the name of the user who was logged on when the event occurred (if applicable). If a server process triggered the event, the user name usually is that of the special identity that caused the event. This includes the special identities Anonymous Logon, Local Service, Network Service, and System. Although events can have no user associated with them, they can also be associated with a specific user who was logged on at the time the event occurred.

The Computer field shows the name of the computer that caused the event to occur. Because you are working with a log from a particular computer, this is usually the account name of that computer. However, this is not always the case. Some events can be triggered because of other computers on the network. Some events triggered by the local machine are stored with the computer name as MACHINENAME. For some events, any binary data or error code generated by the event is available on the Details tab.

You can double-tap or double-click any event to open its Properties dialog box. (See Figure 10-20.) The Properties dialog box provides the information that is available in the details pane and a Copy button you can click to copy the event data to the Clipboard. Most of the event descriptions aren’t easy to understand, so if you need a little help deciphering the event, tap or click Copy. You can then paste the event description into an email message to another administrator.

A screen shot of an event’s Properties dialog box, showing event details.

Figure 10-20. Event details include a description of the event and, in some cases, binary data generated by the event.

Note

Within every event description is a Help And Support Center link that you can click. This link provides access to the Microsoft website, where you can query for any additional information that might be available on the event.

Viewing event logs on remote systems

You can use Event Viewer to view events on other computers on your network. Start Event Viewer, press and hold or right-click Event Viewer (Local) in the left pane, and then choose Connect To Another Computer. In the Select Computer dialog box, shown in Figure 10-21, type the domain name or Internet Protocol (IP) address of the computer for which you want to view the event log and then tap or click OK. Or you can tap or click Browse to search for the computer you want to use. If you need to specify logon credentials, select the Connect As Another User check box and then tap or click the Set User button. Afterward, type the user name and password to use for logon and then tap or click OK.

Note

Keep in mind that you must be logged on as an administrator or be a member of the Administrators group to view events on a remote computer. You must also configure Windows Firewall on the local computer to allow your outbound connection and on the remote computer to allow your inbound connection.

A screen shot of the Select Computer dialog box, showing a connection to a remote computer.

Figure 10-21. Connect to a remote computer.

Sorting, finding, and filtering events

Event Viewer provides several ways for you to organize and search for events in the logs. You can sort events based on date or other stored information. You can search a particular event log for specific events and view events one at a time. You can also filter events so that only the specific events you want to see are shown.

Sorting the event logs

By default, logs are sorted so that the newest events are listed first. If you’d rather see the oldest events first, you can do this by tapping or clicking View, pointing to Sort By, and then selecting Date And Time, or you can just tap or click the Date And Time column header. This change must be made for each log in which you want to see the oldest events first.

You can also sort events based on information in other columns. For example, if you wanted to sort the events based on the event level, you would tap or click the Level column header.

Searching the event logs

By using the Find feature, you can search for events within a selected log and view matching events one at a time. Say, for instance, a Microsoft Knowledge Base article says to look for an event with such and such an event source, and you want to search for it quickly. You can use the Find feature to do this.

To search, press and hold or right-click an event log and select Find. In the Find dialog box, type the search text to match and then tap or click Find Next. The first event that matches the search criteria is highlighted in the log. You can double-tap or double-click the event to get more detailed information or tap or click Find Next to find the next match.

Filtering the event logs

The Find option works well if you want to perform quick searches, such as for a single event of a specific type. If you want to perform an extended search, however, such as when you want to review all events of a particular type, there’s a better way to do it, and that’s to create a filtered view so that only the specific events you want to see are shown.

Windows creates several filtered views of the event logs for you automatically. In Event Viewer, filtered views are listed under the Custom Views node. When you select the Administrative Events node, you see a list of all errors and warnings for all logs. When you expand the Server Roles node and then select a role-specific view, you see a list of all events for the selected role.

You can create and work with filtered views in several ways:

  • Create a custom view by filtering the events in a specific log and save this filtered view for later use. Just press and hold or right-click the log and select Create Custom View. This opens the Create Custom View dialog box, as shown in Figure 10-22. Choose the filter options you want to use, as described in Table 10-3, and then tap or click OK. If you are trying to create a filter for more than 10 logs (and really want to do this), tap or click Yes when warned about the possible performance impact. In the Save Filter To Custom View dialog box, type a name and description for the view. Select where to save the custom view. By default, custom views are saved under the Custom view node. You can create a new node by tapping or clicking New Folder, entering the name of the new folder, and then tapping or clicking OK. Tap or click OK to close the Save Filter To Custom View dialog box.

    A screen shot of the Create Custom View dialog box, showing options on the Filter tab to create a custom view.

    Figure 10-22. Create a custom view for an event log.

  • Create a temporary view by filtering the events in a specific log. Just select the log and then press and hold or right-click and select Filter Current Log. This opens the Filter Current Log dialog box, as shown in Figure 10-23. Choose the filter options you want to use, as described in Table 10-3, and then tap or click OK. After you apply the filter, only events with the options you specify are displayed in the selected event log. For the rest of the current Event Viewer session, the filter is applied to the selected log, and you know this because the upper portion of the main pane shows you are working with a filtered log.

A screen shot of the Filter Current Log dialog box, showing options to create a temporary view.

Figure 10-23. Create a temporary view.

Table 10-3. Find and filter options for event logging

Option

Description

Computer

Includes all events associated with a particular computer. Usually, this is the name of the computer whose logs you are working with.

Event ID

Includes or excludes events with the event IDs you specify. Enter ID numbers or ID ranges separated by commas. To exclude an event, enter a minus sign before the event ID.

Event Level

Enables you to include or exclude events by level. The most important event levels are warnings, which indicate that something might pose a future problem and might need to be examined, and errors, which indicate a fatal error or significant problem occurred.

Event Sources

Includes events only from specified sources, such as an application, service, or component that logged the event.

Event Logs

Includes events only from specified logs. When working with a custom log view, the log you press and hold or right-click is selected automatically, and you can’t choose additional logs.

Logged

With filters, all events from the first to the last are displayed by default. You can choose to include events from the Last Hour, Last 12 Hours, Last 24 Hours, Last 7 Days, Last 30 Days, or a custom range.

Task Category

Includes events only within a given category. The categories available change based on the event source you choose.

User

Includes events associated with a particular user account that was logged on when the event was triggered. Server processes can log events with the special identities Anonymous Logon, Local Service, Network Service, and System. Not all events have a user associated with them.

You can apply a filter to a custom view as well. To filter a custom view, press and hold or right-click the view and then select Filter Current Custom View. Choose the filter options you want to use and then tap or click OK. For the rest of the current Event Viewer session, the filter is applied to the selected view, and you know this because the upper portion of the main pane shows you are working with a filtered view.

If you later want to clear a filter that is applied to a view or log, press and hold or right-click the log and select Clear Filter. Another option is to save the filtered view as a custom view so that you can access it the next time you open Event Viewer. To do this, press and hold or right-click the filtered log or custom view and select Save Filter To Custom View. Afterward, type a name and description for the view. Select where to save the custom view. By default, custom views are saved under the Custom view node. You can create a new node by tapping or clicking New Folder, entering the name of the new folder, and then tapping or clicking OK. Tap or click OK to close the Save Filter To Custom View dialog box.
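The filter options in Table 10-3 map almost one to one onto the hash table that the Get-WinEvent cmdlet accepts, which is useful when you want the same filtered view in a script rather than in the console. The function below is an added example, not code from the book; Get-FilteredEvents is a name chosen here, the level numbers are the Windows event level values (1 Critical, 2 Error, 3 Warning, 4 Information), and the event ID 1101 used in the usage line is only a sample value for illustration.

```powershell
# Added example (not from the book): Table 10-3 filter options expressed as
# a Get-WinEvent filter hash table.
function Get-FilteredEvents {
    param(
        [string]   $LogName    = 'System',
        [int[]]    $Ids        = @(),              # Event ID: include list or range
        [int[]]    $ExcludeIds = @(),              # Event ID with a leading minus sign
        [int[]]    $Levels     = @(1, 2, 3),       # Event Level: Critical, Error, Warning
        [string]   $Source     = '',               # Event Sources (provider name)
        [timespan] $Logged     = [timespan]::FromHours(24),   # Logged: last 24 hours
        [int]      $Max        = 200
    )
    # Only add keys the caller set: an empty ID or ProviderName key makes
    # Get-WinEvent return nothing at all.
    $filter = @{
        LogName   = $LogName
        Level     = $Levels
        StartTime = (Get-Date) - $Logged
    }
    if ($Ids.Count)  { $filter['ID'] = $Ids }
    if ($Source)     { $filter['ProviderName'] = $Source }

    # -ErrorAction SilentlyContinue hides the "No events were found" error
    # that Get-WinEvent raises for an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $ExcludeIds -notcontains $_.Id } |     # the "-ID" exclusion
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# Errors and warnings from the System log in the last 24 hours, with a
# single (sample) event ID excluded. An ID range such as 1000-1099 is
# written as (1000..1099) in PowerShell.
Get-FilteredEvents -LogName System -ExcludeIds 1101 | Format-Table -AutoSize
Get-FilteredEvents -LogName Application -Ids (1000..1099) -Levels 2 -Logged ([timespan]::FromDays(7))
```

The hash table filters on the server side, so it is considerably faster than piping every event through Where-Object; the exclusion is the one option Table 10-3 offers that the hash table cannot express, which is why it is applied afterwards.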

Archiving event logs

In most cases, you want to have several months’ worth of log data available in case you must go back through the logs to troubleshoot a problem. One way to do this, of course, is to set the log size so that it is large enough to accommodate this. However, this usually isn’t practical because individual logs can grow quite large. So, as part of your routine, you might want to archive the log files on critical systems periodically, such as for domain controllers or application servers.

To archive logs automatically, press and hold or right-click the log and select Properties. In the Properties dialog box, select Archive The Log When Full, Do Not Overwrite Events. To create a log archive manually, press and hold or right-click the log in the left pane of Event Viewer and then select Save All Events As. In the Save As dialog box, select a directory and a log file name. Event Log (*.evtx) is the default file type. This saves the file in event log format for access in Event Viewer, but it can be used only when saving logs from the local computer. You can also select .txt to save the log in tab-delimited text format, such as for accessing it in a text editor. For importing the log data into a spreadsheet or database, select .csv to save the log in comma-delimited text format. Select .xml to save the log in Extensible Markup Language (XML) format. After you select a log format, tap or click Save.
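The same export formats are available from the command line, which is the practical way to archive logs on a schedule. The block below is an added example, not code from the book; the archive folder C:\LogArchive and the file naming are assumptions, and it relies on the wevtutil epl command and the Export-Csv and Get-WinEvent cmdlets.

```powershell
# Added example (not from the book): archive a log in the formats the
# Save All Events As dialog offers, then verify the archive is readable.
$archive = 'C:\LogArchive'          # assumed location
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# .evtx: native format, reopens in Event Viewer (Open Saved Log) or with
# Get-WinEvent -Path. wevtutil epl exports the entire live log.
$evtx = Join-Path $archive "Security-$stamp.evtx"
wevtutil epl Security $evtx

# .csv: one row per event for a spreadsheet or database. Export-Csv writes
# a header row; -NoTypeInformation drops the #TYPE line that spreadsheet
# imports stumble over.
Get-EventLog -LogName Application |
    Select-Object TimeGenerated, EntryType, Source, EventID, Message |
    Export-Csv -Path (Join-Path $archive "Application-$stamp.csv") -NoTypeInformation -Encoding UTF8

# Verify before relying on the archive: an .evtx that cannot be read back,
# or that holds no events, is not a usable backup.
$first = Get-WinEvent -Path $evtx -MaxEvents 1 -ErrorAction SilentlyContinue
if ($first) {
    "Archived $evtx; newest event $($first.TimeCreated)"
} else {
    Write-Warning "Security archive $evtx is empty or unreadable"
}
```

The .evtx export keeps the event XML and binary data intact, so it is the format to use for anything you might later need as evidence; the .csv export is convenient for reporting but keeps only the columns you select.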

Logs saved in Event Log format (.evtx) can be reopened in Event Viewer at any time. To do this, press and hold or right-click the Event Viewer node in the left pane of Event Viewer and choose Open Saved Log. Use the Open Saved Log dialog box to select a directory and a log file. By default, the Event Log Files format is selected in the File Name list. This ensures that logs saved as .evtx, .evt, and .etl are listed. You can also filter the list by selecting a specific file type. When you tap or click Open, Windows opens the Open Saved Log dialog box. Type a name and description for the saved log. Select where to open the log in Event Viewer. By default, saved logs are listed under Saved Logs. You can create a new node by tapping or clicking New Folder, entering the name of the new folder, and then tapping or clicking OK. Tap or click Open to close the Open Saved Log dialog box. Windows loads the saved event log into Event Viewer and adds a related entry to the list of available logs in the left pane, as shown in Figure 10-24.

A screen shot of the Event Viewer console, showing archived logs.

Figure 10-24. Archived logs can be reopened in Event Viewer.

If you later want to remove the saved log from Event Viewer, press and hold or right-click the log and select Delete. When prompted to confirm, tap or click Yes. The saved log file still exists in its original location on the hard disk but no longer is displayed in Event Viewer.

Tracking events using Windows PowerShell

When you are working with a specific system or trying to track down issues, Event Viewer is an excellent tool to use and should be your tool of choice. As you’ve seen, Event Viewer can also be used to access logs on remote systems. No single command-line tool included with Windows Server 2012 R2 provides the same level of functionality, although the Windows PowerShell cmdlet get-eventlog does come close. You can use get-eventlog to obtain detailed information from the event logs.

Because get-eventlog is a text-based rather than a graphical utility, it will, in most cases, use fewer system resources than Event Viewer. On systems for which you are very concerned about resource usage and the possibility of bogging down a system through your interactive logon, you might initially want to track events by using get-eventlog.

As Figure 10-25 shows, the standard output of get-eventlog provides the essential information about events. To run get-eventlog, access a Windows PowerShell prompt and then type get-eventlog followed by the name of the event log you want to examine, such as application. If the log name contains spaces, you must enclose the log name in quotation marks, such as get-eventlog "directory service".

A screen shot of the Windows PowerShell console by using the get-eventlog command.

Figure 10-25. Use get-eventlog to work with event logs at the command line.

Any Windows log or Applications And Services log that you can work with in Event Viewer is accessible at the command line. When you follow get-eventlog with the log name, the -logname parameter is implied. You can also specify the -logname parameter directly, as shown in this example:

get-eventlog -logname security

By default, get-eventlog returns every event in the specified event log from the newest to the oldest. In most cases, this is simply too much information, and you need to filter the events to get a usable amount of data. One way to filter the event log is to specify that you want to see details about only the newest events. For example, you might want to see only the 50 or 500 newest events in a log.

By using the -newest parameter, you can return only the newest events. The following example lists the 50 newest events in the security log:

get-eventlog security -newest 50

As shown in Figure 10-25, get-eventlog displays several properties in column format, including Index, TimeGenerated (listed with the column heading Time), Source, InstanceID, EntryType (listed with the column heading Type), and Message. To help make sense of the logs, you might want to group events by type, source, or event ID. When you group events by type, you can more easily separate informational events from critical, warning, and error events. When you group by source, you can more easily track events from specific sources. When you group by event ID, you can more easily correlate the recurrence of specific events.

You can group events by source, eventid, entrytype, and timegenerated, using the following technique:

  1. Get the events you want to work with and store them in the $e variable by entering:

    $e = get-eventlog -newest 500 -logname application

  2. Use the group-object cmdlet to group the event objects stored in $e by a specified property. In this example, you group by eventid:

    $e | group-object -property eventid

Another way to work with events is to sort them according to a specific property. You can sort by source, eventid, entrytype, or timegenerated, using the following technique:

  1. Get the events you want to work with and store them in the $e variable by entering:

    $e = get-eventlog -newest 100 -logname application

  2. Use the sort-object cmdlet to sort the event objects stored in $e by a specified property. In this example, you sort by entrytype:

    $e | sort-object -property entrytype

Finally, you might also want to match specific text in a specified property. For example, you might want to return only error events. To do this, you would search the EntryType property for occurrences of the word error. Here is an example:

  1. Get the events you want to work with and store them in the $e variable by entering:

    $e = get-eventlog -newest 500 -logname application

  2. Use the where-object cmdlet to search for specific text in a named property of the event objects stored in $e. In this example, you match events with the error entry type:

    $e | where-object {$_.EntryType -match "error"}

The where-object cmdlet uses a search algorithm that is not case sensitive, meaning you could enter Error, error, or ERROR to match error events. You can also search for warning, critical, and information events. Because where-object considers partial text matches valid, you don't need to enter the full event type. You could also search for info, crit, or warn, as shown here:

$e = get-eventlog -newest 500 -logname application
$e | where-object {$_.EntryType -match "warn"}

You can also use where-object with other event object properties. The following example searches for event sources containing the text .NET:

$e = get-eventlog -newest 500 -logname application
$e | where-object {$_.Source -match ".NET"}

The following example searches for event ID 1101:

$e = get-eventlog -newest 500 -logname application
$e | where-object {$_.EventID -eq 1101}
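The grouping, sorting and matching steps above combine naturally into a single report that answers the questions an administrator actually asks of the logs: which sources are producing errors, and whether audit failures in the Security log are climbing. The script below is an added example, not code from the book; it uses only Get-EventLog, Group-Object, Sort-Object and Where-Object with the property names those cmdlets return, and the event ID 1101 in the last line is the sample value used in the text.

```powershell
# Added example (not from the book): a summary report built from the
# get-eventlog techniques described above.

# Newest 500 application events, split by entry type.
$e = Get-EventLog -LogName Application -Newest 500

"== Application events by type =="
$e | Group-Object -Property EntryType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# -EntryType filters before the events reach the pipeline and is exact,
# unlike -match "error" on the text, which also matches any type whose
# name merely contains that word.
"== Error sources (newest 500) =="
Get-EventLog -LogName Application -Newest 500 -EntryType Error |
    Group-Object -Property Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Security log: audit failures per event ID. Reading it needs the Manage
# Auditing And Security Log right, which administrators hold by default.
# A sudden jump in these counts is the symptom described earlier for a
# misconfigured service or for someone probing the system.
"== Audit failures (newest 1000 security events) =="
Get-EventLog -LogName Security -Newest 1000 -EntryType FailureAudit |
    Group-Object -Property EventID | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventID'; e = { $_.Name } } | Format-Table -AutoSize

# Match an event ID with -eq on the EventID property: -match "1101" would
# also hit 11010 or 21101, and Source holds the provider name, not the ID.
"== Newest events with ID 1101 =="
$e | Where-Object { $_.EventID -eq 1101 } |
    Select-Object -First 5 TimeGenerated, EntryType, Source, Message
```

Run it on a schedule and keep the output, and the audit failure table becomes a simple baseline: the first report from a healthy server tells you which counts are normal for it.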

Using subscriptions and forwarded events

In an enterprise, you might also want servers to forward specific events to central event-logging servers. To do this, you configure and enable event forwarding on the applicable servers, and then you create subscriptions to the forwarded events on your central event-logging server or servers.

In a domain, you can configure forwarding and collection of forwarded events by following these steps:

  1. To configure forwarding, log on to all source computers and type winrm quickconfig at an elevated command prompt. This creates a WinRM listener on HTTP://* to accept WS-Man requests to any IP address on the source computer. When prompted to confirm, press Y.

  2. To configure collection, type wecutil qc at an elevated command prompt and then press Y when prompted. This starts the Windows Event Collector Service and configures this service to use the delayed-start mode.

  3. Add the computer account of the collector computer to the local Administrators group on each of the source computers. In Local Users And Computers, press and hold or right-click Administrators and select Add To Group. In the Properties dialog box, tap or click Add. In the Select Users, Computers, Or Groups dialog box, tap or click Object Types. In the Object Types dialog box, select Computers and then tap or click OK. In the Select Users, Computers, Or Groups dialog box, type the account name of the collector computer and then tap or click OK twice. Repeat this process as necessary.

You can create a subscription on the central logging server to collect forwarded events by following these steps:

  1. Open Event Viewer and connect to the central event-logging server. Afterward, press and hold or right-click the Subscriptions node and select Create Subscription.

  2. In the Subscription Properties dialog box, shown in Figure 10-26, type a name for the subscription, such as All File Servers. Optionally, enter a description.

    A screen shot of the Subscription Properties dialog box, showing options to create a subscription to collect forwarded events.

    Figure 10-26. Create a subscription to collect forwarded events.

  3. The Forwarded Events log is selected as the destination log by default. Generally, this is the log you’ll want to use.

  4. Collector-initiated event forwarding is the easiest to configure and is the default setting. To specify the computers that forward events to the server, tap or click Select Computers. In the Computers dialog box, tap or click Add Domain Computers. In the Select Computer dialog box, type the account name of a computer that is forwarding events and then tap or click OK twice. Repeat this process as necessary.

  5. Tap or click Select Events. In the Query Filter dialog box, select the filter options and logs to use and then tap or click OK.

If you added the computer account of the collector computer to the local Administrators group on each of the source computers, you can use this machine account to collect events. Alternatively, you can use the permissions of a specific user account by doing the following:

  1. Tap or click Advanced. In the Advanced Subscription Settings dialog box, select Specific User and then tap or click User And Password, as shown in Figure 10-27.

  2. Use the dialog box provided to enter the credentials for an account that has read access to the source logs on the source computers. Click OK to close the Credentials dialog box.

  3. Optionally, optimize event delivery to minimize bandwidth usage or to minimize latency.

  4. Optionally, set the transfer protocol and port. With HTTP, which is not secure, the default port is 5985. With HTTPS, which is secure, the default port is 5986.

  5. Click OK to close the Advanced Subscription Settings dialog box.

    A screen shot of the Advanced Subscription Settings dialog box with Specific User selected.

    Figure 10-27. Configure a specific user for collection.

  6. Tap or click OK to create the subscription. Now when you access the destination log, you see the forwarded events.
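When a subscription stays empty, the cause is almost always one of the prerequisites in the steps above: the collector service is not running, a source does not answer WS-Man, or the account the collector uses cannot read the source logs. The script below is an added example, not code from the book, to be run on the collector; the source computer names FS01 and FS02 are constructed sample values, and it relies on the Wecsvc service, the Test-WSMan cmdlet and the wecutil es and wecutil gr commands. The built-in Event Log Readers group exists to grant read access to logs, so an account that only needs to collect can usually be placed there instead of in Administrators; whether that suffices for every log on a given source is something the wecutil gr output below will tell you.

```powershell
# Added example (not from the book): check the prerequisites of
# collector-initiated event forwarding from the collector computer.
$sources = 'FS01', 'FS02'          # constructed sample source names

# 1. The Windows Event Collector service that wecutil qc enabled. StartMode
#    comes from WMI because the book's platform predates Get-Service's
#    StartType property.
$svc   = Get-Service -Name Wecsvc
$start = (Get-WmiObject -Class Win32_Service -Filter "Name='Wecsvc'").StartMode
"Wecsvc: $($svc.Status), start mode $start"

# 2. Each source answers WS-Man on the listener winrm quickconfig created.
#    Test-WSMan talks to HTTP port 5985; add -UseSSL for the HTTPS listener
#    on port 5986.
foreach ($s in $sources) {
    try {
        $null = Test-WSMan -ComputerName $s -ErrorAction Stop
        "$s : WinRM reachable"
    } catch {
        "$s : WinRM NOT reachable - $($_.Exception.Message)"
    }
}

# 3. Subscription state as the collector sees it. wecutil es lists the
#    subscriptions; wecutil gr prints the runtime status of every source,
#    including the last error, which is where an account without read
#    access to the source log shows up.
$subs = @(wecutil es)
if (-not $subs) { Write-Warning 'No subscriptions are defined on this collector' }
foreach ($name in $subs) {
    "== $name =="
    wecutil gr $name
}
```

Check the Forwarded Events log on the collector after the first delivery interval; a source listed as Active by wecutil gr but absent from the log usually means the query filter chosen in Select Events matches nothing on that source.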
