
Monitoring and Diagnostics Tools

This section covers:

  • Event Viewer

  • Network Monitor

  • Monitoring performance

  • Disk Defragmenter

On This Page

  • Event Viewer
    • How To...
    • Concepts
    • Troubleshooting
  • Network Monitor
    • Checklist: Monitoring your Network
    • New Ways to do Familiar Tasks
    • Best Practices
    • How To...
    • Concepts
    • Troubleshooting
  • Monitoring Performance
    • Checklist: Monitoring Performance
    • New Ways to do Familiar Tasks
    • Best Practices
    • How To...
    • Concepts
    • Troubleshooting
  • Disk Defragmenter
    • Checklist: Defragmenting Disks
    • Best Practices
    • How To...
    • Concepts
    • Troubleshooting

Event Viewer

Event Viewer allows users to monitor events recorded in the Application, Security, and System logs:

  • For help with specific tasks, see How to

  • For general background information, see Concepts

  • For problem-solving instructions, see Troubleshooting

How To...

  • View event logs

  • Manage event logs

  • Customize event logs

  • Use the security log

View event logs

  • Refresh an event log

  • View more details about an event

  • Add another view of an event log

  • Search for specific events

  • Select another computer

To refresh an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to refresh.

  3. On the Action menu, click Refresh.

Notes:

  • You must be logged on as an administrator or as a member of the Administrators group to refresh the security log.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • The Refresh command is not available for archived logs because those files can no longer be updated.

  • When you open a log, Event Viewer displays the current information for the log. While you view the log, the information is not updated unless you refresh it. If you switch to another log and then return to the first log, the first log is automatically refreshed.

To view more details about an event

  1. Open Event Viewer.

  2. In the console tree, click the log you want.

  3. In the details pane, click the event you want.

  4. On the Action menu, click Properties.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • To view binary data as characters, in the Data box, click Bytes. To view binary data as DWORDS, click Words.

  • To view details about the previous or next event, click the up or down arrow. To copy the details of an event, click Copy.

  • Not all events generate binary data. Binary data can be interpreted by an experienced programmer or a support technician familiar with the source application.

  • To retain the event description in binary data form, archive logs in the log file format (*.evt). Saving logs in text format (*.txt) or comma-delimited text format (*.csv) discards the binary data.

To add another view of an event log

  1. Open Event Viewer.

  2. In the console tree, click the log for which you want to add another view.

  3. On the Action menu, click New Log View.

  4. On the Action menu, click Rename.

  5. Type the name as you want it to appear in the console tree and press ENTER.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • Log views added to the console tree can be managed and customized in the same way as the default logs.

To search for specific types of events

  1. Open Event Viewer.

  2. In the console tree, click the log you want to search.

  3. On the View menu, click Find.

  4. Under Types, click the types of events you want to find.

  5. In Event source, Category, Event ID, User, Computer, or Description, specify additional information about the event or events you want to find.

  6. Click Find Next.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • In Description, you can type any text that matches a portion of an event record description. For more information about the other fields, right-click the name of the field, and then click What's This?.

  • To restore the default search criteria, click Restore Defaults before clicking Find Next.

  • Your search parameters remain in Find throughout the current session. The default settings are restored the next time you start Event Viewer.

  • If you are looking for groups of events instead of a small number of individual events, you can also filter the log.

To select another computer

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the Console menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. Click Event Viewer, and then click Add.

  5. Click Another computer, and then enter the path and name of the computer, for example, \\domainname\computername.

  6. Click Finish, click Close, and then click OK.

Notes:

  • If step 1 does not open a Microsoft Management Console (MMC) window, then MMC may not be available on your computer. If an MMC window opens but the Console menu or the Add/Remove Snap-In command is not available, then MMC is running in User mode and snap-ins cannot be added or removed.

  • The other computer can be a workstation running Windows 2000 Professional or Windows NT Workstation, a server or domain controller running Windows 2000 Server or Windows NT Server, or a LAN Manager 2.x server.

  • If the new computer requires a low-speed connection, right-click the log you want to view, and then click Properties. On the General tab, click Low speed connection.

Manage event logs

  • Clear an event log

  • Archive an event log

  • Open an archived event log

  • Free an event log when it is full

To clear an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to clear.

  3. On the Action menu, click Clear all Events.

  4. Click Yes to save the log before clearing it.

    Click No to permanently discard the current event records and start recording new events.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group to clear an event log.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • After you clear a log, only new events will appear in the log.

  • If you select Do not overwrite events (clear log manually) in the Properties dialog box of an active log, you must periodically clear the log either when the log reaches a certain size or when a message notifies you that the log is full.

  • You cannot clear archived logs; instead, delete the archived log file.

To archive an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to archive.

  3. On the Action menu, click Save Log File As.

  4. In File name, enter a name for the archived log file.

  5. In Save as type, click a file format, and then click Save.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • If you archive a log in log-file format, you can reopen it in Event Viewer. Logs saved as event log files (*.evt) retain the binary data for each event recorded.

  • If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data.

  • When you archive a log file, the entire log is saved, regardless of filtering options.

  • The sort order is not retained when logs are saved.

  • Archiving has no effect on the current contents of the active log. To clear the log, click Action, and then click Clear all Events.

To open an archived event log

  1. Open Event Viewer.

  2. On the Action menu, click Open Log File.

  3. Click the file you want to open. You may need to search for the drive or folder that contains the document.

  4. In Log type, select the type of log to be opened.

  5. In Display name, enter the name as you want it to appear in the console tree, and then click Open.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • You can view an archived file in Event Viewer only if the log is saved in log file format (*.evt).

  • You cannot click Refresh or Clear all Events to update the display or to clear an archived log.

  • To remove an archived log file from your system, delete the file in Windows Explorer.

To free an event log when it is full

  1. Open Event Viewer.

  2. In the console tree, click the log you want to free.

  3. On the Action menu, click Clear all Events.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group to free an event log.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • When a log is full, it stops recording new events. Clearing the log is one way to free the log and start recording new events.

  • You can also free a log and start recording new events by overwriting events. To overwrite events, on the Action menu, click Properties, and then click Overwrite events as needed. This ensures that all new events are written to the log, even when the log is full.

  • You can also start logging new events by increasing the maximum log size. To increase the log size, on the Action menu, click Properties, and then increase the Maximum log size.

Customize event logs

  • Specify a sort order in an event log

  • Filter events in an event log

  • Set event logging options

  • Reset an event log to default settings

  • Change the event log size

To specify a sort order in an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to sort.

  3. Click the column heading you want to sort by.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • To reverse the sort order, click the column heading a second time.

  • To sort chronologically, on the View menu, click Newest First or Oldest First. The default is Newest First.

  • When a log is archived, the sort order is not saved.

To filter events in an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to filter.

  3. On the View menu, click Filter.

  4. On the Filter tab, specify the characteristics you want.

Notes:

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • To return to the default criteria, click Restore Defaults.

  • To turn off event filtering, on the View menu click All Records.

To set event logging options

  1. Open Event Viewer.

  2. In the console tree, click the log you want to set options for.

  3. On the Action menu, click Properties.

  4. On the General tab, specify the options you want.

Notes:

  • You must be logged on as administrator or as a member of the Administrators group in order to complete this procedure.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • To restore the default settings, click Restore Defaults.

  • To clear the log, click Clear Log.

    Under Log size, select one of these options:

    • If you do not want to archive this log, click Overwrite events as needed.

    • If you want to archive the log at scheduled intervals, click Overwrite events older than and specify the appropriate number of days. Be sure that the Maximum log size is large enough to accommodate the interval.

    • If you must retain all the events in the log, click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. When the maximum log size is reached, new events will be discarded.

To reset an event log to default settings

  1. Open Event Viewer.

  2. In the console tree, click the log you want to reset.

  3. On the Action menu, click Properties.

  4. On the General tab, click Default.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group to reset an event log to the default settings.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

To reduce the size of an event log

  1. Open Event Viewer.

  2. In the console tree, click the log you want to change.

  3. On the Action menu, click Properties.

  4. On the General tab, in Maximum log size, specify the new log size in kilobytes.

  5. To put the new setting in effect, click Clear Log.

    If you want to retain the information currently in the log, click Yes when a message appears, asking if you want to save the original log before clearing it, and then click OK.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group to change the size of an event log.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

Use the security log

This section covers:

  • Turn on security logging

  • Turn on security logging for a domain controller

  • Set up auditing of files and folders

  • Specify files and folders to audit

  • Halt the computer when the security log is full

To turn on security logging

  1. Click Start, click Run, type mmc /a, and then click OK.

  2. On the Console menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, click Group Policy, and then click Add.

  4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.

  5. In Local Computer Policy, click Audit Policy. Where?

    Local Computer Policy
      Computer Configuration
        Windows Settings
          Security Settings
            Local Policies
              Audit Policy

  6. In the details pane, click the attribute or event you want to audit.

  7. Click Action, and then click Security.

  8. In Local Security Policy Setting, click the options you want, and then click OK.

  9. Repeat steps 6, 7, and 8 for other events you want to audit.

Notes:

  • You must be logged on as an administrator or as a member of the Administrators group to turn on security logging. Group Policy is available only to administrators.

  • If you have previously saved a console with Group Policy, you can open the saved console and go to step 5.

  • If your computer is connected to a network, security logging may be restricted or disabled by network policy.

  • The security log is limited in size, so carefully select the events to be audited and consider the amount of disk space you are willing to devote to the security log.

  • This procedure applies to Windows 2000 Professional computers, as well as Windows 2000 Server computers running as stand-alone servers or member servers.

  • If security auditing has been enabled on a remote machine, you can view the event logs remotely with Event Viewer. Open an MMC console in author mode, and add Event Viewer to the console. When prompted to specify which computer the snap-in will manage, click Another computer and enter the name of the remote computer.

  • Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain administrators. To do that, create an Organizational Unit (OU), add the desired machine account(s) to the OU, and then, using Active Directory Users and Computers, create a policy to enable security auditing.

To turn on security logging for a domain controller

  1. Open Active Directory Users and Computers.

  2. In the console tree, click Domain Controllers. Where?

    Active Directory Users and Computers
      domain name
        Domain Controllers

  3. Click Action, and then click Properties.

  4. On the Group Policy tab, click the policy you want to change, and then click Edit.

  5. In the Group Policy window, in the console tree, click Audit Policy. Where?

    Computer Configuration
      Windows Settings
        Security Settings
          Local Policies
            Audit Policy

  6. In the details pane, click the attribute or event you want to audit.

  7. Click Action, and then click Security.

  8. In Security policy settings, click the options you want.

  9. Repeat steps 3 and 4 for other events you want to audit.

Notes:

  • To open Active Directory Users and Computers, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  • The security log is limited in size. Select the events to be audited carefully and consider the amount of disk space you are willing to devote to the security log.

  • If security auditing has been enabled on a remote machine, you can view the event logs remotely with Event Viewer. Open an MMC console in author mode, and add Event Viewer to the console. When prompted to specify which computer the snap-in will manage, click Another computer and enter the name of the remote computer.

  • Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain administrators. To do that, create an Organizational Unit (OU), add the desired machine account(s) to the OU, and then, using Active Directory Users and Computers, create a policy to enable security auditing.

To set up auditing of files and folders

  1. Click Start, click Run, type mmc /a, and then click OK.

  2. On the Console menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, click Group Policy, and then click Add.

  4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.

  5. In Local Computer Policy, click Audit Policy. Where?

    Local Computer Policy
      Computer Configuration
        Windows Settings
          Security Settings
            Local Policies
              Audit Policy

  6. In the details pane, right-click Audit Object Access, and then click Security.

  7. In Local Security Policy Setting, click the options you want, and then click OK.

Notes:

  • You must be logged on as an administrator or as a member of the Administrators group to set up auditing of files and folders. Group Policy is available only to administrators.

  • If you have previously saved a console with Group Policy, you can open the saved console and go to step 5.

  • After you enable auditing of files and folders, you must specify which files and folders to audit.

To specify files and folders to audit

  1. In Windows Explorer, right-click the file or folder you want to audit, and then click Properties.

  2. On the Security tab, click Advanced.

  3. On the Auditing tab, click Add.

  4. In the Select User, Computer, or Group dialog box, click the name of the user or group whose actions you want to audit, and then click OK.

  5. In the Auditing Entry dialog box, in Access, click Successful, Failed, or both for the actions you want to be audited, and then click OK.

Notes:

  • You must log on as an administrator or as a member of the Administrators group to specify files and folders to audit. Otherwise, in step 2, the Security tab will not appear or will appear in read-only form.

  • The Security tab is available only for files and folders on NTFS volumes.

  • Before you can specify files and folders to audit, you must use Group Policy to enable auditing.

To halt the computer when the security log is full

  1. Open Event Viewer.

  2. In the console tree, right-click Security Log, and then click Properties.

  3. On the General tab, click either Overwrite events older than n days or Do not overwrite events (clear log manually).

  4. Use Registry Editor to create or assign the following registry key value:

    Hive: HKEY_LOCAL_MACHINE\SYSTEM
    Key: \CurrentControlSet\Control\Lsa
    Name: CrashOnAuditFail
    Type: REG_DWORD
    Value: 1

  5. Restart the computer.

Caution: Incorrectly editing the registry may severely damage your system. At the very least, you should back up any valuable data on the computer before making changes to the registry.

Important: After this procedure is completed, when the security log becomes full, Windows 2000 will stop responding and will display the message "Audit Failed." To recover when Windows 2000 stops, the security log must be cleared.

Notes:

  • You must be logged on as administrator or as a member of the Administrators group in order to complete this procedure.

  • To open Event Viewer, click Start, point to Settings, and click Control Panel. Double-click Administrative Tools, and then double-click Event Viewer.

  • If Windows 2000 halts as a result of a full security log, the system must be restarted and you must repeat this procedure if you want a full log to stop the computer in the future.

  • To start Registry Editor, click Start, click Run, type regedit, and then click OK. For more information about Registry Editor, on the Registry Editor Help menu, click Help Topics.
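The three Log size options on the General tab (Overwrite events as needed, Overwrite events older than n days, Do not overwrite events) and the CrashOnAuditFail halt described above decide what happens to an event when the log is full. The model below, an added example that is not part of this help page, writes one constructed event per day into a log that holds only three records and tallies which events are kept, discarded, or never recorded because the system halted; byte sizes, dates and the seven-day interval are constructed values.

```python
"""Model of the Event Viewer Log size options and the CrashOnAuditFail halt.
Added example, not part of the original help page; record sizes and
timestamps are constructed, and the log size is counted in bytes rather
than the kilobytes of the Maximum log size box."""
from collections import Counter, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OVERWRITE_AS_NEEDED = "Overwrite events as needed"
OVERWRITE_OLDER_THAN = "Overwrite events older than"
DO_NOT_OVERWRITE = "Do not overwrite events (clear log manually)"


@dataclass
class Event:
    time: datetime
    size: int           # bytes this record occupies (constructed)
    description: str


@dataclass
class EventLog:
    max_size: int                      # maximum log size, in bytes here
    policy: str
    older_than_days: int = 7           # the "n days" of Overwrite events older than
    crash_on_audit_fail: bool = False  # CrashOnAuditFail = 1 on the security log
    records: deque = field(default_factory=deque)
    halted: bool = False

    def used(self) -> int:
        return sum(e.size for e in self.records)

    def write(self, event: Event) -> str:
        """Record one event; returns 'written', 'discarded' or 'halted'."""
        if self.halted:
            # A halted system records nothing until the log is cleared.
            return "halted"
        # Make room by overwriting the oldest records, but only as far as the
        # policy allows: the "older than" policy keeps records inside the interval.
        while self.records and self.used() + event.size > self.max_size:
            oldest = self.records[0]
            if self.policy == OVERWRITE_AS_NEEDED:
                self.records.popleft()
            elif (self.policy == OVERWRITE_OLDER_THAN and
                  event.time - oldest.time > timedelta(days=self.older_than_days)):
                self.records.popleft()
            else:
                break
        if self.used() + event.size > self.max_size:
            # Log is full and nothing may be overwritten: the new event is lost.
            if self.crash_on_audit_fail:
                self.halted = True
                return "halted"
            return "discarded"
        self.records.append(event)
        return "written"

    def clear(self) -> None:
        """Clear all Events: drops the records and lets a halted log resume."""
        self.records.clear()
        self.halted = False


def run_scenario(policy: str, days: int = 10, max_size: int = 300,
                 record_size: int = 100, crash_on_audit_fail: bool = False):
    """Write one constructed event per day and tally the outcomes.
    Returns (outcome counts, list of the days whose events are retained)."""
    log = EventLog(max_size=max_size, policy=policy,
                   crash_on_audit_fail=crash_on_audit_fail)
    start = datetime(2001, 3, 1)
    outcomes = Counter()
    for day in range(days):
        event = Event(start + timedelta(days=day), record_size, f"day {day}")
        outcomes[log.write(event)] += 1
    retained = [int(e.description.split()[1]) for e in log.records]
    return dict(outcomes), retained


if __name__ == "__main__":
    # With a 3-record log and a 7-day interval, "Overwrite events older than"
    # silently drops days 3 to 7: the Maximum log size is too small for the interval.
    for policy in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        print(policy, run_scenario(policy))
    print("CrashOnAuditFail", run_scenario(DO_NOT_OVERWRITE, crash_on_audit_fail=True))
```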

Concepts

This section provides general background information about Event Viewer:

  • Using Event Viewer

  • Interpreting an event

  • Viewing and archiving log files

  • Monitoring security events

Event Viewer overview

Using the event logs in Event Viewer, you can gather information about hardware, software, and system problems, and you can monitor Windows 2000 security events.

Windows 2000 records events in three kinds of logs:

Application log

The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. The program developer decides which events to record.

System log

The system log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows 2000.

Security log

The security log can record security events such as valid and invalid logon attempts as well as events related to resource use such as creating, opening, or deleting files. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.

Event Viewer displays these types of events:

Error

A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.

Warning

An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.

Information

An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.

Success Audit

An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.

Failure Audit

An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

The EventLog service starts automatically when you start Windows 2000. All users can view application and system logs. Only administrators can gain access to security logs.

By default, security logging is turned off. You can use Group Policy to enable security logging. The administrator can also set auditing policies in the registry that cause the system to halt when the security log is full.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

Using Event Viewer

Using Event Viewer and event logs, you can gather information about hardware, software, and system problems and monitor Windows 2000 security events.

Windows 2000 records events in three kinds of logs:

Application log

The application log contains events logged by programs. For example, a database program might record a file error in the application log. Program developers decide which events to record.

Security log

The security log contains valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you have enabled logon and logoff auditing, attempts to log on to the system are recorded in the security log.

System log

The system log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows 2000.

Notes:

  • The EventLog service starts automatically when you start Windows 2000.

  • Application and system logs can be viewed by all users. Security logs are accessible only to system administrators.

  • By default, security logging is turned off. To enable security logging, use Group Policy to set the Audit policy. The administrator can also set auditing policies in the registry that cause the system to halt when the security log is full.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

Interpreting an event

This section covers:

  • The event header

  • The event description

The event header

The event header contains the following information, listed with the meaning of each item:

Date

The date the event occurred.

Time

The local time the event occurred.

User

The user name of the user on whose behalf the event occurred. This name is the client ID if the event was actually caused by a server process, or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs. (Impersonation occurs when Windows 2000 allows one process to take on the security attributes of another.)

Computer

The name of the computer where the event occurred. The computer name is usually your own, unless you are viewing an event log on another Windows 2000 computer.

Event ID

A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.

Source

The software that logged the event, which can be either a program name, such as "SQL Server," or a component of the system or of a large program, such as a driver name. For example, "Elnkii" indicates an EtherLink II driver.

Type

A classification of the event severity: Error, Information, or Warning in the system and application logs; Success Audit or Failure Audit in the security log. In Event Viewer's normal list view, these are represented by a symbol.

Category

A classification of the event by the event source. This information is primarily used in the security log. For example, for security audits, this corresponds to one of the event types for which success or failure auditing can be enabled in Group Policy.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

The event description

The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.

The event logs record five types of events, described below:

Error

A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.

Warning

An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.

Information

An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.

Success Audit

An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.

Failure Audit

An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

Notes:

  • If used, the optional data field contains binary data, which can be displayed in bytes or words. This information is generated by the program that was the source of the event record. The data appears in hexadecimal format. Its meaning can be interpreted by a support technician familiar with the source program.

  • When viewing an application or system log on a LAN Manager 2.x server, only the date, time, source, and event ID are shown. When viewing a security log on a LAN Manager 2.x server, only the date, time, category, user, and computer are shown.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event header

  • Setting options for logging events

Viewing and archiving log files

This section covers:

  • Finding specific logged events

  • Setting options for logging events

  • Archiving a log

Finding specific logged events

After you select a log in Event Viewer, you can:

Search for events

Searches can be useful when you are viewing large logs. For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources. To search for events that match a specific type, source, or category, on the View menu, click Find.

The options available in the Find dialog box are described below in the table about Filter options.

Filter events

Event Viewer lists all events recorded in the selected log. To view a subset of events with specific characteristics, on the View menu, click Filter, and then, on the Filter tab, specify the criteria you want.

Filtering has no effect on the actual contents of the log; it changes only the view. All events are logged continuously, whether the filter is active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.

The following table describes the options available in the System Log Properties dialog box, and what each option filters for:

View Events From

Events after a specific date and time. By default, this is the date of the earliest event in the log file.

View Events To

Events up to and including a specific date and time. By default, this is the date of the latest event in the log file.

Information (1)

Infrequent significant events that describe successful operations of major services. For example, when a database program loads successfully, it might log an Information event.

Warning (1)

Events that are not necessarily significant but that indicate possible future problems. For example, a Warning event might be logged when disk space is low.

Error (1)

Significant problems, such as a loss of data or loss of functions. For example, an Error event might be logged if a service was not loaded during Windows 2000 startup.

Success Audit (1)

Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system might be logged as a Success Audit event.

Failure Audit (1)

Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt might be logged as a Failure Audit event.

Source (2)

A source for logging events, such as an application, a system component, or a driver.

Category (3)

A classification of events defined by the source. For example, the security event categories are Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management.

User (3)

A specific user that matches an actual user name. This field is not case sensitive.

Computer (3)

A specific computer that matches an actual computer name. This field is not case sensitive.

Event ID (2)

A specific number that corresponds to an actual event.

(1) This option is not available for LAN Manager 2.x servers.

(2) This option is not available for audit logs on LAN Manager 2.x servers.

(3) This option is not available for error logs on LAN Manager 2.x servers.

Sort events

By default, Event Viewer sorts events by date and time of occurrence from the newest to the oldest. To specify a sort order, on the View menu, click Newest First or Oldest First.

The default sort order is Newest First. When a log is archived, the default sort order is saved.

View details about events

For many events, you can view more information by double-clicking the event.

The Event Properties dialog box shows a text description of the selected event and any available binary data. Binary data, which appears in hexadecimal format, is information generated by the program that is the source of the event record. A support technician familiar with the source program can interpret its meaning. Not all events generate binary data.

To control the types of security events that are audited, in Group Policy, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. To control the auditing of files and folders, display the Properties of a file or folder.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

Setting options for logging events

Application and system logging start automatically when you start the computer. Logging stops when an event log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. You use Group Policy to set up security logging.

To define logging parameters for each kind of log, in the Event Viewer console tree, right-click the log, and then click Properties. On the General tab, you can set the maximum size of the log and specify whether events are overwritten or stored for a certain period of time.

The default logging policy is to overwrite logs as needed, provided events are at least 7 days old. You can customize this policy for different logs.

The Event log wrapping options include the following.

Use | To

Overwrite events as needed | Have new events continue to be written when the log is full. Each new event replaces the oldest event in the log. This option is a good choice for low-maintenance systems.

Overwrite events older than [x] days | Retain the log for the number of days you specify before overwriting events. The default is 7 days. This option is the best choice if you want to archive log files weekly. This strategy minimizes the chance of losing important log entries and at the same time keeps log sizes reasonable.

Do not overwrite events | Clear the log manually rather than automatically. Select this option only if you cannot afford to miss an event (for example, for the security log at a site where security is extremely important).

Notes:

  • When a log is full and no more events can be logged, you can free the log by clearing it. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.

  • Each log file has an initial maximum size of 512 KB. You can increase the maximum log size to the capacity of the disk and memory, or you can decrease the maximum log size. Before decreasing a log's size, you must clear the log.

Archiving a log

When you archive an event log, you save it in one of three file formats:

  • Log-file format (*.evt), which enables you to view the archived log again in Event Viewer.

  • Text-file format (*.txt), which enables you to use the information in a program such as a word processing program.

  • Comma-delimited text-file format (*.csv), which enables you to use the information in a program such as a spreadsheet or a flat-file database.

The event description is saved in all archived logs. The sequence of data within each individual event record is recorded in the following order:

  1. Date

  2. Time

  3. Source

  4. Type

  5. Category

  6. Event

  7. User

  8. Computer

  9. Description

Notes:

  • Binary data is saved if you archive a log in log-file format, but it is discarded if you archive the log in text or in comma-delimited file format.

  • Archiving has no effect on the current contents of the active log. To clear the original log, you must click Clear all Events on the Action menu.

  • To remove an archived log file, delete the file as you would other kinds of files.

For more information, see:

  • View more details about an event

  • Set event logging options

  • The event description

  • Setting options for logging events
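The following Python script is an added example; it is not part of the Windows 2000 documentation and is not Microsoft code. It reads a comma-delimited (*.csv) archive in the nine-field order listed above and applies the same criteria that the Filter tab offers (type, source, category, event ID, case-insensitive user and computer, and a date range), then sorts Newest First as Event Viewer does. The archive text is a constructed sample, not a real export, and it assumes the archive uses m/d/yyyy dates and quotes descriptions that contain commas.

```python
import csv
from datetime import datetime
from io import StringIO

# Field order of one record in a comma-delimited (*.csv) archive, as
# documented above. Binary data is not present in this format.
FIELDS = ["date", "time", "source", "type", "category", "event",
          "user", "computer", "description"]

# Constructed sample archive (not a real export). Dates are assumed to be in
# m/d/yyyy form; descriptions containing commas are quoted as CSV requires.
SAMPLE_CSV = """\
09/12/2000,08:15:02,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password, User Name: jdoe"
09/12/2000,08:15:40,Security,Success Audit,Logon/Logoff,528,jdoe,SRV01,Successful Logon
09/12/2000,08:16:11,Security,Failure Audit,Object Access,560,jdoe,SRV01,"Object Open: Object Name: C:\\payroll\\salaries.xls, Accesses: ReadData"
09/12/2000,09:02:55,Service Control Manager,Error,None,7000,N/A,SRV01,The Messenger service failed to start.
09/12/2000,09:03:01,disk,Warning,None,51,N/A,SRV01,An error was detected on device \\Device\\Harddisk0 during a paging operation.
"""


def parse_archive(text):
    """Parse comma-delimited archive text into a list of event dicts."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        rec["event"] = int(rec["event"])
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
        records.append(rec)
    return records


def filter_events(records, *, event_type=None, source=None, category=None,
                  event_id=None, user=None, computer=None,
                  view_from=None, view_to=None):
    """Apply the same criteria as the Filter tab; None means 'any'."""
    def keep(r):
        if event_type is not None and r["type"] != event_type:
            return False
        if source is not None and r["source"] != source:
            return False
        if category is not None and r["category"] != category:
            return False
        if event_id is not None and r["event"] != event_id:
            return False
        # User and Computer are not case sensitive in the Filter dialog.
        if user is not None and r["user"].lower() != user.lower():
            return False
        if computer is not None and r["computer"].lower() != computer.lower():
            return False
        if view_from is not None and r["timestamp"] < view_from:
            return False
        if view_to is not None and r["timestamp"] > view_to:
            return False
        return True
    return [r for r in records if keep(r)]


def sort_events(records, newest_first=True):
    """Newest First is the default sort order in Event Viewer."""
    return sorted(records, key=lambda r: r["timestamp"], reverse=newest_first)


def count_by(records, field):
    """Count events per value of a field (for example failed logons per user)."""
    counts = {}
    for r in records:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_archive(SAMPLE_CSV)
    for r in sort_events(filter_events(events, event_type="Failure Audit")):
        print(r["timestamp"], r["event"], r["category"], r["user"], r["description"][:40])
    print(count_by(filter_events(events, source="Security"), "type"))
```

Because the archive discards binary data, anything the script reports comes from the text fields only; keep a *.evt copy of the same log if the binary data may be needed later.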

Monitoring security events

  • Monitoring Windows 2000 security events

  • Managing the audit policy

  • Auditing file and folder access

  • Halting the computer when the security log is full

Monitoring Windows 2000 security events

Through auditing, which you enable in Group Policy, you can track Windows 2000 security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who performed actions on the network and who tried to perform actions that are not permitted.

Events are not audited by default. If you have Administrator permissions, you can specify what types of system events are audited through Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

For file and object access, you can then specify which files and printers to monitor, which types of file and object access to monitor, and for which users or groups. For example, when Audit Object Access is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Windows Explorer) to specify which files to audit and what type of access events to audit for those files.

Note: You can audit file and folder access only on NTFS drives.

For more information, see:

  • To set, view, change, or remove auditing for a file or folder

Managing the audit policy

Windows 2000 can record a range of event types, from a system-wide event such as a user logging on to an attempt by a particular user to read a specific file. Both successful and unsuccessful attempts to perform an action can be recorded.

You use the audit policy to select the types of security events to be audited. When such an event occurs, an entry is added to the computer's security log. You use Event Viewer to view the security log.

Because the security log is limited in size, select the events to be audited carefully, and consider the amount of disk space you are willing to devote to the security log. The maximum size of the security log is defined in Event Viewer.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

Auditing file and folder access

You can audit file and folder access on NTFS volumes to identify who took various types of actions with the files and folders.

When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in a certain way. You specify which files and folders to audit, whose actions to audit, and what types of actions are audited.

To set auditing on a file or folder, use Group Policy to enable auditing, and then use Windows Explorer to specify which files to audit and which type of file access events to audit.

You can audit successful and failed attempts of the following types of directory and file access:

Types of directory access:

  • Displaying names of files in the directory

  • Displaying directory attributes

  • Changing directory attributes

  • Creating subdirectories and files

  • Going to the directory's subdirectories

  • Displaying the directory's owner and permissions

  • Deleting the directory

  • Changing directory permissions

  • Changing directory ownership

Types of file access:

  • Displaying the file's data

  • Displaying file attributes

  • Displaying the file's owner and permissions

  • Changing the file

  • Changing file attributes

  • Running the file

  • Deleting the file

  • Changing the file's permissions

  • Changing the file's ownership

Note: To audit files and directories, you must be logged on as a member of the Administrators group.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events

Halting the computer when the security log is full

You can ensure that all auditable activities are logged by halting the computer when the security log is full. To do so, set the security log either to Overwrite Events Older Than n Days or Do Not Overwrite Events (Clear Log Manually). Then use the Registry Editor to create or assign the following registry key value:

Hive: HKEY_LOCAL_MACHINE\SYSTEM

Key: \CurrentControlSet\Control\Lsa

Name: CrashOnAuditFail

Type: REG_DWORD

Value: 1

The changes take effect the next time the computer is started.

Notes:

  • If Windows 2000 halts as a result of a full security log, the system must be restarted and reconfigured to continue to prevent auditable activities from occurring while the log is full.

  • After the system is restarted, only administrators can log on until the security log is cleared.

  • To capture registry changes in your backup procedures, be sure to include System State data in the Backup set when you run Backup.

For more information, see:

  • View more details about an event

  • Archive an event log

  • Set event logging options

  • The event description

  • Setting options for logging events
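The following Python model is an added example, not part of the Windows 2000 documentation and not Microsoft code. It shows what the three wrapping options described under "Setting options for logging events" mean for a log that fills up, and what the CrashOnAuditFail setting described above adds for the security log: with Overwrite events as needed nothing is lost, with Do not overwrite events new events are lost once the log is full, with Overwrite events older than 7 days logging stops until the oldest record is old enough, and with the halt enabled the first event that cannot be recorded stops the system. Log capacity is counted in events rather than in KB, which is a simplification made for the model.

```python
from collections import deque
from datetime import datetime, timedelta

# The three wrapping options on the General tab of a log's Properties.
OVERWRITE_AS_NEEDED = "overwrite_as_needed"
OVERWRITE_OLDER_THAN = "overwrite_older_than_days"
DO_NOT_OVERWRITE = "do_not_overwrite"


class AuditFailHalt(Exception):
    """Stands in for the system halt that CrashOnAuditFail = 1 triggers."""


class EventLog:
    """Toy model of one event log. Capacity is counted in events, not KB
    (an assumption made to keep the model small)."""

    def __init__(self, max_events, policy, days=7, crash_on_audit_fail=False):
        self.max_events = max_events
        self.policy = policy
        self.days = days
        self.crash_on_audit_fail = crash_on_audit_fail
        self.events = deque()   # (timestamp, message), oldest first
        self.dropped = 0        # events that could not be recorded

    def _can_overwrite(self, now):
        """May the oldest record be replaced at time 'now'?"""
        if self.policy == OVERWRITE_AS_NEEDED or not self.events:
            return True
        if self.policy == OVERWRITE_OLDER_THAN:
            oldest = self.events[0][0]
            return now - oldest >= timedelta(days=self.days)
        return False  # DO_NOT_OVERWRITE: only a manual clear frees space

    def write(self, now, message):
        """Record an event; True if written, False if lost because the log is full."""
        if len(self.events) >= self.max_events:
            if self._can_overwrite(now):
                self.events.popleft()
            else:
                self.dropped += 1
                if self.crash_on_audit_fail:
                    raise AuditFailHalt("Audit Failed")
                return False
        self.events.append((now, message))
        return True

    def clear(self):
        """Equivalent of Clear all Events on the Action menu."""
        self.events.clear()


def simulate(policy, days=7, crash_on_audit_fail=False, hours=240, capacity=100):
    """Write one event per hour for 'hours' hours and report what happened."""
    log = EventLog(capacity, policy, days, crash_on_audit_fail)
    start = datetime(2000, 9, 1)
    written, halted_at = 0, None
    for hour in range(hours):
        try:
            if log.write(start + timedelta(hours=hour), f"event {hour}"):
                written += 1
        except AuditFailHalt:
            halted_at = hour   # the system stops; nothing further is logged
            break
    return {"written": written, "dropped": log.dropped,
            "retained": len(log.events), "halted_at": halted_at}


if __name__ == "__main__":
    for policy in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        print(policy, simulate(policy))
    print("security log with halt:", simulate(DO_NOT_OVERWRITE, crash_on_audit_fail=True))
```

With a 100-event log and one event per hour for ten days, the 7-day policy loses the events written between the moment the log fills (hour 100) and the moment the oldest record turns seven days old (hour 168); the archive-weekly advice given above is what keeps that window from opening in practice.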

Troubleshooting

This section provides information about troubleshooting with Event Viewer:

  • Recover when Windows 2000 stops

  • Using event logs to troubleshoot problems

To recover when Windows 2000 stops

  1. Restart the computer and log on using an account in the Administrators group.

  2. Open Event Viewer, archive the currently logged security events (if desired), and then clear all events from the security log.

  3. Open Registry Editor and locate the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  4. Delete and replace the CrashOnAuditFail value, using data type REG_DWORD and a value of 1.

  5. Exit Registry Editor and restart the computer.

Caution: Incorrectly editing the registry may severely damage your system. At the very least, you should back up any valuable data on the computer before making changes to the registry.

Notes:

  • If the registry was previously configured with CrashOnAuditFail = 1 and the security log becomes full, Windows 2000 will stop responding and will display the message "Audit Failed." If that happens, use the procedure above.

  • To start Registry Editor, click Start, click Run, type regedit, and then click OK. For more information about Registry Editor, on the Registry Editor Help menu, click Help Topics.

  • To capture registry changes in your backup procedures, be sure to include System State data in the Backup set when you run Backup.

Using event logs to troubleshoot problems

Careful monitoring of event logs can help you predict and identify the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector is likely to go bad eventually. Logs can also confirm problems with software. If a program crashes, a program event log can provide a record of activity leading up to the event.

The following suggestions may help you use event logs to diagnose problems:

Archive logs in log format

The binary data associated with an event is saved if you archive the log in log format (*.evt), but is discarded if you archive data in text (*.txt) or comma-delimited (*.csv) format. The binary data may help a developer or technical support specialist identify the source of a problem.

Note Event IDs

These numbers match a text description in a message file. The numbers can be used by product support representatives to understand what occurred in the system.

Hardware problems

If you suspect a hardware component is the origin of system problems, filter the system log to show only those events generated by the component.

System problems

If a particular event seems related to system problems, try searching the event log to find other instances of the same event or to judge the frequency of an error.

Network Monitor

Network administrators use Network Monitor to view and detect problems on local area networks (LANs).

  • Before using Network Monitor, see Checklist: Monitoring your network.

  • To find features that have been moved in Windows 2000 Server, see New ways to do familiar tasks.

  • For tips about using Network Monitor, see Best practices.

  • For help with specific tasks, see How to.

  • For general background information, see Concepts.

  • For problem-solving instructions, see Troubleshooting.

Checklist: Monitoring your Network

Step | Reference

Review key concepts. | Network Monitor overview; Network Monitor components; Best practices

Confirm that you are a member of the Administrators group. | Groups overview

Install Network Monitor tools. | To install Network Monitor

Create a capture filter. | Using capture filters

Create a display filter. | Using display filters

Interpret results. | Open Network Monitor. For information about interpreting the results of a network packet capture, click the Help menu in Network Monitor.

New Ways to do Familiar Tasks

The following table compares familiar Windows NT 4.0 network monitoring tasks with the equivalent tasks in Windows 2000.

If you want to | In Windows NT 4.0 use | In Windows 2000 use

Install Network Monitor | Network in Control Panel. | Add/Remove Programs; go to Add/Remove Windows Components. For more information, see To install Network Monitor.

Install the Network Monitor driver | Network in Control Panel. | Network and Dial-up Connections; go to Local Area Connection Properties. For more information, see To install the Network Monitor driver.

Monitor network frames | Network Monitor in Administrative Tools. | Network Monitor in Administrative Tools. For more information, see Manage dynamic volumes.

Best Practices

  • Running Network Monitor during low-usage times

    Run Network Monitor at low-usage times or for short periods of time. This decreases the effect on system performance caused by Network Monitor.

  • Capturing minimum amount of network statistics

    Capture only as many statistics as you need for evaluation. Capturing too much information makes a reasonably quick diagnosis of the problem harder.

How To...

  • Install Network Monitor

  • Install the Network Monitor driver

  • Capture network frames

To install Network Monitor

  1. Open Add/Remove Programs.

  2. In Add/Remove Programs, click Add/Remove Windows Components.

  3. In the Windows Components wizard, select Management and Monitoring Tools, and then click Details.

  4. In the Management and Monitoring Tools window, select the Network Monitor check box, and then click OK.

  5. If you are prompted for additional files, insert your Windows 2000 Server compact disc, or type a path to the location of the files on the network.

Notes:

  • To open Add/Remove Programs, click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs.

  • Network Monitor is available only on Windows 2000 Server.

  • This procedure automatically installs the Network Monitor driver.

  • For detailed information about using Network Monitor, click the Help menu in Network Monitor.

  • Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, a list of components that need to be configured is displayed when you click Add/Remove Windows Components. To start the Windows Components wizard, click Components.

To install the Network Monitor driver

  1. Open Network and Dial-up Connections.

  2. In Network and Dial-up Connections, click Local Area Connection, click the File menu, and then click Properties.

  3. In the Local Area Connection Properties dialog box, click Install.

  4. In the Select Network Component Type dialog box, click Protocol, and then click Add.

  5. In the Select Network Protocol dialog box, click Network Monitor Driver, and then click OK.

  6. If you are prompted for additional files, insert your Windows 2000 compact disc, or type a path to the location of the files on the network.

Notes:

  • To open Network and Dial-up Connections, click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.

  • The Network Monitor driver enables Network Monitor to receive packets from a network adapter.

  • The Network Monitor driver can be installed only on computers running Microsoft Windows 2000 Professional or Windows 2000 Server. Network Monitor drivers for operating systems other than Windows 2000 are available in Microsoft Systems Management Server. For more information on Microsoft Systems Management Server, go to the Microsoft Web site (http://www.microsoft.com/smsmgmt).

  • If you have already installed Network Monitor, Network Monitor Driver does not appear in the Select Network Protocol dialog box, because the driver is installed automatically with Network Monitor.

To capture network frames

  1. Open Network Monitor.

  2. If you are prompted for a default network on which to capture frames, select the local network from which you want to capture data by default.

  3. On the Capture menu, click Start.

  4. If you are prompted for additional files, insert your Windows 2000 compact disc, or type a path to the location of the files on the network.

Notes:

  • To open Network Monitor, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Network Monitor.

  • For more information about using Network Monitor, click the Help menu in Network Monitor.

Concepts

This section covers:

  • Network Monitor overview

  • Understanding Network Monitor

  • Using Network Monitor

  • Resources

Network Monitor overview

You use Network Monitor to capture and display the frames (also called packets) that a computer running Windows 2000 Server receives from a local area network (LAN). Network administrators can use Network Monitor to detect and troubleshoot networking problems that the local computer might experience. For example, as a network administrator, you might use Network Monitor to diagnose hardware and software problems when the server computer cannot communicate with other computers. Frames captured by Network Monitor can be saved to a file and then sent to professional network analysts or support organizations.

Network application developers can use Network Monitor to monitor and debug network applications as they are developed.

For detailed information about using Network Monitor, including information about capture triggers, capture buffers, protocol parsers, address databases, capture filters, display filters, and interpreting the results of captured data, click the Help menu in Network Monitor.

Microsoft Systems Management Server includes a full version of Network Monitor. In addition to the functionality in Windows 2000 Network Monitor, Systems Management Server Network Monitor can capture frames sent to and from all computers in a network segment, as well as edit and transmit frames. For more information on Microsoft Systems Management Server, go to the Microsoft Web site (http://www.microsoft.com/smsmgmt).

Understanding Network Monitor

This section covers:

  • The network data stream

  • Capturing network data

  • Network Monitor components

  • Network Monitor security

  • Protocol parsers included with Network Monitor

The network data stream

Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets.

Frames, whether broadcast, multicast, or directed, are made up of several different pieces that can be analyzed separately. Some of these pieces contain data that Network Monitor can use to troubleshoot networking problems. For example, by examining the destination address, you can determine whether the frame was a broadcast frame, which every host on the segment had to receive and process, or a directed frame sent to a specific host. By analyzing frames, you can determine exactly what caused a frame to be sent, which helps you decide whether the service generating that kind of frame can be optimized.

The following figure (srv1301; image not reproduced in this text) illustrates the portions of an Ethernet frame.

For detailed information about using Network Monitor, including information about capture triggers, capture buffers, protocol parsers, address databases, capture filters, display filters, and interpreting the results of captured data, click the Help menu in Network Monitor.

For instructions on installing Network Monitor, see To install Network Monitor

Capturing network data

The process by which Network Monitor copies frames is referred to as capturing. You can capture all network traffic to and from the local network card, or you can set a capture filter and capture a subset of frames. You can also specify a set of conditions that trigger an event in a Network Monitor capture filter. By using triggers, Network Monitor can respond to events on your network. For example, you can make Windows start an executable file when Network Monitor detects a particular set of conditions on the network. After you have captured data, you can view it. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.

Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer.

For detailed instructions on capturing network data, see To capture network frames.

Note: Because the version of Network Monitor in Windows 2000 uses the local-only mode of NDIS instead of promiscuous mode, you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.)

Network Monitor components

Network Monitor is composed of an administrative tool called Network Monitor and a network protocol called the Network Monitor driver. Both of these components must be installed in order for you to capture, display, and analyze network packets (also called frames).

Network Monitor

You use Network Monitor to capture and display the frames that a computer running Windows 2000 Server receives from a local area network (LAN). Network administrators can use Network Monitor to detect and troubleshoot networking problems that the local computer may experience. Network Monitor can be installed only on computers running Windows 2000 Server. When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer.

For instructions on installing Network Monitor, see To install Network Monitor.

The Network Monitor driver

The Network Monitor driver enables Network Monitor to receive frames from a network adapter, and allows users of the version of Network Monitor provided with Microsoft Systems Management Server (Systems Management Server Network Monitor) to capture and display frames from a remote computer, including those with a dial-up network connection. When the user of a computer running the Systems Management Server Network Monitor connects remotely to a computer on which the Network Monitor driver has been installed, and that user initiates a capture, statistics from the capture are transferred over the network to the managing computer. The Network Monitor driver can be installed only on computers running Microsoft Windows 2000 Professional or Windows 2000 Server.

For instructions on installing the Network Monitor driver, see To install the Network Monitor driver.

Note: Network Monitor drivers for operating systems other than Windows 2000 are provided with Systems Management Server. In addition to the functionality in the Windows 2000 Network Monitor, the Systems Management Server Network Monitor can capture frames sent to and from all computers in a network segment, as well as edit and transmit frames. For more information on Microsoft Systems Management Server, go to the Microsoft Systems Management Server Web site.


Network Monitor security

For security reasons, the version of Network Monitor in Windows 2000 captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.

In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor provides the capability to detect other installations of Network Monitor that are running on the local segment of your network.

Detecting other installations of Network Monitor

To protect your network from unauthorized monitoring, Network Monitor can detect other installations of Network Monitor running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from Systems Management Server or System Monitor) to capture data on your network.

When Network Monitor detects other Network Monitor installations running on the network, it displays the following information about them:

  • The name of the computer

  • The name of the user logged on at the computer

  • The state of Network Monitor on the remote computer (running, capturing, or transmitting)

  • The adapter address of the remote computer

  • The version number of Network Monitor on the remote computer

In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.

Protocol parsers included with Network Monitor

A protocol parser is a dynamic-link library (.dll) that identifies the protocols used to send a frame on the network. Information about these protocols appears when you display captured frames in the Frame Viewer window. Each protocol that Network Monitor supports has a corresponding parser.

For detailed information about using Network Monitor, including information about capture triggers, capture buffers, protocol parsers, address databases, capture filters, display filters, and interpreting the results of captured data, click the Help menu in Network Monitor.

Following is a list of the protocols that are included with Network Monitor.

Protocol | Description

AARP | AppleTalk Address Resolution Protocol (Atalk.dll)

ADSP | AppleTalk Data Stream Protocol (Atalk.dll)

AFP | AppleTalk File Protocol (Atalk.dll)

AH | IP Authentication Header (Tcpip.dll)

ARP_RARP | Internet Address Resolution Protocol/Reverse Address Resolution Protocol (Tcpip.dll)

ASP | AppleTalk Session Protocol (ATALK.dll)

ATMARP | ATM Address Resolution Protocol (Atmarp.dll)

ATP | AppleTalk Transaction Protocol (Atalk.dll)

BONE | Bloodhound-Oriented Network Entity Protocol (Bone.dll)

BOOKMARK | Network Monitor BOOKMARK Protocol (Trail.dll)

BPDU | Bridge Protocol Data Unit (Llc.dll)

BROWSER | Microsoft Browser (Browser.dll)

CBCP | Callback Control Protocol (Ppp.dll)

CCP | Compression Control Protocol (Ppp.dll)

COMMENT | Network Monitor COMMENT Protocol (Trail.dll)

DDP | AppleTalk Datagram Delivery Protocol (Atalk.dll)

DHCP | Dynamic Host Configuration Protocol (Tcpip.dll)

DNS | Domain Name System (Tcpip.dll)

EAP | PPP Extensible Authentication Protocol (Ppp.dll)

ESP | IP Encapsulating Security Payload (Tcpip.dll)

ETHERNET | Ethernet 802.3 topology (Mac.dll)

FDDI | FDDI topology (Mac.dll)

FINGER | Internet Finger protocol (Tcpip.dll)

FRAME | Base frame properties (Frame.dll)

FTP | File Transfer Protocol (Tcpip.dll)

GENERIC | Network Monitor GENERIC Protocol (Trail.dll)

GRE | Generic Routing Encapsulation Protocol (Ppp.dll)

ICMP | Internet Control Message Protocol (Tcpip.dll)

IGMP | Internet Group Management Protocol (Tcpip.dll)

IP | Internet Protocol (Tcpip.dll)

IPCP | Internet IP Control Protocol (Ppp.dll)

IPX | NetWare Internet Packet eXchange protocol (Ipx.dll)

IPXCP | NetWare Internetwork Packet eXchange Control Protocol (Ppp.dll)

IPXWAN | NetWare Internetwork Packet eXchange Protocol for Wide Area Networks (Ppp.dll)

ISAKMP | Internet Security Association and Key Management Protocol (Ppp.dll)

L2TP | Level 2 Tunneling Protocol (L2tp.dll)

LAP | AppleTalk Link Access Protocol (Atalk.dll)

LCP | Link Control Protocol (Ppp.dll)

LLC | Logical Link Control 802.2 Protocol (LLC.dll)

LPR | BSD Printer (Ppp.dll)

MESSAGE | Network Monitor MESSAGE Protocol (Trail.dll)

MSRPC | Microsoft Remote Procedure Call Protocol (Msrpc.dll)

NBFCP | NetBIOS Frames Control Protocol (Ppp.dll)

NBIPX | NetBIOS on IPX (Ipx.dll)

NBP | AppleTalk Name Binding Protocol (Atalk.dll)

NBT | Internet NetBIOS Over TCP/IP (Tcpip.dll)

NCP | NetWare Core Protocol (Ncp.dll)

NDR | NetWare Diagnostic Redirector (Ipx.dll)

NETBIOS | Network Basic Input/Output System Protocol (Netbios.dll)

NETLOGON | Microsoft Netlogon Broadcasts (Netlogon.dll)

NFS | Network File System (Tcpip.dll)

NMPI | Microsoft Name Management Protocol on IPX (Ipx.dll)

NSP | NetWare Serialization Protocol (Ipx.dll)

NWDP | NetWare WatchDog Protocol (Ipx.dll)

ODBC | Network Monitor ODBC Protocol (Trail.dll)

OSPF | Open Shortest Path First (Tcpip.dll)

PAP | AppleTalk Printer Access Protocol (Atalk.dll)

PPP | Point-to-Point Protocol (Ppp.dll)

PPPCHAP | PPP Challenge Handshake Authentication Protocol (Ppp.dll)

PPPML | Point-to-Point Multilink Protocol (Ppp.dll)

PPPPAP | PPP Password Authentication Protocol (Ppp.dll)

PPTP | Point-to-Point Tunneling Protocol (Ppp.dll)

R_LOGON | Generated RPC for interface logon (Logon.dll)

R_LSARPC | Generated RPC for Interface Lsarpc (Lsarpc.dll)

R_WINSPOOL | Generated RPC for Interface Winspool (Winspl.dll)

RADIUS | Remote Authentication Dial-In User Service Protocol (Ppp.dll)

RIP | Internet Routing Information Protocol (Tcpip.dll)

RIPX | NetWare Routing Information Protocol (Ipx.dll)

RPC | Remote Procedure Call (Tcpip.dll)

RPL | Remote Program Load (Llc.dll)

RSVP | RSVP Protocol (Rsvp.dll)

RTMP | AppleTalk Routing Table Maintenance Protocol (Atalk.dll)

SAP | NetWare Service Advertising Protocol (Ipx.dll)

SMB | Server Message Block Protocol (Smb.dll)

SMT | FDDI MAC Station Management (Mac.dll)

SNAP | Sub-Network Access Protocol (Llc.dll)

SNMP | Simple Network Management Protocol (Snmp.dll)

SPX | NetWare Sequenced Packet eXchange Protocol (Ipx.dll)

SSP | Security Support Provider Protocol (Msrpc.dll)

STATS | Network Monitor Capture Statistics Protocol (Trail.dll)

TCP | Transmission Control Protocol (Tcpip.dll)

TMAC | Token Ring MAC layer (Mac.dll)

TOKENRING | Token Ring 802.5 Topology (Mac.dll)

TPCTL | Test Protocol Control Language (Tpctl.dll)

TRAIL | Network Monitor TRAIL Protocol (Trail.dll)

UDP | User Datagram Protocol (Tcpip.dll)

VINES_FRAG | Banyan Vines Fragmentation Protocol (Vines.dll)

VINES_IP | Banyan Vines Internet Protocol (Vines.dll)

VINES_TL | Banyan Vines Transport Layer Protocols (Vines.dll)

XNS | Xerox Network System (Xns.dll)

ZIP | AppleTalk Zone Information Protocol (Atalk.dll)

Note: The full version of Network Monitor (included with Microsoft Systems Management Server) supports additional protocol parsers. If you want to capture data sent in a protocol that is not included with Network Monitor, use the Systems Management Server Network Monitor or add your own parser. To add a protocol parser to Network Monitor, you must write the parser DLL first. The Systems Management Server version 2.0 Toolkit provides complete details for writing and installing parsers for Network Monitor. For more information on Microsoft Systems Management Server, go to the Microsoft Web site.

Using Network Monitor

This section covers:

  • Using capture filters

  • Using display filters

  • Displaying captured data

Using capture filters

A capture filter functions like a database query—use it to specify the types of network information you want to monitor. For example, to see only a specific subset of computers or protocols, you can create an address database, use the database to add addresses to your filter, and then save the filter to a file. By filtering frames, you save both buffer resources and time. Later, if necessary, you can load the capture filter file and use the filter again.

Designing a capture filter

To design a capture filter, specify decision statements in the Capture Filter dialog box. This dialog box displays the filter's decision tree, which is a graphical representation of a filter's logic. When you include or exclude information from your capture specifications, the decision tree reflects these specifications.

Filtering by protocol

To capture frames sent using a specific protocol, specify the protocol on the SAP/ETYPE= line of the capture filter. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled.

Filtering by address

To capture frames from specific computers on your network, specify one or more address pairs in a capture filter. You can monitor up to four specific address pairs simultaneously.

An address pair consists of:

  • The addresses of the two computers you want to monitor traffic between.

  • Arrows that specify the traffic direction you want to monitor.

  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.

Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a filter contains both EXCLUDE and INCLUDE statements and a frame meets the criteria of an EXCLUDE statement, that frame is discarded; Network Monitor does not go on to test the frame against the INCLUDE statements.

For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter address section:

Addresses
include   Joe <----> Any
exclude   Joe <----> Anne

If there are no include lines, your_computer <----> Any is used by default.

Filtering by data pattern

By specifying a pattern match in a capture filter, you can:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.

  • Specify how many bytes (offsets) into the frame the pattern must occur.

When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If the media access control header of your network medium varies in size, as it can with Ethernet or Token Ring, specify that the offset is counted from the end of the topology header rather than from the start of the frame.
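To make the filter rules above concrete (EXCLUDE before INCLUDE, the default include line, the direction arrows, and a pattern offset measured from the start of the frame versus the end of the topology header), here is an added Python model of the filter decision. It is not Network Monitor's own code; the address names, frames and header lengths in it are constructed for illustration.

```python
"""Added example, not code from the Windows 2000 documentation: a model of how
a Network Monitor capture filter decides whether to keep a frame, covering the
address-pair section (EXCLUDE evaluated before INCLUDE, default include line)
and a data-pattern match at an offset counted from the frame start or from the
end of the topology header. Addresses, arrows and frames are constructed here."""
from dataclasses import dataclass
from typing import List, Optional

ARROWS = ("<---->", "---->", "<----")   # both ways, left-to-right, right-to-left
MAX_ADDRESS_PAIRS = 4                   # a capture filter holds up to four pairs


@dataclass(frozen=True)
class Frame:
    src: str        # constructed source address, e.g. "Joe"
    dst: str        # constructed destination address
    header: bytes   # topology (MAC) header; its length depends on the medium
    payload: bytes  # data that follows the topology header


@dataclass(frozen=True)
class AddressPair:
    action: str     # "include" or "exclude"
    left: str
    arrow: str
    right: str

    def matches(self, frame: Frame) -> bool:
        def same(name: str, addr: str) -> bool:
            return name == "Any" or name == addr   # "Any" matches every address
        forward = same(self.left, frame.src) and same(self.right, frame.dst)
        backward = same(self.left, frame.dst) and same(self.right, frame.src)
        if self.arrow == "---->":
            return forward
        if self.arrow == "<----":
            return backward
        return forward or backward


@dataclass(frozen=True)
class PatternMatch:
    pattern: bytes
    offset: int
    from_header_end: bool   # True: count from the end of the topology header

    def matches(self, frame: Frame) -> bool:
        data = frame.payload if self.from_header_end else frame.header + frame.payload
        return data[self.offset:self.offset + len(self.pattern)] == self.pattern


def parse_address_section(text: str, your_computer: str) -> List[AddressPair]:
    # Parses lines such as 'include   Joe <----> Any'; the heading is skipped.
    pairs: List[AddressPair] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].lower() not in ("include", "exclude"):
            continue
        action, left, arrow, right = parts
        if arrow not in ARROWS:
            raise ValueError(f"unknown direction arrow: {arrow}")
        pairs.append(AddressPair(action.lower(), left, arrow, right))
    if len(pairs) > MAX_ADDRESS_PAIRS:
        raise ValueError("a capture filter holds at most four address pairs")
    # With no include line, your_computer <----> Any is used by default.
    if not any(p.action == "include" for p in pairs):
        pairs.append(AddressPair("include", your_computer, "<---->", "Any"))
    return pairs


def keep_frame(frame: Frame, pairs: List[AddressPair],
               pattern: Optional[PatternMatch] = None) -> bool:
    # A matching EXCLUDE discards the frame before any INCLUDE is consulted.
    if any(p.action == "exclude" and p.matches(frame) for p in pairs):
        return False
    if not any(p.action == "include" and p.matches(frame) for p in pairs):
        return False
    return pattern is None or pattern.matches(frame)


# The filter from the text: all of Joe's traffic except Joe <-> Anne.
JOE_FILTER = """Addresses
include   Joe <----> Any
exclude   Joe <----> Anne
"""


def demo() -> dict:
    pairs = parse_address_section(JOE_FILTER, your_computer="Server1")
    eth = bytes(14)     # constructed 14-byte Ethernet header
    tr = bytes(22)      # constructed longer Token Ring header (routing info)
    get = PatternMatch(b"GET ", offset=0, from_header_end=True)
    absolute = PatternMatch(b"GET ", offset=14, from_header_end=False)
    return {
        "joe_to_bob": keep_frame(Frame("Joe", "Bob", eth, b"GET /"), pairs),
        "anne_to_joe": keep_frame(Frame("Anne", "Joe", eth, b"GET /"), pairs),
        "bob_to_anne": keep_frame(Frame("Bob", "Anne", eth, b"GET /"), pairs),
        "pattern_eth": keep_frame(Frame("Joe", "Bob", eth, b"GET /"), pairs, get),
        "pattern_tr": keep_frame(Frame("Joe", "Bob", tr, b"GET /"), pairs, get),
        "absolute_tr": keep_frame(Frame("Joe", "Bob", tr, b"GET /"), pairs, absolute),
    }
```

The last two results show why the offset should be counted from the end of the topology header: the same pattern at payload offset 0 is found under both header lengths, while an absolute offset of 14 misses once the header grows.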

Using display filters

Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information. But because a display filter operates on data that has already been captured, it does not affect the contents of the Network Monitor capture buffer.

Use a display filter to determine which frames to display. You can filter a frame by:

  • Its source or destination address.

  • The protocols used to send it.

  • The properties and values it contains. (A property is a data field within a protocol header. A protocol's properties indicate the purpose of the protocol.)

Displaying captured data

Network Monitor simplifies data analysis by interpreting raw data collected during the capture and displaying it in the Frame Viewer window.

To display captured information in the Frame Viewer window, on the Capture menu, click Stop and View while the capture is running. Or, open a capture file (.cap).

Note: To display data captured with the Network General Sniffer, open the uncompressed Sniffer files. To view a compressed Sniffer file, open the file in Sniffer and then save the file in uncompressed format. Or, obtain a Sniffer file decompression tool from Network General.

The Frame Viewer window includes the following panes:

  • Summary. General information about captured frames in the order in which they were captured.

  • Detail. The frame's contents, including the protocols used to send it.

  • Hex. A hexadecimal and ASCII representation of the captured data.

Resources

  • Network Monitor Help. For information about capture triggers, capture buffers, protocol parsers, address databases, capture filters, display filters, and interpreting the results of captured data, click the Help menu in Network Monitor.

  • Windows 2000 Server family at Microsoft Windows (http://www.microsoft.com/windows)

  • Microsoft Windows Hardware Compatibility List at the Microsoft Web site (http://www.microsoft.com/)

  • Microsoft TechNet at Microsoft TechNet (http://www.microsoft.com/technet)

  • Microsoft TechNet compact discs.

  • Microsoft support at the Microsoft Web site (http://www.microsoft.com/)

  • Getting Started for Windows 2000 Server.

  • Windows 2000 Server Resource Kit.

  • Windows 2000 Server Registry.

Troubleshooting

What problem are you having?

After upgrading from Windows NT 4.0 to Windows 2000, Network Monitor version 1.2 does not work, or you get an error message that Nal.dll cannot be found.

Cause: During upgrade, the Network Monitor Agent 1.2 is replaced with the Network Monitor driver 2.0, which is not compatible with Network Monitor 1.2. Network Monitor Agent 1.2 is not supported by Windows 2000.

Solution: Use Network Monitor driver 2.0 or later.

Not enough disk space to create a capture buffer.

Cause: When you set a capture buffer, Network Monitor reserves disk space equal to the size of the capture buffer. If not enough disk space is free, you will get an error.

Solution: Make sure that the temporary capture directory has enough free disk space (at least 1 MB free + buffer size).

Access denied to default capture directory on computers with lockdown policies in place.

Cause: Lockdown systems will not allow you to write to files in the system folder and subfolders, but the default folder for Network Monitor capture files is a subfolder of the system folder (Winnt).

Solution: After you create a capture, save the capture into a folder to which you have read and write access. This folder becomes the new default location for saving capture files.

Network Monitor does not work through Microsoft Terminal Services server.

Cause: Network Monitor will not work through a terminal server client connection.

Solution: Run Network Monitor locally. Or, if you want to run Network Monitor on a remote computer, set up the Network Monitor driver on the remote computer (the one that you will use to capture traffic) and set up the version of Network Monitor that comes with Microsoft Systems Management Server on the local computer. Then use Network Monitor remotely to create the remote capture session.

"No NPPs found" error message.

Cause: Network Monitor and/or the Network Monitor driver are not installed properly.

Solution: Make sure that the Network Monitor components are installed properly.

  1. If the Network Monitor driver is not installed, install it using the steps described in To install the Network Monitor driver.

  2. If the Network Monitor driver is installed, delete it and then reinstall it.

  3. If reinstalling the Network Monitor driver does not solve the problem, remove Network Monitor and then reinstall it using the steps described in To install Network Monitor.

Monitoring Performance

System Monitor and Performance Logs and Alerts support detailed monitoring of the utilization of operating system resources.

  • Before monitoring your system, see Checklist: Monitoring performance.

  • To find features that have been changed in Windows 2000, see New ways to do familiar tasks.

  • For tips about performance monitoring, see Best practices.

  • For help with specific tasks, see How to.

  • For general background information, see Concepts.

  • For problem-solving instructions, see Troubleshooting.

Checklist: Monitoring Performance

  • Read key concepts about monitoring performance. Reference: Introduction to Performance; Best practices.

  • Ensure that you have appropriate permissions on the computer you want to monitor. Reference: Setting up a monitoring configuration.

  • Install Network Monitor driver to monitor network performance counters. Reference: To enable Network Segment counters.

  • Set up a monitoring configuration. Reference: Setting up a monitoring configuration.

  • Evaluate monitoring results and establish a baseline. Reference: Analyzing performance.

  • Investigate variations in performance data and tune or upgrade components as needed. Reference: Solving performance problems.

  • Archive monitoring data and use archives to monitor trends. Reference: Evaluating trends and planning for additional resources.

New Ways to do Familiar Tasks

The following table lists common tasks for System Monitor and Performance Logs and Alerts (hosted in the Performance console, named Perfmon.msc) and maps where you can perform the tasks in Windows 2000. For existing Performance Monitor (Perfmon.exe) users, the table also shows where these tasks are performed in Windows NT 4.0. Many of the toolbar buttons remain the same in the two versions and can be used instead of the steps listed in this table.

  • Create a chart of performance data. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: System Monitor in the Performance console, started from Administrative Tools.

  • Create a report. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: System Monitor in the Performance console, started from Administrative Tools.

  • Create a log. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: Performance Logs and Alerts in the Performance console or under System Tools in Computer Management, started from Administrative Tools.

  • View log data. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: System Monitor in the Performance console, started from Administrative Tools.

  • Create an alert. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: Performance Logs and Alerts in the Performance console or under System Tools in Computer Management, started from Administrative Tools.

  • Create a workspace with multiple views. In Windows NT 4.0: Performance Monitor on the Administrative Tools menu. In Windows 2000: Microsoft Management Console, Add/Remove Snap-in command on the Console menu.

To locate the Windows NT 4.0 version of Performance Monitor, see the Windows 2000 Resource Kit.

You can use Windows 2000 System Monitor to open settings files created with the Windows NT 4.0 version of Performance Monitor.

Best Practices

  • Setting up a monitoring configuration. Configure Performance Logs and Alerts to report data for the recommended counters at regular intervals, such as every 10 to 15 minutes. Retain logs over extended periods of time, store data in a database, and query the data to report on and analyze the data as needed for overall performance assessment, trend analysis, and capacity planning.

    For best results, do the following before starting System Monitor or Performance Logs and Alerts on the computer you want to monitor for diagnostic purposes:

    • Stop screen-saver programs.

    • Turn off services that are not essential or relevant to monitoring.

    • Increase the paging file to physical memory size plus 100 MB.

      Using Registry Editor, view the settings for the following and make note of all keys that have nonzero values:

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

        Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

      Some of these registry values can be adjusted for better performance. For information about modifying the registry, see Registry Editor Help.

    • If the server in question has halted or is not responding, run System Monitor from another computer.

  • Keeping monitoring overhead low. In general, the performance tools are designed for minimal overhead. However, you may find the overhead increases under each of the following conditions:

    • You are running System Monitor in graph view.

    • You have selected an option other than the default (current value) for a report view.

    • You are sampling at very frequent intervals (less than three seconds apart).

    • Many different objects and counters are selected.

    Other aspects of performance tool operation that affect performance include file size and disk space taken up by log files. To reduce file size and related disk space usage, extend the update interval. Also, log to a disk other than the one you are monitoring. Frequent logging also adds demand on disk input and output (I/O).

    If monitoring overhead is a concern, run only the Performance Logs and Alerts service and do not monitor using a System Monitor graph.

    During remote logging, frequent updating can slow performance due to network transport. In this case, it is recommended that you log continuously on remote computers but upload logs infrequently — for example, once a day.

  • Analyzing performance results and establishing a performance baseline. Review logged data by graphing it using the System Monitor display or exporting it for printing. Compare the values against the counter thresholds shown in Analyzing performance to verify that resource usage or other activity is within acceptable limits. Set your baseline according to the level of performance that you consider satisfactory for your typical workload.

  • Setting alerts. Set alerts according to the counter values you consider to be unacceptable, as defined by baseline evaluation.

  • Performance tuning. Tune system settings and workload to improve performance and repeat monitoring to examine tuning results. See Solving performance problems for instructions covering how to change configurations or other steps to improve performance.

  • Planning. Monitor trends for capacity planning and add or upgrade components as needed. Maintain logged data in a database and observe changes to identify changes in resource requirements. After you observe changes in activity or resource demand, you can identify where you may require additional resources.
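As an added illustration of the baseline, threshold and alert steps above (not code from Windows 2000 or the Performance console), the following Python reads a counter log saved in comma-separated format, computes report-style statistics with a start-up window excluded, and lists the samples that cross assumed alert limits. The log contents, server name and limits are constructed here; the header line only mirrors the shape of such an export.

```python
"""Added example, not code from the Windows 2000 documentation: establishing a
baseline and evaluating alert thresholds over a counter log saved by
Performance Logs and Alerts in comma-separated format. The log text, server
name, counter values and threshold limits are all constructed here."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIMESTAMP_FORMAT = "%m/%d/%Y %H:%M:%S.%f"

# Constructed log: a timestamp column, then one column per counter path.
COUNTER_LOG = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\SERVER1\Processor(_Total)\% Processor Time","\\SERVER1\Memory\Pages/sec"
"05/12/2000 08:00:00.000","97.4","180.0"
"05/12/2000 08:00:10.000","95.1","150.5"
"05/12/2000 08:00:20.000","21.3","2.0"
"05/12/2000 08:00:30.000","18.7","1.5"
"05/12/2000 08:00:40.000","88.9","3.0"
"05/12/2000 08:00:50.000","24.0","2.5"
'''

CPU = r"\\SERVER1\Processor(_Total)\% Processor Time"
PAGES = r"\\SERVER1\Memory\Pages/sec"

# Assumed alert limits (path -> (alert when over?, limit)); choose your own
# from the baseline you establish for your workload.
THRESHOLDS: Dict[str, Tuple[bool, float]] = {CPU: (True, 85.0), PAGES: (True, 20.0)}


@dataclass
class Sample:
    time: datetime
    values: Dict[str, float]   # counter path -> sampled value


def parse_counter_log(text: str) -> List[Sample]:
    """Read the export; a blank cell means the counter returned no value."""
    reader = csv.reader(io.StringIO(text))
    paths = next(reader)[1:]            # column 0 holds the timestamp
    samples: List[Sample] = []
    for row in reader:
        if not row:
            continue
        stamp = datetime.strptime(row[0], TIMESTAMP_FORMAT)
        values = {p: float(v) for p, v in zip(paths, row[1:]) if v.strip()}
        samples.append(Sample(stamp, values))
    return samples


def statistics(samples: List[Sample], path: str,
               start: Optional[datetime] = None) -> Optional[Dict[str, float]]:
    """Report-view style last/average/minimum/maximum for one counter. Samples
    before `start` are ignored so that start-up activity does not skew the
    baseline, as the best-practice notes recommend."""
    vals = [s.values[path] for s in samples
            if path in s.values and (start is None or s.time >= start)]
    if not vals:
        return None
    return {"last": vals[-1], "average": sum(vals) / len(vals),
            "minimum": min(vals), "maximum": max(vals), "count": len(vals)}


def evaluate_alerts(samples: List[Sample], thresholds: Dict[str, Tuple[bool, float]],
                    start: Optional[datetime] = None) -> List[str]:
    """One alert line per sample that crosses a limit, in the spirit of a
    Performance Logs and Alerts alert (recorded here rather than sent)."""
    alerts: List[str] = []
    for s in samples:
        if start is not None and s.time < start:
            continue
        for path, (over, limit) in thresholds.items():
            v = s.values.get(path)
            if v is None:
                continue
            if (over and v > limit) or (not over and v < limit):
                word = "over" if over else "under"
                alerts.append(f"{s.time:%H:%M:%S} {path} = {v} ({word} {limit})")
    return alerts


def demo() -> dict:
    samples = parse_counter_log(COUNTER_LOG)
    # Treat the first 20 seconds as start-up and exclude them from the baseline.
    start = datetime(2000, 5, 12, 8, 0, 20)
    return {
        "cpu_all": statistics(samples, CPU),
        "cpu_baseline": statistics(samples, CPU, start),
        "alerts_all": evaluate_alerts(samples, THRESHOLDS),
        "alerts_baseline": evaluate_alerts(samples, THRESHOLDS, start),
    }
```

Comparing cpu_all with cpu_baseline shows how much the two start-up samples inflate the average, which is why the time window should begin after such events.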

How To...

  • Work with counters

  • Work with monitoring views

  • Work with data

  • Work with settings

  • Create and configure counter logs

  • Create and configure trace logs

  • Create and configure alerts

  • Work with logs and alerts

Work with counters

  • Add counters

  • Delete counters

  • Get details about counters

  • Enable Network Segment counters

To add counters to System Monitor

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Add Counters.

  3. To monitor any computer on which the monitoring console is run, click Use local computer counters.

    Or, to monitor a specific computer, regardless of where the monitoring console is run, click Select counters from computer and specify a computer name (the name of the local computer is selected by default).

  4. In Performance object, click an object to monitor. The Processor object is selected by default.

  5. To monitor all counters, click All counters.

    Or, to monitor only selected counters, click Select counters from list and select the counters you want to monitor. The % Processor Time counter is selected by default.

  6. To monitor all instances of the selected counters, click All instances.

    Or, to monitor only selected instances, click Select instances from list and select the instances you want to monitor. The _Total instance is selected by default.

  7. Click Add.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • If you select an object on a remote computer, you may notice a short delay as System Monitor refreshes the list to reflect objects present on that computer.

  • When creating a monitoring console for export, make sure to select Use local computer counters. Otherwise, System Monitor will obtain data from the computer named in the text box, regardless of where the console file is installed.

  • For a description of a particular counter, click the name of the counter in Performance counters and then click Explain.

  • To monitor the sum of the values of all of a particular counter's instances, select the _Total instance.

  • Unless you are configuring data from a log, you can select only active instances in the list box.

  • By default, counters are shown with both the instance name and an instance index. To turn off this feature, right-click the details pane, click Properties, and clear the Allow duplicate counter instances check box.

  • Some object types have several instances. For example, if a system has multiple processors, the Processor object type will have multiple instances. The Physical Disk object type has two instances if a system has two disks. Some object types such as Memory and Server have only a single instance. If an object type has multiple instances, you can add counters to track statistics for each instance, or in many cases, for all instances at once.

  • When you select two instances of the same counter, for example, if you are monitoring multiple threads of a process, note that the instance index number assigned to that instance may change over time as the instance, such as a thread, starts and stops. You cannot assume that the index number corresponds to the same thread over the life of the process.

  • You can change the default display characteristics assigned to a counter such as the color, line style and width, and graph scale by using the Data tab in the System Monitor Properties dialog box. To access the Data tab, right-click the details pane, and click Properties.

To delete counters from System Monitor

  1. Open Performance.

  2. In the System Monitor details pane, click the name of the counter in the legend.

  3. Press DELETE.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • You can also delete counters by using the Data tab in the System Monitor Properties dialog box.

  • To delete all counters, click the srv1303 button in the toolbar.

  • To clear all data samples from the display, click the srv1304 button. (This button is available only when working with current data, not with log data.)

To get details about counters

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Add Counters.

  3. In Performance object, click an object.

  4. In Performance counters, click the counter for which you want information.

  5. Click Explain.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When working with System Monitor, you can match a line in a graph with the counter for which it is charting values. To do so, double-click a position in the line. The counter will be selected in the legend. If chart lines are close together, try to find a point in the graph where they diverge. Otherwise, System Monitor may have difficulty pinpointing the value you are interested in.

  • For more complete information about performance counters, see the Windows 2000 Performance Counter Reference (Counters.chm) on the Windows 2000 Resource Kit companion disc.

Enabling Network Segment counters

You must install the Network Monitor Driver in order to collect performance data using the Network Segment object counters. See To install the Network Monitor Driver for more information.

Work with monitoring views

  • Use logged data

  • Change counters and counter properties

  • Change sampling options

  • Monitor a different computer

  • Highlight counter data

  • Change from graph view

  • Add titles, grids, and other attributes

  • Change background, chart, text, and other colors

  • Change font properties

To use logged data

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

  3. Click the Source tab.

  4. Under Data Source, click Log File, and type the path to the file or click Browse to browse for the log file you want.

  5. Click Time Range. To specify the time range in the log file that you want to view, drag the bar or its handles for the appropriate starting and ending times.

  6. Click the Data tab and click Add to open the Add Counters dialog box. The counters you selected during log configuration are shown. You can include all or some of these in your graph.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • Unless you specifically want to monitor start-up events, you should exclude times that include such events from your time window because these temporary high values tend to skew overall performance results.

  • The srv1322 button on the toolbar is disabled when you are viewing log data.

  • You can also view counter-log data by opening files that have been saved in comma-separated or tab-separated format using Microsoft Excel.

To change counters and counter properties

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

    On the Data tab, specify the options you want to use:

    • Add. Opens the Add Counters dialog box, where you can select other counters to add.

    • Remove. Removes the counter selected in the counter list.

    • Color. Changes the color of the selected counter.

    • Scale. Changes the displayed scale of a selected counter in the graph or histogram view. Counter values can be scaled exponentially from .0000001 to 1000000.0. You may want to adjust the counter scale settings to enhance the visibility of counter data in the graph. Changing the scale does not affect the statistics displayed in the value bar.

    • Width. Changes the line width of a selected counter. Note that defining a line width can determine the line styles that are available.

    • Style. Changes the line style for a selected counter. Styles can be selected only when you are using the default line width.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To change sampling options

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

    On the General tab, specify the sampling option you want:

    • To sample automatically at regular intervals, select the Update automatically every check box and in seconds type the length of the interval in seconds. The default interval is one second.

    • To sample manually, clear the Update automatically every check box. You can also use the srv1323 button on the toolbar to sample data manually.

      When manual sampling is selected, use the srv1324 button to collect a sample.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • To clear all data samples from the display, click the srv1322 button on the toolbar. (This button is available only when working with current data, not with log data.)

To monitor a different computer

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Add Counters.

  3. Click Select counters from computer, and type the computer name in the text box.

    System Monitor will obtain counters from the computer you specify, regardless of where System Monitor is running.

  4. In Performance object, click an object to monitor.

  5. In Performance counters, click one or more counters.

  6. To use all counter instances available when System Monitor is in use, click All instances.

    Or, to use only selected counter instances, click Select instances from list and select the instances you want to use.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • If you don't have appropriate permissions to monitor the computer, an error message will be displayed but the counter will still appear in the histogram or graph legend without any data or any graph line.

  • If you select an object on a remote computer, you may notice a short delay as System Monitor refreshes the list to reflect objects present on that computer.

  • If you don't see a counter that you want to monitor, it could be because the service or feature that provides the counter object is not installed or enabled on that computer and you may need to add it before you can monitor related data.

To highlight counter data

  1. Open Performance.

  2. In the counter list, click the counter you want to highlight.

  3. Click the srv1325 button or press CTRL+H.

    For the counter selected, a thick line replaces the colored chart line. For white or light-colored backgrounds (defined by the BackColor property), this line is black; for other backgrounds, this line is white.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When working with the System Monitor control in Microsoft Word, note that default key settings in Microsoft Word may conflict with the CTRL+H combination used for System Monitor highlighting. You may need to change these to support highlighting when the System Monitor control (Sysmon.ocx in the systemroot\System32 folder) is used in Microsoft Word.

To change from graph view

  1. Open Performance.

  2. Click the srv1326 button or the button on the toolbar.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • You can also change display type by changing the Type setting on the General tab of the System Monitor Properties dialog box.

  • The counter data and path properties are displayed differently in a System Monitor report than they are in a graph. In report view, information is displayed in columns, with counter names and data values grouped by their associated performance objects, and separate columns for each instance and its data.

    The values found on the value bar in a graph are not included. Using the General tab of the System Monitor Properties dialog box, you can choose a single value to be displayed in the report: last (default), current, average, minimum, or maximum. The default value for reports based on current activity is current and for logged activity is average.

  • If you choose average, minimum, or maximum statistics in the Report view, the statistic is calculated at each sample interval. This incurs some additional performance overhead.

  • In histogram view, the chart lines are replaced by bars. The remainder of the display is identical to the graph view.

  • If selected, the toolbar remains displayed for all views.

To add titles, grids, and other attributes

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

  3. On the Graph tab, specify the graph options you want to use.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • The default minimum and maximum scale values are 0 and 100, respectively.

  • To change the grid color, use the Colors tab.

  • To add or remove the legend, statistics, or the toolbar, use the General tab.

  • To change border style or appearance, use the General tab.

To change background, chart, text, and other colors

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

    On the Colors tab, in Property Name, specify the display attribute for which you want to change the color. The available attributes are:

    • BackColorCtl. The background color that surrounds the window area where data is charted.

    • BackColor. The background color of the window area where counter data is charted.

    • ForeColor. The text color.

    • GridColor. The color used for vertical and horizontal grid lines.

    • TimerBarColor. The color used for the timer bar.

    Associate the attribute with a color in one of the following ways:

    • Click the colored button for the color you want to associate with the attribute.

    • In System Color, select a screen element. Selecting a screen element makes the selected attribute the same color as the screen element. You can define screen-element colors in the dialog box that appears when you double-click the Display icon in Control Panel.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To change font properties

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Properties.

  3. On the Fonts tab, set any font options you want. The options include Font, Style, Size, and Effects.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

Work with data

  • Copy data between windows

  • Print performance data

  • Save data to an HTML file

  • Collect data in a Word document

  • Collect performance data using WMI

To copy counter data between instances of System Monitor

  1. Open Performance.

  2. In the System Monitor details pane, click the Copy Properties button on the toolbar.

    This copies all current properties, in HTML format, to the Windows Clipboard.

  3. Open another instance of System Monitor and click the Paste Counter List button on the toolbar to load the counter path data from the Clipboard into the current window.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To print performance data

  1. Open Performance.

  2. Press ALT+PRINT SCREEN to copy a view of the active window.

  3. Click Start, point to Programs, point to Accessories, and click Paint.

  4. On the Edit menu, click Paste.

    If prompted with the alert message The image in the Clipboard is larger than the bitmap. Would you like the bitmap enlarged?, click Yes.

  5. On the File menu, click Print.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • You can also print performance data if you:

    • Add the System Monitor control to a Microsoft Office application such as Microsoft Word or Microsoft Excel and print from that program.

    • Save the performance data as an HTML file and print it from Internet Explorer or another program.

    • Import a log file in comma-separated (.csv) or tab-separated (.tsv) format into a Microsoft Excel spreadsheet and print from that application.

To save graph data as an HTML page

  1. Open Performance.

  2. Add counters to a graph.

  3. Right-click the displayed graph and click Save As.

  4. In the Save As dialog box, select a path and type the name of the new HTML file. By default, this is stored on the root volume under My Documents.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • You can also import counter data from an HTML file into System Monitor, or export all properties from System Monitor to an HTML file, by means of the Windows Clipboard. Use the Copy Properties button on the toolbar to transfer the counter properties currently displayed in System Monitor to the Windows Clipboard. Use the Paste Counter List button on the toolbar to transfer properties from the Clipboard to the current window.

To insert the System Monitor control in a Microsoft Word document

  1. Open a Word document and place the insertion point where you want to insert the control.

  2. On the View menu, point to Toolbars and click Control Toolbox.

  3. Click the More Controls icon, and click System Monitor Control.

Notes:

  • The System Monitor control is inserted in the document at the location you selected. The control is currently in design mode, meaning that you can work with it using the Visual Basic editor. Notice that the control assumes the ambient properties of the application. That is, the control defaults to the BackColor, ForeColor, and Font settings for the Word document. To change these settings, or to add counters, click the Exit Design Mode icon to exit design mode.

  • After adding counters and configuring the graph according to your preferences, you can print the performance data or save the document using the appropriate commands provided by Microsoft Word.

  • Use Microsoft Word 97 or later.

To collect performance data using Windows Management Instrumentation (WMI)

  • At a command prompt, type

    mmc.exe perfmon.msc /s /sysmon_wmi

Notes:

  • This procedure obtains performance data by means of WMI instead of the registry.

  • You can also perform this procedure by typing

    perfmon.exe /wmi

Work with settings

  • Save a monitoring console

  • Save log or alert settings to an HTML page

  • Create a custom console

  • Use Windows NT 4.0 Performance Monitor settings files

To save a monitoring console

  1. Open Performance.

  2. Using System Monitor or a tool under Performance Logs and Alerts, configure the tool with the settings you want.

  3. On the Console menu, click Save As, and then type the name you want for this console. The default directory for storing this file is System32 on the root volume.

  4. Click Save.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To save log or alert settings as an HTML page

  1. Open Performance.

  2. Create a log or an alert.

  3. In the details pane, right-click the name of the log or the alert and click Save Settings As. By default, the settings are saved in the user's personal default directory; this is typically My Documents.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To create a custom monitoring console

  1. Open Microsoft Management Console (MMC).

  2. On the Console menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the snap-in list, click ActiveX Control, and then click Add.

  5. In the Insert ActiveX Control wizard, click Next.

    There is a short delay before the next dialog box appears; this is normal.

  6. In Control category, click All Categories.

  7. In Control Type, click System Monitor Control.

  8. Click Next.

    The System Monitor control provides the functionality of System Monitor.

  9. In Select a name for the ActiveX control, type a name for the control, and then click Finish.

Notes:

  • To open MMC, click Start, click Run, and then type mmc.

  • Creating a custom console is useful if you want to have System Monitor hosted in the same console with Event Viewer or another tool.

To use Windows NT 4.0 Performance Monitor settings files

  • At a command prompt, type

    perfmon.exe file_name

    where file_name is the name of the settings file you want to use.

Notes:

  • This procedure will open a Windows 2000 Performance console configured with the settings from the Windows NT 4.0 Performance Monitor settings file.

  • This procedure works for the following types of Windows NT 4.0 Performance Monitor settings files: chart (.pmc), report (.pmr), alert (.pma), and log (.pml).

  • To display the Windows NT 4.0 settings file in System Monitor, the system temporarily converts the file for use with System Monitor but discards the converted version after the console starts. If you want to save the settings file for permanent use with System Monitor, type the following command:

    perfmon.exe /HTMLFILE: converted_file settings_file

    where converted_file is the name you are giving to the converted file and settings_file is the name of the original Windows NT 4.0 settings file.

Create and configure counter logs

  • Create a counter log

  • Add counters to a log

  • Get details about counters

  • Set file parameters for a log

  • Enable Network Segment counters

To create a counter log

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Counter Logs.

    Any existing logs will be listed in the details pane. A green icon indicates that a log is running; a red icon indicates that a log has been stopped.

  3. Right-click a blank area of the details pane, and click New Log Settings.

  4. In Name, type the name of the log, and then click OK.

  5. On the General tab, click Add. Select the counters you want to log.

  6. If you want to change the default file and schedule information, make the changes on the Log Files tab and the Schedule tab.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • To save the counter settings for a log file or alert file, right-click the file in the details pane and click Save Settings As. You can then specify an .htm file in which to save the settings. To reuse the saved settings for a new log or alert, right-click the details pane, and then click New Log Settings From or New Alert Settings From. This is an easy way to generate log settings from an alert configuration.

  • To create or modify a log, you must have Full Control permission for the following registry key, which controls the Performance Logs and Alerts service:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

    Administrators usually have this permission by default. Administrators can grant permission to users by using the Security menu in Regedt32.exe. Grant it sparingly: anyone who can write to this key can define logs and alerts, and an alert can be configured to run a program of the definer's choosing (see To define actions for an alert), so write access to this key amounts to the ability to have the Performance Logs and Alerts service run commands.

    To run the service (which runs in the background when you configure a log), you must have permission to start or otherwise configure services on the system. Administrators have this right by default and can grant it to users by using Group Policy.

    To log data on a remote computer, the Performance Logs and Alerts service must run under an account that has access to the remote system.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information, see Registry Editor Help.
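The permission note above is worth verifying rather than assuming. The following PowerShell script, added here as an example and not part of the original page, lists every principal that holds write rights on the Log Queries key, which is what it takes to add or change a log or alert definition. It assumes Windows PowerShell on a current Windows version where the SysmonLog service key exists (Windows 2000 itself has no PowerShell), and it treats SYSTEM and Administrators as the expected baseline; that baseline list is an assumption to adjust to your own standard.

```powershell
# Added example, not from the original page: audit who can create or modify
# Performance Logs and Alerts definitions by reading the ACL on the
# "Log Queries" key named above. Run elevated so the ACL is readable.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries'
$Baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # assumption

function Get-LogQueriesWriters {
    param([string]$Path = $KeyPath, [string[]]$Expected = $Baseline)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    # SetValue or CreateSubKey is enough to add or alter a log/alert definition;
    # FullControl includes both bits, so it is caught by the same mask.
    $writeRights = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [int][System.Security.AccessControl.RegistryRights]::CreateSubKey

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeRights) -eq 0) { continue }

        $who    = $ace.IdentityReference.Value
        # Anything outside the baseline could define an alert that runs a program
        $status = if ($Expected -contains $who) { 'expected' } else { 'REVIEW' }

        [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Status    = $status
        }
    }
}

Get-LogQueriesWriters | Format-Table -AutoSize
```

Rows marked REVIEW are principals who can change which program an alert runs; inherited entries usually come from the parent Services key, so fixing them there is the durable repair.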

To add counters to a log

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Counter Logs.

  3. In the details pane, double-click the log you want to modify.

  4. On the General tab, click Add. For each counter or group of counters that you want to add to the log, perform the following steps:

    1. To log counters from the computer on which the Performance Logs and Alerts service will run, click Use local computer counters.

      Or, to log counters from a specific computer regardless of where the service is run, click Select counters from computer and specify the name of the computer you want to monitor.

    2. In Performance object, click an object to monitor.

    3. In Performance counters, click one or more counters to monitor.

    4. To monitor all instances of the selected counters, click All Instances. (Binary logs can include instances that are not available at log startup but subsequently become available.)

      Or, to monitor particular instances of the selected counters, click Select Instances From List, and then click an instance or instances to monitor.

    5. Click Add.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When creating a monitoring console for export, make sure to select Use local computer counters. Otherwise, counter logs will obtain data from the computer named in the text box, regardless of where the console file is installed.

  • For a description of a counter, click the counter in Performance counters and then click Explain.

  • To start network monitoring counters, see Enabling Network Segment counters.

  • Some object types have several instances. For example, if a system has multiple processors, the Processor object type will have multiple instances. The PhysicalDisk object type has two instances if a system has two disks. Some object types, such as Memory and Server, have only a single instance. If an object type has multiple instances, you can add counters to track statistics for each instance, or in many cases, for all instances at once. By default, counters are shown with both the instance name and an instance index. To turn off this feature, right-click the System Monitor graph, click Properties, and clear the Allow duplicate counter instances check box.

To get details about counters

  1. Open Performance.

  2. Right-click the System Monitor details pane and click Add Counters.

  3. In Performance object, click an object.

  4. In Performance counters, click the counter for which you want information.

  5. Click Explain.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When working with System Monitor, you can match a line in a graph with the counter for which it is charting values. To do so, double-click a position in the line. The counter will be selected in the legend. If chart lines are close together, try to find a point in the graph where they diverge. Otherwise, System Monitor may have difficulty pinpointing the value you are interested in.

  • For more complete information about performance counters, see the Windows 2000 Performance Counter Reference (Counters.chm) on the Windows 2000 Resource Kit companion disc.

To set file parameters for a log

  1. Open Performance.

  2. Double-click Performance Logs and Alerts.

  3. To set file properties for a counter log, click Counter Logs.

    Or, to set file properties for a trace log, click Trace Logs.

  4. In the details pane, double-click the log.

  5. On the Log Files tab, complete the following options:

    • Log File Name. Select file-naming parameters using the following options:

      • Location. Type the name of the folder where you want the log file created, or click Browse to search for the folder.

      • File name. Type a partial or base name for the log file. You can use File name in conjunction with End file names with if appropriate.

      • End file names with. Select this and choose the suffix style you want from the list. Use End file names with to distinguish between individual log files that share the same base name in a group of logs that have been automatically generated.

      • Start numbering at. Set this to the start number for automatic file numbering when you select nnnnnn under End file names with.

    • Log file type. In the list, select the format you want for this log file:

      • Text File-CSV (counter logs). A comma-delimited log file (.csv extension). Use this format to export the log data to a spreadsheet program.

      • Text File-TSV (counter logs). A tab-delimited log file (.tsv extension). Use this format to export the log data to a spreadsheet program.

      • Binary File (counter logs). A sequential, binary-format log file (.blg extension). Use this format if you want to record data for instances that are intermittent, that is, instances that stop and resume after the log has begun running. Nonbinary file formats cannot accommodate instances that are not present throughout the duration of the log.

      • Binary Circular File (counter logs). A circular, binary-format log file (.blg extension). Use this format to record data continuously to the same log file, overwriting previous records with new data.

      • Circular Trace File (trace logs). A circular trace log file (.etl extension). Use this format to record data continuously to the same log file, overwriting previous records with new data.

      • Sequential Trace File (trace logs). A sequential trace log file (.etl extension) that collects data until it reaches a user-defined limit and then closes and starts a new file.

    • Comment. If appropriate, type a comment or description for the log file.

    • Log file size. Decide, using the following options, whether or not you want to limit the size of the log file:

      • Maximum limit. When you select this option, data is continuously collected in a log file until it reaches limits set by disk quotas or the operating system.

      • Limit of. To define a size limit for the log file, specify the maximum size. (For counter logs, specify the maximum size in kilobytes, up to two gigabytes. For trace logs, specify the maximum size in megabytes.) Select this option if you want to do circular logging. There is a

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • Windows generates an error message if available disk space falls below a specified minimum. If you choose to allow the file to grow to its maximum size, consider the available space on your disk and any quotas that may be in effect. An error might occur if you run out of disk space due to logging. The Log file size option works in conjunction with the When the log file is full option on the Schedule tab.

  • When you select a log file–size limit, the stop option When the log file is full reflects the size limit typed here.

  • The File name can identify a group of log files with similar parameters.

  • The End file names with suffix can be a numeric sequence or a character string indicating the date and time the log was started. For example, you might define the File name "DailyLog" and the Performance Logs and Alerts service would append the date as a suffix for each file so that you might have a series of files named as follows: DailyLog_010198, DailyLog_010298, for each day the log is run.

  • The comment text and the file name appear in the details pane in the Performance Logs and Alerts console window.

Enabling Network Segment counters

You must install the Network Monitor Driver in order to collect performance data using the Network Segment object counters. See To install the Network Monitor Driver for more information.

Create and configure trace logs

  • Create a trace log

  • Define trace providers and events

  • Define trace buffers

To create a trace log

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Trace Logs.

    Any existing logs will be listed in the details pane. A green icon indicates that the logs are running; a red icon indicates logs have been stopped.

  3. Right-click a blank area of the details pane, and click New Log Settings.

  4. In Name, type the name of the trace log you want to create, and then click OK.

    By default, the log file is created in the PerfLogs folder in your root directory, a sequence number is appended to the file name you entered, and the file uses the sequential trace file type with the .etl extension. Use the Log Files and Advanced tabs to modify these parameters or define other parameters for your log. To define providers and events to log, use the General tab. To specify when you want logging to occur, use the Schedule tab.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • To save the settings for a log file, right-click the file in the details pane, and click Save Settings As. You can then specify an .htm file in which to save the settings. To reuse the saved settings for a new log, right-click the details pane, and click New Log Settings From.

  • In order to create or modify a log configuration, you must have Full Control access to the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

    In general, administrators have this access by default. Administrators can grant access to users using the Security menu in Regedt32.exe. In addition, to run the Performance Logs and Alerts service (which is installed by Setup and runs in the background when you configure a log to run), you must have the right to start or otherwise configure services on the system. Administrators have this right by default and can grant it to users by using Group Policy.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information, see Registry Editor Help.

To define trace log providers and events

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Trace Logs.

  3. In the details pane, double-click the log.

  4. For a list of the installed providers and their status (enabled or not), click Provider Status. By default, the Nonsystem providers option is selected to keep trace-logging overhead to a minimum.

  5. If you click Events logged by system provider, a default provider (the Windows kernel trace provider) is used to monitor processes, threads, and other activity. To define events for logging, click the check boxes as appropriate.

  6. If you click Nonsystem providers, you can select the data providers you want —for example, if you have written your own providers. Use the Add or Remove buttons as needed.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • Trace logging of file details and page faults can generate an extremely large amount of data. It is recommended that you limit trace logging using the file details and page fault options to a maximum of two hours.

  • Only one instance of each trace provider can be enabled at any given time.

To define trace log buffers

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and click Trace Logs.

  3. In the details pane, double-click the log.

  4. Click the Advanced tab.

  5. In Buffer size, specify the size of the buffer you want to be used for trace data in kilobytes.

  6. In Minimum, specify the smallest number of buffers you want used for trace data.

  7. In Maximum, specify the largest number of buffers you want used for trace data.

  8. To have the trace provider periodically flush the buffers, select the Transfer data from buffers to log file every check box and specify the transfer interval in seconds.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

Create and configure alerts

  • Create an alert

  • Define counters and thresholds for an alert

  • Define actions for an alert

To create an alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Alerts.

    Any existing alerts will be listed in the details pane. A green icon indicates that the alerts are running; a red icon indicates alerts have been stopped.

  3. Right-click a blank area of the details pane and click New Alert Settings.

  4. In Name, type the name of the alert, and then click OK.

  5. To define a comment for your alert, along with counters, alert thresholds, and the sample interval, use the General tab. To define actions that should occur when counter data triggers an alert, use the Action tab, and to define when the service should begin scanning for alerts, use the Schedule tab.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • To save the counter settings for a log file or alert file, right-click the file in the details pane, and click Save Settings As. You can then specify an .htm file in which to save the settings. To reuse the saved settings for a new log or alert, right-click the details pane, and click New Log Settings From or New Alert Settings From. This is an easy way to generate log settings from an alert configuration.

  • You must have Full Control access to a subkey in the registry in order to create or modify a log configuration. The subkey is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

    In general, administrators have this access by default. Administrators can grant access to users using the Security menu in Regedt32.exe. In addition, to run the Performance Logs and Alerts service (which is installed by Setup and runs in the background when you configure a log to run), you must have the right to start or otherwise configure services on the system. Administrators have this right by default and can grant it to users by using Group Policy.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information, see Registry Editor Help.

To define counters and thresholds for an alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Alerts.

  3. In the details pane, double-click the alert.

  4. In Comment, type a comment to describe the alert as needed.

  5. Click Add.

    For each counter or group of counters that you want to add to the alert, perform the following steps:

    1. To monitor counters from the computer on which the Performance Logs and Alerts service will run, click Use local computer counters.

      Or, to monitor counters from a specific computer regardless of where the service is run, click Select counters from computer and specify the name of the computer you want to monitor.

    2. In Performance object, click an object to monitor.

    3. In Performance counters, click one or more counters to monitor.

    4. To monitor all instances of the selected counters, click All Instances.

      Or, to monitor particular instances of the selected counters, click Select Instances From List, and then click an instance or instances to monitor.

    5. Click Add.

  6. In Alert when the value is, specify Under or Over, and in Limit, specify the value that triggers the alert.

  7. In Sample data every, specify the amount and the unit of measure for the update interval.

  8. Complete the alert configuration using the Action and Schedule tabs.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When creating a monitoring console for export, be sure to select Use local computer counters. Otherwise, the alert will obtain data from the computer named in the text box, regardless of where the console file is installed.

  • To start network monitoring counters, see Enabling Network Segment counters.

  • Some object types have several instances. For example, if a system has multiple processors, the Processor object type will have multiple instances. The PhysicalDisk object type has two instances if a system has two disks. Some object types, such as Memory and Server, have only a single instance. If an object type has multiple instances, you can add counters to track statistics for each instance, or in many cases, for all instances at once.

To define actions for an alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Alerts.

  3. In the details pane, double-click the alert.

  4. Click the Action tab.

  5. To have the Performance Logs and Alerts service create an entry visible in Event Viewer, select Log an entry in the application event log.

  6. To have the service trigger the Messenger service to send a message, select Send a network message to and type the name of the computer on which the alert message should be displayed.

  7. To run a counter log when an alert occurs, select Start performance data log and specify the counter log you want to run.

  8. To have a program run when an alert occurs, select Run this program and type the file path and name or click Browse to locate the file. When an alert occurs, the service creates a process and runs the specified command file. The service also copies any command-line arguments you define to the command line that is used to run the file. Click Command Line Arguments and select the appropriate check boxes for arguments to include when the program is run.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • The program runs in a process created by the Performance Logs and Alerts service, not by the user who defined the alert. Choose a program whose file and folder can be modified only by administrators, and keep in mind that anyone who can modify the alert (see the registry permission note under To create an alert) can change which program runs.
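The two procedures above (thresholds on the General tab, actions on the Action tab) describe a sampling loop: read a counter every interval, compare it with a limit, and on a hit run a program with the date, counter name, measured value and limit as arguments. The following PowerShell, added here as an example and not code from the original page, reproduces that loop so the behaviour can be seen outside the console. It assumes a current Windows version with Windows PowerShell 3 or later (Get-Counter); the counter, the 90 percent limit and the notification program path are assumptions for illustration.

```powershell
# Added example, not from the original page: a minimal alert scan mirroring
# the General and Action tab settings (counter, Over/Under, Limit,
# Sample data every, Run this program with Command Line Arguments).

function Test-AlertCondition {
    # Pure comparison, kept separate so it can be checked without live counters
    param([double]$Value, [ValidateSet('Over','Under')][string]$When, [double]$Limit)
    if ($When -eq 'Over') { return ($Value -gt $Limit) }
    return ($Value -lt $Limit)
}

function Invoke-CounterAlertScan {
    param(
        [string]$CounterPath = '\Processor(_Total)\% Processor Time',
        [ValidateSet('Over','Under')][string]$When = 'Over',
        [double]$Limit = 90,
        [int]$SampleIntervalSeconds = 5,
        [int]$Samples = 12,
        [string]$Program = ''       # e.g. 'C:\Tools\notify-oncall.cmd' (assumption)
    )
    $hits = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $sample = (Get-Counter -Counter $CounterPath).CounterSamples[0]
        $value  = [math]::Round($sample.CookedValue, 2)

        if (Test-AlertCondition -Value $value -When $When -Limit $Limit) {
            $hit = [pscustomobject]@{
                Time = Get-Date; Counter = $CounterPath; Value = $value; Limit = $Limit
            }
            $hits += $hit

            # Same fields the console offers under Command Line Arguments:
            # date/time, counter name, measured value, limit value.
            $argLine = '"{0:yyyy-MM-dd HH:mm:ss}" "{1}" {2} {3}' -f $hit.Time, $CounterPath, $value, $Limit

            if ($Program) {
                # Here the program runs as the user running this script; the
                # console's own action runs under the service account instead.
                Start-Process -FilePath $Program -ArgumentList $argLine
            }
        }
        Start-Sleep -Seconds $SampleIntervalSeconds
    }
    return $hits
}

# 12 samples, 5 seconds apart, alert when CPU is over 90 percent
Invoke-CounterAlertScan -When Over -Limit 90 | Format-Table -AutoSize
```

The "Log an entry in the application event log" action is the one piece left out: Write-EventLog needs a registered event source, which requires a one-time elevated New-EventLog call, and that registration is outside what this page describes.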

Work with logs and alerts

  • Start or stop a counter log, trace log, or alert

  • Remove counters from a log or alert

  • View or change properties of a log or alert

  • Define start or stop parameters for a log or alert

  • Delete a log or alert

To start or stop a counter log, trace log, or alert manually

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and click Counter Logs, Trace Logs, or Alerts.

  3. In the details pane, right-click the name of the log or alert you want to start or stop, and click Start to begin the logging or alert activity you defined, or click Stop to terminate the activity.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • There may be a slight delay before the log or alert starts or stops, indicated when the icon changes color (from green for started to red for stopped, and vice versa).

To remove counters from a log or alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Counter Logs or Alerts.

  3. In the details pane, double-click the name of the log or alert.

  4. Under Counters, click the counter you want to remove, and then click Remove.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

To view or change properties of a log or alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts.

  3. Click Counter Logs, Trace Logs, or Alerts.

  4. In the details pane, double-click the name of the log or alert.

  5. View or change the log properties as needed.

    The properties you can define for each tool, and the tab on which to define them, are:

    • Alerts. Comment, counters, alert thresholds, and update interval: General tab.

    • Alerts. Actions to take when an alert occurs (run a program, send a message, start a counter log, update the event log): Action tab.

    • Counter logs. Counters and update interval: General tab.

    • Counter logs. Log file comment, file type, file size limits, path and name, automatic naming parameters: Log Files tab.

    • Counter logs. Manual or automated start and stop methods and schedule: Schedule tab.

    • Trace logs. Providers and events to log: General tab.

    • Trace logs. Comment, file size limits, path and name, automatic naming parameters: Log Files tab.

    • Trace logs. Buffer size, limits, and transfer interval: Advanced tab.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • To start or stop a log or alert, right-click its name in the details pane, and click Start or Stop as appropriate.

To define start or stop parameters for a log or alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts, and then click Counter Logs, Trace Logs, or Alerts.

  3. In the details pane, double-click the name of the log or alert.

  4. Click the Schedule tab.

    Under Start log, click one of the following options:

    • To start the log or alert manually, click Manually. When this option is selected, to start the log or alert, right-click the log name in the details pane, and click Start.

    • To start the log or alert at a specific time and date, click At, and then specify the time and date.

    Under Stop log, select one of the following options:

    • To stop the log or alert manually, click Manually. When this option is selected, to stop the log or alert, right-click the log or alert name in the details pane, and click Stop.

    • To stop the log or alert after a specified duration, click After, and then specify the number of intervals and the type of interval (days, hours, and so on).

    • To stop the log or alert at a specific time and date, click At, and then specify the time and date. (The year box accepts four characters; the others accept two characters.)

      To stop a log when the log file becomes full, select options as follows:

      • For counter logs, click When the log file is full. The file will continue to accumulate data according to the file-size limit you set on the Log Files tab (in kilobytes up to two gigabytes).

      • For trace logs, click When the n-MB log file is full. The file will continue to accumulate data according to the file-size limit you set on the Log Files tab (in megabytes).

      When setting this option, take into consideration your available disk space and any disk quotas that are in place. An error might occur if your disk runs out of disk space due to logging.

    Complete the properties as appropriate for logs or alerts:

    • For logs, under When a log file closes, select the appropriate option:

      • If you want to configure a circular (continuous, automated) counter or trace logging, select Start a new log file.

      • If you want to run a program after the log file stops (for example, a copy command for transferring completed logs to an archive site), select Run this command. Also type the path and file name of the program to run, or click Browse to locate the program.

    • For alerts, under When an alert scan finishes, select Start a new alert scan if you want to configure continuous alert scanning.

Notes:

  • To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

  • When you schedule a log to close at a specific time and date or close the log manually, the Start a new log file option is unavailable.

To delete a log or alert

  1. Open Performance.

  2. Double-click Performance Logs and Alerts.

  3. Click Counter Logs, Trace Logs, or Alerts.

  4. In the details pane, right-click the name of the log or alert, and click Delete.

Note: To open Performance, click Start, point to Programs, point to Administrative Tools, and then click Performance.

Concepts

This section provides general background information about Windows 2000 performance monitoring tools:

  • Introduction to Performance

  • Understanding Performance

  • Using Performance

  • Resources

Introduction to Performance

Windows 2000 provides the following tools for monitoring resource usage on your computer:

  • System Monitor

  • Performance Logs and Alerts

Monitoring system performance is an important part of maintaining and administering your Windows 2000 installation. You use performance data to:

  • Understand your workload and the corresponding effect on your system's resources.

  • Observe changes and trends in workloads and resource usage so you can plan for future upgrades.

  • Test configuration changes or other tuning efforts by monitoring the results.

  • Diagnose problems and target components or processes for optimization.

System Monitor and Performance Logs and Alerts provide detailed data about the resources used by specific components of the operating system and by server programs that have been designed to collect performance data. The graphs provide a display for performance-monitoring data; logs provide recording capabilities for the data. Alerts send notification to users by means of the Messenger service when a counter value reaches, rises above, or falls below a defined threshold.

Microsoft technical support often uses the results of performance monitoring in problem diagnosis. Therefore, Microsoft recommends that you monitor system performance as part of your administrative routine.

Note: Task Manager is another tool that provides performance information about systems running Windows 2000. Task Manager presents a snapshot of programs and processes that are running on your computer, plus a summary of its processor and memory usage. For information about Task Manager, see Task Manager Help.

For overviews of the performance monitoring tools, see:

  • System Monitor overview

  • Performance Logs and Alerts overview

System Monitor overview

With System Monitor, you can measure the performance of your own computer or other computers on a network:

  • Collect and view real-time performance data on a local computer or from several remote computers.

  • View data collected either currently or previously in a counter log.

  • Present data in a printable graph, histogram, or report view.

  • Incorporate System Monitor functionality into Microsoft Word or other applications in the Microsoft Office suite by means of Automation.

  • Create HTML pages from performance views.

  • Create reusable monitoring configurations that can be installed on other computers using Microsoft Management Console.

With System Monitor, you can collect and view extensive data about the usage of hardware resources and the activity of system services on computers you administer. You can define the data you want the graph to collect in the following ways:

  • Type of data. To select the data to be collected, you specify performance objects, performance counters, and object instances.

    Some objects provide data on system resources (such as memory); others provide data on the operation of applications (for example, system services or Microsoft BackOffice applications running on your computer).

  • Source of data. System Monitor can collect data from your local computer or from other computers on the network where you have permission. (By default, administrative permission is required.) In addition, you can include real-time data or data collected previously using counter logs.

  • Sampling parameters. System Monitor supports manual, on-demand sampling or automatic sampling based on a time interval you specify. When viewing logged data, you can also choose starting and stopping times so that you can view data spanning a specific time range.

In addition to options for defining data content, you have considerable flexibility in designing the appearance of your System Monitor views:

  • Type of display. System Monitor supports graph, histogram, and report views. The graph view is the default view; it offers the widest variety of optional settings.

  • Display characteristics. For any of the three views, you can define the colors and fonts for the display. In graph and histogram views, you can select from many different options when you view performance data:

    • Provide a title for your graph or histogram and label the vertical axis.

    • Set the range of values depicted in your graph or histogram.

    • Adjust the characteristics of lines or bars plotted to indicate counter values, including color, width, style, and so on.

    You can further extend use of System Monitor by incorporating its functionality into Microsoft Word or other Microsoft applications by means of Automation.

For more information about the performance monitoring process, see Introduction to Performance.

For more information about the System Monitor user interface, see System Monitor interface.

Performance Logs and Alerts overview

With Performance Logs and Alerts you can collect performance data automatically from local or remote computers. You can view logged counter data using System Monitor or export the data to spreadsheet programs or databases for analysis and report generation. Performance Logs and Alerts offers the following capabilities:

  • Performance Logs and Alerts collects data in a comma-separated or tab-separated format for easy import to spreadsheet programs. A binary log-file format is also provided for circular logging or for logging instances such as threads or processes that may begin after the log starts collecting data. (Circular logging is the process of continuously logging data to a single file, overwriting previous data with new data.)

  • Counter data collected by Performance Logs and Alerts can be viewed during collection as well as after collection has stopped.

  • Because logging runs as a service, data collection occurs regardless of whether any user is logged on to the computer being monitored.

  • You can define start and stop times, file names, file sizes, and other parameters for automatic log generation.

  • You can manage multiple logging sessions from a single console window.

  • You can set an alert on a counter, thereby defining that a message be sent, a program be run, or a log be started when the selected counter's value exceeds or falls below a specified setting.

Similar to System Monitor, Performance Logs and Alerts supports defining performance objects, performance counters, and object instances, and setting sampling intervals for monitoring data about hardware resources and system services. Performance Logs and Alerts also offers other options related to recording performance data:

  • Start and stop logging either manually on demand, or automatically based on a user-defined schedule.

  • Configure additional settings for automatic logging, such as automatic file renaming, and set parameters for stopping and starting a log based on the elapsed time or the file size.

  • Create trace logs. Using the default system data provider or another provider, trace logs record data when certain activities such as a disk I/O operation or a page fault occur. When the event occurs, the provider sends the data to the Performance Logs and Alerts service. This differs from the operation of counter logs; when counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event. A parsing tool is required to interpret the trace log output. Developers can create such a tool using application programming interfaces (APIs) provided on the Microsoft Web site (http://msdn.microsoft.com/ ).

  • Define a program that runs when a log is stopped.

Notes:

  • If you want to export log data to Microsoft Excel, the Performance Logs and Alerts service must be stopped because Microsoft Excel requires exclusive access to the log file. Other programs are not known to require this exclusive access; therefore, in general you can work with data from a log file while the service is collecting data to that file.

  • For more information about the Performance Logs and Alerts user interface, see Performance Logs and Alerts interface.

Understanding Performance

This section describes the design and operation of System Monitor and Performance Logs and Alerts:

  • Performance objects and counters

  • Performance tool architecture

  • Performance monitoring in Windows NT 4.0 and Windows 2000

Performance objects and counters

Windows 2000 obtains performance data from components in your computer. As a system component performs work on your system, it generates performance data. That data is described as a performance object and is typically named for the component generating the data. For example, the Processor object is a collection of performance data about processors on your system.

A range of performance objects are built into the operating system, typically corresponding to the major hardware components such as memory, processors, and so on; other programs may install their own performance objects. For example, services such as WINS or server programs such as Microsoft Exchange provide performance objects, and performance graphs and logs can monitor these objects.

Each performance object provides counters that represent data on specific aspects of a system or service. For example, the Pages/sec counter provided by the Memory object tracks the rate of memory paging.

Although your system may typically make available many more objects, the default objects you'll use most frequently to monitor system components are:

  • Cache

  • Memory

  • Objects

  • Paging File

  • PhysicalDisk

  • Process

  • Processor

  • Server

  • System

  • Thread

The following services or features of Windows 2000 that you may be using in your configuration provide performance objects (each entry gives the feature or service to monitor, followed by the performance objects available):

  • TCP/IP: ICMP, IP, NBT, TCP, and UDP objects

  • NetBEUI: NetBEUI and NetBEUI resource objects

  • Browser, Workstation, and Server services: Browser, Redirector, and Server objects

  • QoS Admission Control: ACS/RSVP Service and Interface objects

  • Windows Internet Name Service (WINS): WINS object

  • Connection Point Services: PBServer Monitor object

  • Indexing Service: Indexing Service, Indexing Service Filter, and Http Indexing Service objects

  • Directory service: NTDS object

  • Print server activity: Print queue object

For a description of the data provided by a particular counter associated with a performance object, click Explain in the Add Counters dialog box. For information about adding counters, see To add counters to System Monitor.

Although some objects (such as Memory and Server) have only a single instance, some performance objects can have multiple instances. If an object has multiple instances, you can add counters to track statistics for each instance, or for all instances at once.

Depending on how the counter was defined, its value may be:

  • The most recent measurement of an aspect of resource utilization. These are also called instantaneous counters.

    An example is Process\ Thread Count, which shows the number of threads for a particular process as of the last time this was measured.

  • The average of the last two measurements over the period between samples. (Because counters are never cleared, this is actually an average of the difference between the measurements.)

    An example is Memory\ Pages/sec, a rate per second based on the average number of memory pages during the last two samples.

    Other counter types can be defined as described in the Platform Software Development Kit.

The combination of computer name, object, counter, instance, and instance index is known as the counter path. The counter path is typically shown in the tools as follows:

Computer_name\Object_name(Instance_name#Index_Number)\Counter_name
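The two counter kinds and the counter path layout described above, worked through as an added Python example (not from the Help text or any Microsoft tool): a parser that splits a counter path into computer, object, instance, index and counter, and the two ways a counter value is derived from raw measurements. The sample paths and page counts are constructed; the parser also accepts the Help text's "Object\ Counter" spelling with a space after the backslash.

```python
"""Added example, not part of the Windows 2000 Help text: parse a counter path
into its parts and derive a counter value for each of the two counter kinds
described above (an instantaneous value, and a per-second rate computed from
the raw, never-cleared measurements)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Counter path layout from the text:
#   Computer_name\Object_name(Instance_name#Index_Number)\Counter_name
# The leading \\Computer_name part, the (Instance) part and the #Index inside
# it are each optional. The Help text writes paths with a space after the
# backslash (for example "Memory\ Pages/sec"); that space is removed first.
_PATH_RE = re.compile(
    r"^(?:\\\\(?P<computer>[^\\]+))?"                  # optional \\Computer
    r"\\?(?P<object>[^\\(]+?)"                          # Object
    r"(?:\((?P<instance>.*?)(?:#(?P<index>\d+))?\))?"   # optional (Instance#Index)
    r"\\(?P<counter>.+)$"                               # \Counter
)


@dataclass(frozen=True)
class CounterPath:
    computer: Optional[str]   # None for the local computer
    obj: str                  # performance object, e.g. "Processor"
    instance: Optional[str]   # None for single-instance objects such as Memory
    index: Optional[int]      # duplicate-instance index shown after "#"
    counter: str              # e.g. "% Processor Time"

    def __str__(self) -> str:
        """Rebuild the path in PDH form (leading backslash before the object)."""
        text = f"\\\\{self.computer}" if self.computer else ""
        text += f"\\{self.obj}"
        if self.instance is not None:
            text += f"({self.instance}"
            if self.index is not None:
                text += f"#{self.index}"
            text += ")"
        return text + f"\\{self.counter}"


def parse_counter_path(path: str) -> CounterPath:
    """Split a counter path into computer, object, instance, index and counter."""
    match = _PATH_RE.match(path.replace("\\ ", "\\"))
    if match is None:
        raise ValueError(f"not a counter path: {path!r}")
    index = match.group("index")
    return CounterPath(
        computer=match.group("computer"),
        obj=match.group("object"),
        instance=match.group("instance"),
        index=int(index) if index is not None else None,
        counter=match.group("counter"),
    )


@dataclass(frozen=True)
class RawSample:
    seconds: float  # time of the measurement, in seconds
    value: float    # raw counter value as kept by the system (never cleared)


def instantaneous(samples: List[RawSample]) -> float:
    """Instantaneous counter (for example Process\\ Thread Count): the most
    recent measurement is reported as is."""
    return samples[-1].value


def rate_per_second(samples: List[RawSample]) -> float:
    """Rate counter (for example Memory\\ Pages/sec): the difference between
    the last two raw measurements divided by the time elapsed between them."""
    if len(samples) < 2:
        raise ValueError("a rate needs two measurements")
    prev, cur = samples[-2], samples[-1]
    elapsed = cur.seconds - prev.seconds
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    return (cur.value - prev.value) / elapsed


if __name__ == "__main__":
    for text in (r"\\SRV1\Processor(_Total)\% Processor Time",
                 r"Process(svchost#2)\Thread Count", "Memory\\ Pages/sec"):
        p = parse_counter_path(text)
        print(f"{text!r} -> computer={p.computer} object={p.obj} "
              f"instance={p.instance} index={p.index} counter={p.counter}")
    # Constructed raw page counts sampled 15 seconds apart: 300 pages in 15 s.
    pages = [RawSample(0.0, 10000), RawSample(15.0, 10300)]
    print("Pages/sec:", rate_per_second(pages))  # 20.0
```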

Performance tool architecture

Various levels of the Windows architecture support operation of System Monitor and Performance Logs and Alerts. For example, the performance tools obtain data by default by means of the registry. You may optionally collect data by means of the Windows Management Instrumentation (WMI) interface for hardware resources or applications installed on the system. The Performance Data Helper dynamic-link library (DLL) acts as an intermediary between the WMI and the performance tools to format the data and make calculations, where necessary, to convert raw data for display or reporting. For information about configuring performance tools to collect data using WMI, see To collect performance data using WMI.

DLLs supplied by the operating system provide counters for monitoring the behavior of resources such as memory, processors, disks, and network adapters and protocols. In addition, many Windows services and BackOffice applications provide their own DLLs that install counters that you can use to monitor their operation.

System Monitor and Performance Logs and Alerts use the Remote Registry service process that manages user logon and logoff operations for remote monitoring connections. In addition, they use the Messenger service in Windows for sending users alert notification. (This service must be running for alert notifications to be received.)

Performance monitoring in Windows NT 4.0 and Windows 2000

The enhanced features of System Monitor and Performance Logs and Alerts replace the functionality of the Windows NT 4.0 Performance Monitor. You can use these tools to open settings files created in Windows NT 4.0 Performance Monitor.

The Windows 2000 Resource Kit provides the Windows NT 4.0 version of Performance Monitor (perfmon4.exe).

Using the performance tools

This section covers:

  • Setting up a monitoring configuration

  • Quick reference to System Monitor settings

  • System Monitor toolbar reference

  • System Monitor interface

  • Performance Logs and Alerts interface

  • Analyzing performance data

  • Solving performance problems

  • Evaluating trends and planning for additional resources

Setting up a monitoring configuration

Setting up a monitoring configuration is the first step in evaluating your system's performance. To monitor your Windows 2000 installation, you can choose to view data in a graph or collect the data in log files for use in other applications.

Note: For best results, read the following sections for setting up your monitoring configuration. However, to get started quickly, you can use the predefined log settings under Counter Logs. These settings, named System Overview, are configured to create a binary log that, after manual start-up, updates every 15 seconds and logs continuously until it achieves a maximum size. If you start logging with these settings, data is saved to the Perflogs folder on the root directory and includes the counters: Memory\ Pages/sec, PhysicalDisk(_Total)\Avg. Disk Queue Length, and Processor(_Total)\ % Processor Time.

Choosing the monitoring method

Graphs are useful for short-term, real-time monitoring of a local or remote computer — for example, when you want to observe a system event while it's happening. Choose the update interval so as to capture the type of activity you are interested in. Logs are useful for record keeping and for extended monitoring, especially of a remote computer; logged data can be exported for report generation and presented as graphs or histograms using System Monitor. Logging is the most practical way to monitor multiple computers.

Choosing how often to monitor

For routine monitoring, start by logging activity over 15-minute intervals. If you are monitoring for a specific problem, you might want to vary the interval. If you are monitoring activity of a specific process at a specific time, set a frequent update interval; however, if you are monitoring a problem that manifests itself slowly, such as a memory leak, use a longer interval.

Also consider the overall length of time you want to monitor when choosing this interval. Updating every 15 seconds is reasonable if you'll be monitoring for no more than four hours. If you'll be monitoring a system for eight hours or more, don't set an interval shorter than 300 seconds (five minutes). Setting the update interval to a frequent rate (low value) can cause the system to generate a large amount of data, which can be difficult to work with and can increase the overhead of running Performance Logs and Alerts.

Monitoring a large number of objects and counters can also generate large amounts of data and consume disk space. Try to strike a balance between the number of objects you monitor and the sampling frequency to keep log file size within manageable limits.

If you prefer to maintain a long update interval when logging, you can still view data fluctuations that occur between those intervals. To do so, see To use logged data for information about manipulating time ranges within logs.

Choosing what data to monitor

Start by monitoring the activity of the following components in order:

  • Memory

  • Processors

  • Disks

  • Network

The following list shows the minimum counters recommended for server monitoring, grouped by component and by the performance aspect being monitored. When examining specific resources, you should include other counters for the associated performance object.

  • Disk usage:

    • Physical Disk\ Disk Reads/sec

    • Physical Disk\ Disk Writes/sec

    • LogicalDisk\ % Free Space

    Interpret the % Disk Time counter carefully. Because the _Total instance of this counter may not accurately reflect utilization on multiple-disk systems, it is important to use the % Idle Time counter as well. Note that these counters cannot display a value exceeding 100%.

  • Disk bottlenecks:

    • Physical Disk\ Avg. Disk Queue Length (all instances)

  • Memory usage:

    • Memory\ Available Bytes

    • Memory\ Cache Bytes

  • Memory bottlenecks or leaks:

    • Memory\ Pages/sec

    • Memory\ Page Reads/sec

    • Memory\ Transition Faults/sec

    • Memory\ Pool Paged Bytes

    • Memory\ Pool Nonpaged Bytes

    Although not specifically Memory object counters, the following are also useful for memory analysis:

    • Paging File\ % Usage (all instances)

    • Cache\ Data Map Hits %

    • Server\ Pool Paged Bytes and Server\ Pool Nonpaged Bytes

  • Network usage:

    • Network Segment\ % Net Utilization

    Note that you must install the Network Monitor driver for Network Monitor in order to use this counter.

  • Network throughput: protocol transmission counters (these vary with the networking protocol); for TCP/IP:

    • Network Interface\ Bytes Total/sec

    • Network Interface\ Packets/sec

    • Server\ Bytes Total/sec, or Server\ Bytes Transmitted/sec and Server\ Bytes Received/sec

    You may want to monitor other objects for network and server throughput as described in Monitoring network activity.

  • Processor usage:

    • Processor\ % Processor Time (all instances)

  • Processor bottlenecks:

    • System\ Processor Queue Length (all instances)

    • Processor\ Interrupts/sec

    • System\ Context Switches/sec

If some of the counters in the preceding list are not available on your computer, verify that you have installed the necessary services or activated the counters. See To enable Network Segment counters for instructions for activating the Network Segment object counters provided by Network Monitor.

Note: Unlike physical-disk counter data, logical-disk counter data is not collected by the operating system by default. To obtain performance counter data for logical drives or storage volumes, you must type diskperf -yv at the command prompt. This causes the disk performance statistics driver used for collecting disk performance data to report data for logical drives or storage volumes. By default, the operating system uses the diskperf -yd command to obtain physical drive data. For more information about using the diskperf command, type diskperf -? at the command prompt.

Choosing the computer to use for monitoring

When monitoring computers remotely, you have some options for how to collect data. For example, you could run performance logging on the administrator's computer, drawing data continuously from each remote computer. In another case, you could have each computer running the service to collect data and, at regular intervals, run a batch program to transfer the data to the administrator's computer for analysis and archiving.

Centralized data collection (that is, collection on a local computer from remote computers that you are monitoring) is simple to implement because only one logging service is running. You can collect data from multiple systems into a single log file. However, it causes additional network traffic and may be restricted by available memory on the administrator's computer. To do centralized data collection, use the Add Counters dialog box to select a remote computer while running System Monitor on your local computer.

Distributed data collection (that is, data collection that occurs on the remote computers you are monitoring) does not incur the memory and network traffic problems of centralized collection. However, it does result in delayed availability of the data, requiring that the collected data be transferred to the administrator's computer for review. To do distributed data collection, use Computer Management on a local computer to select a remote computer on which to collect data.

When monitoring remote computers, note that the remote computer will only allow access to user accounts that have permission to access it. In order to monitor remote systems from your computer, you must start the Performance Logs and Alerts service using an account that has permission to access the remote computers you want to monitor. By default, the service is started under the local computer's "system" account, which generally has permission only to access services and resources on the local computer. To start this under a different account, use Services under Computer Management and update the properties of the Performance Logs and Alerts service.

Keeping records of performance data

When you retain your logged data in a database, you can query the information and include it in reports. Using database analysis tools, you can query results and examine the results in detail using a variety of parameters. You can also use logs for trend analysis and capacity planning.

Exporting your monitoring configuration

After configuring the performance tools with the counters, update intervals, and other settings you want, you can save those settings on your local computer or for export to another computer. If you save the settings under the name Perfmon.msc, note that you are permanently changing the configuration of the tools on the computer. Therefore, it is recommended that you save the file under another name.

In addition to saving monitoring settings, you can add other tools or add multiple copies of System Monitor, for example, if you want to monitor graph and report views simultaneously. For information about adding tools to a console, see To create a custom monitoring console.

Quick Reference to System Monitor settings

For all of the following settings, start by right-clicking the System Monitor details pane and clicking Properties.

Each entry below gives the setting to add or change, followed by the tab on which to do it.

  • View type (graph, histogram, or report): General tab.

  • Objects, counters, and instances (add or delete): Data tab.

    Note: You can also add counters by right-clicking the details pane and clicking Add Counters, or by clicking the Add button on the toolbar. To delete counters, use the Remove button on the Data tab, the DELETE key on the keyboard, or the Delete button on the toolbar. To remove all counters and specify new ones, click the New Counter Set button on the toolbar.

  • Source of data displayed (current data input to the graph, current data input from a log, or archived data input from a log): Source tab.

    Note: You can also use the View Log File Data button on the toolbar to use a log file as the data source, or the View Current Data button to view real-time data.

  • Time range for a log and view time range: Source tab.

  • Update frequency: General tab.

    Note: You can also use the Freeze Display and Update Data buttons on the toolbar to take samples manually.

  • Report or histogram value type (minimum, maximum, or average): General tab.

  • Display of counter legend: General tab.

  • Display of last, minimum, and maximum values for a selected counter (the value bar); allow multiple counter instances: General tab.

  • Color, width, and style of graph line: Data tab.

  • Scale of counter data values: Data tab.

  • Background color of the results pane surrounding the graph area, and color of the graph data-display area: Colors tab.

  • Title of graph: Graph tab.

  • Label on value axis, vertical or horizontal grid lines, and upper and lower limits of graph axes: Graph tab.

  • Font color in graph display or legend: Colors tab.

  • Font type, size, and style: Fonts tab.

  • Grid color and timer bar color: Colors tab.

  • Border style and appearance of graph window: General tab.

  • Toolbar: General tab.

Note: Using report value types other than Current when monitoring real-time data incurs substantial overhead because of the need to make calculations across all samples for each value displayed.

System Monitor toolbar reference

The System Monitor toolbar contains buttons for easy access to commonly used functions. The toolbar provides the following buttons, identified here by function:

  • New Counter Set

  • Clear Display

  • View Current Data

  • View Log File Data

  • View Graph

  • View Histogram

  • View Report

  • Add

  • Delete

  • Paste Counter List

  • Copy Properties

  • Properties

  • Freeze Display

  • Update Data

System Monitor interface

When you open Performance, the graph view and a toolbar appear by default and the graph area is blank. When you have added counters to the graph, after a short delay (depending on the time you select for the update interval), System Monitor will begin charting counter values in this graph area. You can choose to have data updated automatically or on demand; for updating on demand, use the Update Data button to start and stop the collection intervals. Click the Clear Display button to remove all data from the display.

The names and associated information for the counters you select are shown in the columns beneath the graph. This is called the legend. The legend shows the following information:

  • Computer on which System Monitor is running.

  • Performance object.

  • Performance counter.

  • Performance object instance. Note that by default counter instances are listed by name and numerical index. This index appears after the instance name, represented by a pound sign (#) and a number. This index makes it easier to monitor multiple instances, for example, when you are monitoring threads of a process. To turn off the index display, right-click the graph, click Properties, and clear the Allow duplicate counter instances check box.

  • Graphical properties of each counter.

Note: To match a line in a graph with the counter for which it is charting values, double-click a position in the line. The counter will be selected in the legend. If chart lines are close together, try to find a point in the graph where they diverge. Otherwise, System Monitor may not be able to pinpoint the value you are interested in.

Above the columns is the value bar, where you see the last, minimum, maximum, and average values for the counter that is currently selected. These values are calculated over the time period and number of samples displayed in the graph (reflected by the Duration value), not over the time that has elapsed since monitoring was started. The Duration value in the value bar indicates the total elapsed time displayed in the graph (based on the update interval). The movement of the timer bar across the graph indicates the passing of each update interval. Regardless of the update interval, the view will show up to 100 samples. System Monitor compresses log data as necessary to fit it in the display. To see the compressed data in a log, right-click the graph, click Properties, and select a shorter time range on the Source tab. Shorter time ranges contain less data, so it is less likely that data points will be eliminated.
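The value-bar statistics described above, computed over a bounded window of samples, together with the comma-separated log format from the Performance Logs and Alerts overview and the alert conditions (a counter rising above or falling below a setting), as an added Python example that is not from the Help text or any Microsoft tool. The PDH-CSV header layout (a format cell followed by counter paths, a timestamp in each row's first column) and all sample values are constructed for this example.

```python
"""Added example, not part of the Windows 2000 Help text: read a counter log in
the comma-separated (CSV) layout, compute value-bar style statistics over the
samples shown in the display window, and scan the samples for alert conditions."""
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log (values invented). The first header cell names the
# format and time zone; the remaining header cells are counter paths; each
# data row starts with a timestamp. A blank cell means no value was sampled.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (UTC)(0)","\\SRV1\Memory\Pages/sec","\\SRV1\Processor(_Total)\% Processor Time"
"03/14/2001 09:00:00.000","12.5"," "
"03/14/2001 09:00:15.000","80","40"
"03/14/2001 09:00:30.000","150","95"
"03/14/2001 09:00:45.000","20","50"
"03/14/2001 09:01:00.000","10","30"
"03/14/2001 09:01:15.000","30","20"
'''

Row = Tuple[datetime, Dict[str, Optional[float]]]


def parse_csv_log(text: str) -> Tuple[List[str], List[Row]]:
    """Return the counter paths from the header and one (timestamp, values) row per sample."""
    reader = csv.reader(io.StringIO(text))
    paths = next(reader)[1:]
    rows: List[Row] = []
    for record in reader:
        if not record:
            continue
        stamp = datetime.strptime(record[0], "%m/%d/%Y %H:%M:%S.%f")
        values: Dict[str, Optional[float]] = {}
        for path, cell in zip(paths, record[1:]):
            cell = cell.strip()
            values[path] = float(cell) if cell else None  # blank cell: no sample
        rows.append((stamp, values))
    return paths, rows


def value_bar(rows: List[Row], path: str, max_samples: int = 100) -> Dict[str, float]:
    """Last, minimum, maximum and average of one counter over the displayed
    window, which (like the System Monitor graph) holds at most max_samples
    samples. span_seconds is the time between the first and last displayed sample."""
    window = rows[-max_samples:]
    values = [v[path] for _, v in window if v.get(path) is not None]
    if not values:
        raise ValueError(f"no samples for {path!r}")
    return {
        "last": values[-1],
        "minimum": min(values),
        "maximum": max(values),
        "average": sum(values) / len(values),
        "span_seconds": (window[-1][0] - window[0][0]).total_seconds(),
    }


def scan_alerts(rows: List[Row], path: str, over: Optional[float] = None,
                under: Optional[float] = None) -> List[Tuple[datetime, float, str]]:
    """Alert scan: report each sample whose value rises above `over` or falls below `under`."""
    hits: List[Tuple[datetime, float, str]] = []
    for stamp, values in rows:
        value = values.get(path)
        if value is None:
            continue
        if over is not None and value > over:
            hits.append((stamp, value, "over"))
        elif under is not None and value < under:
            hits.append((stamp, value, "under"))
    return hits


if __name__ == "__main__":
    paths, rows = parse_csv_log(SAMPLE_LOG)
    for path in paths:
        print(path, value_bar(rows, path, max_samples=4))
    for stamp, value, kind in scan_alerts(rows, paths[1], over=90, under=25):
        print(f"{stamp:%H:%M:%S} {paths[1]} = {value} is {kind} the threshold")
```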

You can define the attributes of the graph:

  • Type of display, with options for graph, histogram, or report

  • Background color of the detail pane and of the data-display area

  • Size, type, and style of font used to show text in the display

  • Color, width, and style of line used to chart data

To draw attention to a particular counter's data, use the highlighting feature. To do so, press CTRL+H or click the Highlight button on the toolbar. When highlighting is in effect, the bar or line representing data for the selected counter changes color to white for most background colors (including the default color) or black for white or light-colored backgrounds.

Note: Default key settings in Microsoft Word may conflict with the CTRL+H combination used for System Monitor highlighting. You may need to change these to support highlighting when the System Monitor control (Sysmon.ocx in the system_root\System32 folder) is used in Microsoft Word.

Clicking Object, Counter, Instance, or Computer in the counter legend sorts entries in ascending or descending order for that category. For example, to sort all counters by name, click Counter.

For more information, see Quick reference to System Monitor settings.

Performance Logs and Alerts interface

In Performance Logs and Alerts you define settings for counter logs, trace logs, and alerts. The details pane of the console window shows logs and alerts that you have created. You can define multiple logs or alerts to run simultaneously. Each log or alert is a saved configuration that you define. If you have configured the log for automatic starting and stopping, a single log can generate many individual log data files. For example, if you were generating a log file for each day's activity, one file would close at 11:59 P.M. today, and a new file would open at 12:00 A.M. tomorrow. The following list explains the summary information provided by the columns in the details pane.

  • Name. This is the name of the log or alert. Think of this as a "friendly name," describing the type of data you are collecting or the condition you are monitoring. One log can generate multiple log files.

    Note: Sample settings, named System Overview, have been predefined for counter logging. You can start logging using these settings or define your own settings, as appropriate.

  • Comment. This can be any descriptive information about the log or alert.

  • Log File Type. This is the log-file format you define. For alerts, the type will always be alerts; for trace logs, it will always be sequential. For counter logs, this can be binary, binary circular, text-CSV (for comma-delimited text), or text-TSV (for tab-delimited text).

  • Log File Name. This is the path and base file name you defined for the files generated by this log. The base file name is used for automatically naming new files.

To see the parameters defined for each log, double-click the list entry for the log. In the dialog box that appears, you can choose how to name your log files, when logging is scheduled to occur, and what performance objects and counters you want to monitor in your log.

If a log is currently running and collecting data (based on the schedule you defined for the log or alert), a green data icon appears next to the log or alert. If a red icon appears, the log or alert has been defined but is not currently running.

Note: You can configure more than one type of log to run at a time. One log can generate multiple log files if the restart option is selected, or if the user starts and stops the log multiple times. However, you will not see these individual log files listed in the console window. Use Windows Explorer to view a listing of these files.

Analyzing performance data

Analyzing your monitoring data consists of examining counter values that are reported while your system is performing various operations. During this process you should determine which processes are most active and which programs or threads, if any, are monopolizing a resource. Using this type of performance-data analysis, you can understand how your system is responding to workload demands.

As a result of this analysis, you may find that your system performs satisfactorily at some times and unsatisfactorily at others. Depending on the causes of these variations and the degree of difference, you may choose to take corrective action or to accept these variations and delay tuning or upgrading resources to a later time.

The level of system performance that you consider acceptable when your system is handling a typical workload and running all required services is its baseline. The baseline performance is a subjective standard that the administrator determines based on the work environment. It may correspond to a range of counter values, including some that are temporarily unacceptable, but which generally indicate the best possible performance under the administrator's specific conditions. The baseline can be the measure used for setting performance expectations of your users and can be included in any service agreements you put in place.

Analyzing performance data includes:

  • Determining acceptable values for counters

  • Understanding variations in performance data

Determining acceptable values for counters

In general, deciding whether or not performance is acceptable is a subjective judgment that varies significantly from one user environment to another. The values you establish as the baselines for your organization are the best basis for comparison. Nevertheless, the following table of threshold values for specific counters can help you determine whether the values reported by your computer indicate a problem. If System Monitor consistently reports these values, it is likely that bottlenecks exist on your system and you should take action to tune or upgrade the affected resource.

Resource | Object\ Counter | Suggested threshold | Comments
--- | --- | --- | ---
Disk | PhysicalDisk\ % Disk Time | 90% | 
Disk | PhysicalDisk\ Disk Reads/sec, PhysicalDisk\ Disk Writes/sec | Depends on manufacturer's specifications | Check the specified transfer rate for your disks to verify that this rate doesn't exceed the specifications. In general, Ultra Wide SCSI disks can handle 50 I/O operations per second.
Disk | PhysicalDisk\ Current Disk Queue Length | Number of spindles plus 2 | This is an instantaneous counter; observe its value over several intervals. For an average over time, use PhysicalDisk\ Avg. Disk Queue Length.
Memory | Memory\ Available Bytes | Less than 4 MB | Research memory usage and add memory if needed.
Memory | Memory\ Pages/sec | 20 | Research paging activity.
Network | Network Segment\ % Net Utilization | Depends on type of network | You must determine the threshold based on the type of network you are running. For Ethernet networks, for example, 30% is the recommended threshold.
Paging File | Paging File\ % Usage | 99% | Review this value in conjunction with Available Bytes and Pages/sec to understand paging activity on your computer.
Processor | Processor\ % Processor Time | 85% | Find the process that is using a high percentage of processor time. Upgrade to a faster processor or install an additional processor.
Processor | Processor\ Interrupts/sec | Depends on processor | A dramatic increase in this counter value without a corresponding increase in system activity indicates a hardware problem. Identify the network adapter causing the interrupts.
Server | Server\ Bytes Total/sec | | If the sum of Bytes Total/sec for all servers is roughly equal to the maximum transfer rate of your network, you may need to segment the network.
Server | Server\ Work Item Shortages | 3 | If the value reaches this threshold, consider tuning InitWorkItems or MaxWorkItems in the registry (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer). For information about modifying the registry, see Registry Editor Help. Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, back up any valued data on the computer.
Server | Server\ Pool Paged Peak | Amount of physical RAM | This value is an indicator of the maximum paging file size and the amount of physical memory.
Server | Server Work Queues\ Queue Length | 4 | If the value reaches this threshold, there may be a processor bottleneck. This is an instantaneous counter; observe its value over several intervals.
Multiple Processors | System\ Processor Queue Length | 2 | This is an instantaneous counter; observe its value over several intervals.

For tuning and upgrade suggestions, see Solving performance problems.
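The following Python script is an added example, not part of the original documentation: it applies the mechanically checkable rows of the threshold table to a counter log saved in the text-CSV format that Performance Logs and Alerts writes. The log contents, the computer name SERVER1, the sample interval and the rule that a counter must sit at or beyond its threshold for three consecutive samples before it counts as "consistently" reported are all constructed assumptions; the threshold values themselves are the table's.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample of a counter log saved as text-CSV by Performance Logs and
# Alerts. The layout follows the PDH-CSV convention: the first column holds the
# timestamp, every other column a counter path \\computer\object(instance)\counter.
# The computer name SERVER1 and every value are made up for this example.
SAMPLE_LOG = r'''
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SERVER1\PhysicalDisk(_Total)\% Disk Time","\\SERVER1\PhysicalDisk(_Total)\Current Disk Queue Length","\\SERVER1\Memory\Available Bytes","\\SERVER1\Memory\Pages/sec","\\SERVER1\Processor(_Total)\% Processor Time","\\SERVER1\System\Processor Queue Length"
"01/15/2001 09:00:00.000","42.1","1","52428800","3.5","35.0","1"
"01/15/2001 09:00:15.000","95.3","6","3145728","27.0","91.2","3"
"01/15/2001 09:00:30.000","97.8","2","2097152","31.5","94.0","1"
"01/15/2001 09:00:45.000","93.0","4","2621440","24.9","88.7","1"
"01/15/2001 09:01:00.000","12.5","0","62914560","2.0","20.3","0"
'''.strip()

# \\computer\object(instance)\counter, with the computer and instance parts optional.
COUNTER_PATH = re.compile(r"^(?:\\\\([^\\]+))?\\([^\\(]+)(?:\(([^)]*)\))?\\(.+)$")


def thresholds(spindles: int = 1) -> Dict[Tuple[str, str], Tuple[str, float]]:
    """Rows of the threshold table that can be checked mechanically, keyed by
    (object, counter). "above" breaches at or over the limit, "below" at or
    under it. spindles feeds the "number of spindles plus 2" rule and is
    assumed to be 1 (a single non-RAID disk) unless the caller knows better."""
    return {
        ("PhysicalDisk", "% Disk Time"): ("above", 90.0),
        ("PhysicalDisk", "Current Disk Queue Length"): ("above", spindles + 2),
        ("Memory", "Available Bytes"): ("below", 4 * 1024 * 1024),
        ("Memory", "Pages/sec"): ("above", 20.0),
        ("Paging File", "% Usage"): ("above", 99.0),
        ("Processor", "% Processor Time"): ("above", 85.0),
        ("Server Work Queues", "Queue Length"): ("above", 4.0),
        ("System", "Processor Queue Length"): ("above", 2.0),
    }


def parse_counter_log(text: str) -> Tuple[List[str], List[Dict[str, float]]]:
    """Return (timestamps, samples); each sample maps counter path -> value.
    Blank cells (counters with no value in that interval) are skipped."""
    rows = list(csv.reader(io.StringIO(text)))
    paths = rows[0][1:]
    timestamps, samples = [], []
    for row in rows[1:]:
        if not row:
            continue
        timestamps.append(row[0])
        sample = {}
        for path, raw in zip(paths, row[1:]):
            if raw.strip():
                sample[path] = float(raw)
        samples.append(sample)
    return timestamps, samples


def breaches(path: str, value: float, limits) -> bool:
    """True when the counter named by path has a rule and value is beyond it."""
    m = COUNTER_PATH.match(path)
    if not m:
        return False
    _computer, obj, _instance, counter = m.groups()
    rule = limits.get((obj, counter))
    if rule is None:
        return False
    direction, limit = rule
    return value >= limit if direction == "above" else value <= limit


def sustained_breaches(samples: List[Dict[str, float]], min_consecutive: int = 3,
                       spindles: int = 1) -> Dict[str, int]:
    """Map each counter path to its longest run of consecutive samples at or
    beyond its threshold, keeping only runs of min_consecutive or more. A single
    spike (for example at program startup) therefore does not count."""
    limits = thresholds(spindles)
    paths = sorted({p for s in samples for p in s})
    longest = {p: 0 for p in paths}
    current = {p: 0 for p in paths}
    for sample in samples:
        for path in paths:
            value = sample.get(path)
            if value is not None and breaches(path, value, limits):
                current[path] += 1
                longest[path] = max(longest[path], current[path])
            else:
                current[path] = 0
    return {p: n for p, n in longest.items() if n >= min_consecutive}


if __name__ == "__main__":
    stamps, data = parse_counter_log(SAMPLE_LOG)
    for path, run in sustained_breaches(data).items():
        print(f"{path}: at or beyond threshold for {run} consecutive samples")
```

On the constructed log, % Disk Time, Available Bytes, Pages/sec and % Processor Time are flagged, while the single-sample spikes in Processor Queue Length and Current Disk Queue Length are not, which is the distinction the table draws for instantaneous counters.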

Understanding variations in performance data

The following considerations may help you understand performance variations that you observe:

  • Resource usage can vary dramatically based on the work being done at various times of day.

  • Counters that show usage ratios over an interval are a more informative measurement than averages of instantaneous counter values because averages can include data for service startup or other events that can cause the numbers to go far out of range for a brief period, thereby skewing the results.

Solving performance problems

Analysis of your monitoring data may reveal problems such as excessive demand on certain resources resulting in bottlenecks. This section discusses common causes for bottlenecks and a recommended strategy for tuning and testing.

Causes of bottlenecks

Demand may become extreme enough to cause resource bottlenecks for the following reasons:

  • Resources are insufficient and additional or upgraded components are required.

  • Resources are not sharing workloads evenly and need to be balanced.

  • A resource is malfunctioning and needs to be replaced.

  • A program is monopolizing a particular resource; this may require substituting another program, having a developer rewrite the program, adding or upgrading resources, or running the program during periods of low demand.

  • A resource is incorrectly configured and configuration settings should be changed.

Strategy for tuning and testing

The table of threshold values that is presented in Determining acceptable values for counters helps to isolate the performance problem by resource. Find the tuning and upgrade discussion related to your specific problem in one of the following topics:

  • Monitoring and tuning memory usage

  • Monitoring processor activity

  • Monitoring disk activity

  • Monitoring network activity

  • Monitoring Windows 2000 services

  • Monitoring legacy programs

Lack of memory is by far the most common cause of serious performance problems in computer systems. If you suspect other problems, check memory counters to rule out a memory shortage. Poor response time on a workstation is most likely to result from memory and processor problems; servers are more susceptible to disk and network problems.

Before you start tuning, consider the following recommendations:

  • Make one change at a time. In some cases, a problem that appears to relate to a single component may be the result of bottlenecks involving multiple components. For this reason, it is important to address problems individually.

    Making multiple changes simultaneously may make it impossible to assess the impact of each individual change.

  • Repeat monitoring after every change. This is important for understanding the effect of the change and to determine whether additional changes are required. Proceed methodically, making one change to the identified resource at a time and then testing the effects of the changes on performance. Because tuning changes can affect other resources, it's important to keep records of the changes you make and to remonitor after you make a change.

  • In addition to monitoring, review event logs, because some performance problems generate output you can display in Event Viewer. For information about using Event Viewer, see Event Viewer Help.

  • To see whether network components are playing a part in performance problems, compare the performance of programs that run over the network with locally run programs.

Tuning and upgrade tips by component

This section lists tuning tips for resources you are monitoring:

  • Memory:

    • Increase physical memory above the minimum required.

    • Create multiple paging files.

    • Determine the correct size for the paging file.

    • Ensure that memory settings are properly configured as described in Making sure you have enough memory.

    • Run memory-intensive programs on your highest-performing computers or when system workload is light.

  • Disk:

    • Upgrade to a higher-speed disk, or add disks. When you do this, upgrade the disk controller and the bus.

    • On servers, use Disk Management to create striped volumes on multiple physical disks. This solution increases throughput because I/O commands can be issued concurrently.

    • Distribute programs among servers. Distributed File System (Dfs) can be used to balance workload.

    • Isolate tasks that heavily utilize disk I/O on separate physical disks or disk controllers.

    • Use Disk Defragmenter to optimize disk space.

    • If you want to improve the efficiency of disk access, consider installing the latest driver software for your host adapters. Contact your adapter manufacturer for information.

  • Processor:

    • Add a processor (especially for multithreaded programs), or upgrade to a faster processor.

    • On multiprocessor computers, manage the processor affinity with respect to process threads and interrupts.

  • Network:

    • Configure your network so that systems shared by the same group of people are on the same subnet.

    • Unbind infrequently used network adapters. See To modify the protocol bindings order for more information.

      If you are using more than one protocol, you can set the order in which the workstation and NetBIOS software bind to each protocol. See Network and Dial-up Connections Help for more information. Some reasons for changing the list order are:

      • If the protocol you use most frequently is first in the binding list, average connection time decreases.

      • Some protocols are faster than others for certain network topologies. If you are optimizing a client computer, putting the faster protocol first in the bindings list improves performance. Because the server accepts incoming connections using the protocol chosen by the client computer, there is no reason to reorder server computer bindings.

    • Install a high-performance network adapter in the server. If your server uses a 16-bit adapter, you can significantly increase performance by replacing it with a high-performance 32-bit adapter.

    • Use multiple network adapters. Windows 2000 supports multiple adapters for a given protocol and multiple protocols for a given adapter. Although this configuration can create distinct networks that cannot communicate with one another, it is a way to increase file-sharing throughput.

Solving performance problems includes:

  • Monitoring and tuning memory usage

  • Monitoring processor activity

  • Monitoring disk activity

  • Monitoring network activity

  • Monitoring Windows 2000 services

  • Monitoring legacy programs

Monitoring and tuning memory usage

Monitoring and tuning memory usage includes:

  • Watching how programs use system resources

  • Making sure you have enough memory

Watching how programs use system resources

Because processor and memory resources have such a significant influence on the operation of your computer, it is important to understand how programs use these resources. This topic describes how observing certain counters in the System Monitor graph display can help you learn about processor and memory usage by programs. Start by working with the Process\ % Processor Time and Process\ Working Set counters:

  • % Processor Time. The percentage of elapsed time that a processor is busy executing all threads for a particular process. (Notice that % Processor Time is high for the Idle process when the system is not busy.)

  • Working Set. The current number of physical memory bytes used by or allocated to a process. This value can be larger than the minimum number of bytes actually needed by the process. It may reflect physical bytes that are shared by multiple processes.

Using these counters, you can graph some or all of the programs running on a computer, as shown in the following example, charting processor usage by System Monitor (shown as the MMC process).

[Figure: System Monitor chart of Process\ % Processor Time for the running programs]

Notice that, at program startup, the Process\ % Processor Time values climb sharply for each program, decrease, and then level off. It's important to be aware that processor usage spikes at program startup; you may want to omit temporarily high startup values from your monitoring data to obtain a more accurate picture of typical processor usage by your programs.

After startup, the graph should show increases in processor activity as the programs do work, for example as System Monitor reads a new set of counter values. You can observe this by changing the update interval for System Monitor: with a short update interval, System Monitor reads data more frequently and itself generates more processor activity; a longer update interval generates less.

Monitoring memory-counter values for programs provides a similar illustration of how programs make demands on system resources and how those resources respond. For every program running on a computer, the operating system allocates a portion of physical memory. This is called the working set. Even if the program is not generating any activity, the operating system allocates memory for the program's working set.

The working-set value is of particular interest when the Memory\ Available Bytes counter falls below a certain threshold. Windows 2000 satisfies the memory requirements of programs by using free (available) bytes. As free bytes fall into short supply, the operating system begins to replenish the shortage by taking memory from the working sets of less active programs. As a result, you will see the values for one program's working set increase while the values for other programs decrease. If there isn't sufficient memory on the system to satisfy the requirements of all active programs, paging occurs and program performance suffers. For information about monitoring paging activity, see Checking for excessive paging.

[Figure: System Monitor chart of Process\ Working Set for the running programs]

You can expand sample reports and charts to include more programs and more counters. To understand system activity, watch these and other counter values as you change system activity levels.

For information about how you can monitor processor activity or memory usage, see the following topics:

  • Making sure you have enough memory

  • Monitoring processor activity

Making sure you have enough memory

Memory usage is perhaps the most important factor in system performance. One of the ways you may become aware of a memory shortage is if your system is paging frequently. Paging is the process of moving fixed-size blocks of code and data, called pages, from RAM to disk in order to free memory for other uses. Although some paging is acceptable because it enables Windows 2000 to use more memory than actually exists, constant paging is a drain on system performance. Reducing paging will significantly improve system responsiveness.

This section describes how you can determine whether your system has an adequate amount of memory and an appropriate configuration for its role, plus how to begin to analyze its paging activity. (Further discussion of paging and related factors appears in Checking for excessive paging.)

Checking your configuration

Before beginning to monitor memory usage on your computer in detail, verify that your computer is properly equipped and configured:

  1. Make sure your system has the recommended amount of memory not only for running Windows 2000 but also for the programs or services you are running. Check the amount of memory on your system against requirements of the operating system and your programs. Consult product documentation for programs or services that you are running to verify that memory is adequate.

    To see the amount of system memory, see To determine the amount of RAM on your computer. To estimate your memory requirements, start with the memory required for the operating system and add the following factors:

    • Number of users multiplied by the average size of the open data files per user

    • Number of programs run on the server computer multiplied by the average size of programs run on the server

    If you are uncertain about the memory requirements of a process that you are running, you can note its working set in System Monitor, shut it down, and observe the corresponding effect on paging activity on your computer. The amount of memory freed by terminating programs is the amount of additional physical RAM needed on the system.

  2. Check that system settings are appropriate based on how you use your computer. When you install Windows 2000 Server, Windows 2000 Setup configures your computer with settings that optimize it for file sharing. However, in some cases, that configuration can cause excessive paging on your computer because it causes the system to maintain a large system-cache working set. If you are not using the server for file sharing or for other programs that specifically require this setting to be enabled, you can turn it off to reduce the amount of paging.

To change these settings, see To configure memory-related settings on your computer.

Monitoring memory counters

To monitor for a low-memory condition, start with the following object counters:

  • Memory\ Available Bytes

  • Memory\ Pages/sec

Available Bytes indicates how many bytes of memory are currently available for use by processes. Pages/sec provides the number of pages that were either retrieved from disk due to hard page faults or written to disk to free space in the working set due to page faults.

Low values for Available Bytes (4 MB or less) may indicate there is an overall shortage of memory on your computer or that a program is not releasing memory. If the value of Pages/sec is 20 or more, you should research the paging activity further. A high rate for Pages/sec may not indicate a memory problem but may instead be the result of running a program that uses a memory-mapped file.

You must monitor Available Bytes along with Pages/sec and Paging File\ % Usage to determine whether this is the case. If you are reading a noncached memory-mapped file, you should also see normal or low cache activity. For more information, see Checking for excessive paging.

If you suspect a memory leak, monitor Memory\ Available Bytes and Memory\ Committed Bytes to observe memory behavior and monitor Process\ Private Bytes, Process\ Working Set, and Process\ Handle Count for processes you think may be leaking memory. Also monitor Memory\ Pool Nonpaged Bytes, Memory\ Pool Nonpaged Allocs, and Process(process_name)\ Pool Nonpaged Bytes if you suspect that a kernel-mode process is causing the leak.

Checking for excessive paging

Because excessive paging can make substantial use of the hard disk, it is possible to confuse a memory shortage that causes paging with a disk bottleneck that results in paging. As a result, when you investigate the causes of paging, where a memory shortage is not apparent, make sure to track disk usage counters such as the following along with memory counters:

  • Physical Disk\ % Disk Time

  • Physical Disk\ Avg. Disk Queue Length

For example, include Memory\ Page Reads/sec with % Disk Time and Avg. Disk Queue Length. If a low rate of page-read operations coincides with high values for % Disk Time and Avg. Disk Queue Length, there could be a disk bottleneck. However, if an increase in queue length is not accompanied by a decrease in the page-read rate, then a memory shortage exists.

To determine the impact of excessive paging on disk activity, multiply the values of the Physical Disk\ Avg. Disk sec/Transfer and Memory\ Pages/sec counters. If the product of these counters exceeds 0.1, paging is taking more than 10 percent of disk access time. If this occurs over a long period, you probably need more memory.
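As an added example (not from the original documentation), the following Python code turns the two rules above into a small classifier: the page-read rate compared against % Disk Time and Avg. Disk Queue Length, and the Avg. Disk sec/Transfer times Pages/sec product. The PagingSample type, the three constructed sample windows, the cut-off of 5 page reads/sec for "low", and the first-half versus second-half comparison for "an increase in queue length" are assumptions made here; the 90 percent disk-time limit, the 0.1 product limit and the queue limit of 2 times the number of spindles (one spindle assumed) come from the page.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List


@dataclass
class PagingSample:
    """One logging interval of the counters the text pairs together:
    Memory\\ Page Reads/sec, Memory\\ Pages/sec, PhysicalDisk\\ % Disk Time,
    PhysicalDisk\\ Avg. Disk Queue Length and PhysicalDisk\\ Avg. Disk sec/Transfer."""
    page_reads_per_sec: float
    pages_per_sec: float
    pct_disk_time: float
    avg_disk_queue: float
    avg_disk_sec_per_transfer: float


def paging_share_of_disk_time(samples: List[PagingSample]) -> float:
    """Avg. Disk sec/Transfer * Pages/sec averaged over the window. Above 0.1,
    paging is taking more than 10 percent of disk access time."""
    return mean(s.avg_disk_sec_per_transfer * s.pages_per_sec for s in samples)


def looks_like_disk_bottleneck(samples: List[PagingSample], high_disk_time: float = 90.0,
                               high_queue: float = 2.0, low_page_reads: float = 5.0) -> bool:
    """A low page-read rate coinciding with high % Disk Time and a long disk queue
    points at the disk rather than at memory. low_page_reads is an assumed cut-off."""
    return (mean(s.page_reads_per_sec for s in samples) < low_page_reads
            and mean(s.pct_disk_time for s in samples) > high_disk_time
            and mean(s.avg_disk_queue for s in samples) > high_queue)


def looks_like_memory_shortage(samples: List[PagingSample]) -> bool:
    """Queue length rising while the page-read rate does not fall. The window is
    split in half and the later half compared with the earlier one."""
    half = len(samples) // 2
    if half == 0:
        return False
    early, late = samples[:half], samples[half:]
    queue_up = mean(s.avg_disk_queue for s in late) > mean(s.avg_disk_queue for s in early)
    reads_down = mean(s.page_reads_per_sec for s in late) < mean(s.page_reads_per_sec for s in early)
    return queue_up and not reads_down


def diagnose_paging(samples: List[PagingSample]) -> str:
    """Apply the rules in the order the text gives them."""
    if paging_share_of_disk_time(samples) > 0.1 or looks_like_memory_shortage(samples):
        return "memory shortage"
    if looks_like_disk_bottleneck(samples):
        return "disk bottleneck"
    return "no paging problem indicated"


# Constructed windows of four 15-second samples each; values are invented.
MEMORY_SHORTAGE = [PagingSample(10, 15, 60, 1, 0.012), PagingSample(20, 25, 80, 2, 0.012),
                   PagingSample(40, 40, 95, 4, 0.012), PagingSample(60, 60, 97, 5, 0.012)]
DISK_BOTTLENECK = [PagingSample(1, 2, 95, 4, 0.02), PagingSample(2, 3, 96, 5, 0.02),
                   PagingSample(1, 2, 97, 4, 0.02), PagingSample(2, 3, 95, 5, 0.02)]
HEALTHY = [PagingSample(1, 2, 20, 0.5, 0.01)] * 4

if __name__ == "__main__":
    for name, window in (("memory", MEMORY_SHORTAGE), ("disk", DISK_BOTTLENECK), ("ok", HEALTHY)):
        print(name, diagnose_paging(window), round(paging_share_of_disk_time(window), 3))
```

The disk-bottleneck window keeps the product well under 0.1 and the queue flat, so it is not mistaken for a memory shortage even though the disk is saturated; that separation is the point of tracking the disk counters alongside the memory counters.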

Investigating program activity

Next, check for excessive paging due to programs that are running. If possible, stop the program with the highest working set value and see whether that dramatically changes the paging rate. If you suspect excessive paging, check the Memory\ Pages/sec counter. This counter shows the number of pages that needed to be read from disk because they were not in physical memory. (Notice the difference between this counter and Page Faults/sec, which indicates only that data was not immediately available in the specified working set in memory.)

Checking the paging file size

You have some options for how to manage your paging file for better performance:

  • You can place a paging file on other disk drives. If you have multiple hard disks, splitting up the paging file is a good idea because it will speed up the access time. If you have two hard disks and you split the paging file, both hard disks can be accessing information simultaneously, greatly increasing the throughput. However, if you have two hard disks and one hard disk is faster than the other, it may be more effective to store the paging file only on the faster hard disk. You may need to experiment to arrive at the best configuration for your system.

  • You can increase the size of the paging file. When you start Windows 2000, it automatically creates a paging file (Pagefile.sys) on the disk where you installed the operating system. Windows 2000 uses the paging file to provide virtual memory. The recommended size for the paging file is equivalent to 1.5 times the amount of RAM available on your system. However, the size of the file also depends on the amount of free space available on your hard disk when the file is created. You can find out how large your system's paging file is by looking at the file size shown for Pagefile.sys in Windows Explorer.

    Assuming you are not already short of disk space, you can increase the size of the paging file. If your users tend to run several programs simultaneously, they might find that increasing the size of the paging file will enable programs to start faster.

    Although you can reset both the initial and the maximum sizes for the paging file, it is more efficient to expand initial paging file size, rather than force the operating system to allocate more paging file space as programs start, which fragments the disk.

    If the paging file reaches its maximum size, a warning is displayed and the system may halt. To see whether your paging file is approaching its upper limit before it reaches the upper limit, check the actual file size and compare it to the maximum paging file size setting in the System utility in Control Panel. If these two numbers are close in value, consider increasing initial paging file size or running fewer programs.

    Paging file counters offer another way to see whether the size of the Pagefile.sys file is appropriate:

    • Paging File\ % Usage

    • Paging File\ % Usage Peak (bytes)

    If the % Usage Peak value approaches the maximum paging file setting, or if % Usage nears 100 percent, consider increasing the initial file size.

If multiple paging files are spread across multiple disk drives, the path name of each file appears as an instance of the Paging File object type. You can either add a counter for each paging file or select the _Total instance to look at combined usage data for all your paging files.

Monitoring processor activity

Monitoring the Processor and System object counters provides valuable information about the utilization of your processors and helps you determine whether or not a bottleneck exists. You will want to include the following:

  • Processor\ % Processor Time for processor usage.

    Optionally, you can also monitor Processor\ % User Time and % Privileged Time along with % Processor Time for more detail.

  • System\ Processor Queue Length for bottleneck detection.

Observing processor usage values

To gauge the activity of the processor, check the Processor\ % Processor Time counter. This counter shows the percentage of elapsed time that a processor is busy executing a nonidle thread.

When you examine processor usage, consider the role of the computer and the type of work being done. Depending on what the computer is doing, high processor values could mean either that the system is efficiently handling a heavy workload or that it is struggling to keep up. For example, if you are monitoring a user's computer, and that computer is used for computation, the computational program might easily use 100 percent of the processor's time. Even if this causes the performance of other applications on that computer to suffer, this can be addressed by changing workload.

On the other hand, values around 100 percent on a server computer that processes many client requests indicate that processes are queuing up, waiting for processor time, and causing a bottleneck. Such a sustained high level of processor usage is unacceptable for a server.

Investigating processor bottlenecks

A processor bottleneck develops when threads of a process require more processor cycles than are available. Long processor queues can build up and system response suffers. The two most common causes of processor bottlenecks are CPU-bound programs and drivers or subsystem components (typically disk or network components) that generate excessive interrupts.

To determine whether a processor bottleneck exists due to high levels of demand for processor time, check the value of the System\ Processor Queue Length counter. A queue of two or more items indicates a bottleneck. If more than a few program processes are contending for most of the processor's time, installing a faster processor will improve throughput. An additional processor can help if you are running multithreaded processes, but be aware that scaling to additional processors may have limited benefits. See Monitoring multiprocessor systems for more information.

In addition, the Server Work Queues\ Queue Length counter, which tracks the current length of the server work queue for the computer, can reveal processor bottlenecks. A sustained queue length greater than 4 indicates possible processor congestion. This counter is a value at a specific time, not an average over time.

To determine whether interrupt activity is causing a bottleneck, watch the values of the Processor\ Interrupts/sec counter, which measures the rate of service requests from input/output (I/O) devices. If this counter value increases dramatically without a corresponding increase in system activity, it can indicate a hardware problem.

You can also monitor Processor\ % Interrupt Time for an indirect indicator of the activity of disk drivers, network adapters, and other devices that generate interrupts.

Note: To detect hardware problems that may affect processor performance, such as IRQ conflicts, watch the values of System\ File Control Bytes/second.

Monitoring multiprocessor systems

To observe the efficiency of a multiprocessor computer, use the following additional counters.

Counter | Description
--- | ---
Process\ % Processor Time | The sum of processor time on each processor for all threads of the process.
Processor(_Total)\ % Processor Time | A measure of processor activity for all processors in the computer. This counter sums the average nonidle time of all processors during the sample interval and divides it by the number of processors. For example, if all processors are busy for half of the sample interval, on average, it displays 50%. It also displays 50% if half of the processors are busy for the entire interval and the others are idle.
Thread\ % Processor Time | The amount of processor time for a thread.

Managing processor affinity on multiprocessor systems

If you want to assign a particular process or program to a single processor to improve its performance at the expense of other processes, in Task Manager, click Set Affinity. This option is available only on multiprocessor systems.

Controlling processor affinity can improve performance by reducing the number of processor cache flushes as threads move from one processor to another. This might be a good option for dedicated file servers. However, be aware that dedicating a program to a particular processor may not allow other program threads to migrate to the least-busy processor.

You may also want to control processor affinity for interrupts generated by disk or network adapters. A tool provided on the Windows 2000 Resource Kit companion disc enables you to manage interrupts in this way.

Monitoring disk activity

Disk-usage statistics help you balance the workload of network servers. System Monitor provides physical disk counters for troubleshooting, capacity planning, and for measuring activity on a physical volume.

At a minimum you should monitor the following counters:

  • Physical Disk\ Disk Reads/sec and Disk Writes/sec

  • Physical Disk\ Current Disk Queue Length

  • Physical Disk\ % Disk Time

  • LogicalDisk\ % Free Space

When testing disk performance, log performance data to another disk or computer so that it does not interfere with the disk you are testing.

Additional counters you may want to observe include Physical Disk\ Avg. Disk sec/Transfer, Avg. Disk Bytes/Transfer, and Disk Bytes/sec.

The Avg. Disk sec/Transfer counter reflects how much time a disk takes to fulfill requests. A high value might indicate that the disk controller is continually retrying the disk because of failures. These misses increase average disk transfer time. For most disks, high average disk transfer times correspond to values greater than 0.3 seconds.

You can also check the value of Avg. Disk Bytes/Transfer. A value greater than 20 KB indicates that the disk drive is generally performing well; low values result if an application is accessing a disk inefficiently. For example, applications that access a disk at random raise Avg. Disk sec/Transfer times because random transfers require increased seek time.

Disk Bytes/sec gives you the throughput rate of your disk system.

Because disk counters can cause a modest increase in disk access time, Windows 2000 does not automatically activate the counters at system startup.

Note: Unlike physical-disk counter data, logical-disk counter data is not collected by the operating system by default. To obtain performance counter data for logical drives or storage volumes, you must type diskperf -yv at the command prompt. This causes the disk performance statistics driver used for collecting disk performance data to report data for logical drives or storage volumes. By default, the operating system uses the diskperf -yd command to obtain physical drive data. For more information about using the diskperf command, type diskperf -? at the command prompt.

Determining workload balance

To balance loads on network servers, you need to know how busy the server disk drives are. Use the Physical Disk\ % Disk Time counter, which indicates the percentage of time a drive is active. If % Disk Time is high (over 90 percent), check the Physical Disk\ Current Disk Queue Length counter to see how many system requests are waiting for disk access. The number of waiting I/O requests should be sustained at no more than 1.5 to 2 times the number of spindles making up the physical disk.

Most disks have one spindle, although Redundant Array of Inexpensive Disks (RAID) devices usually have more. A hardware RAID device appears as one physical disk in System Monitor; RAID devices created through software appear as multiple drives (instances). You can either monitor the Physical Disk counters for each physical drive (other than RAID), or you can use the _Total instance to monitor data for all the computer's drives.

Use the values of the Current Disk Queue Length and % Disk Time counters to detect bottlenecks with the disk subsystem. If Current Disk Queue Length and % Disk Time values are consistently high, consider upgrading the disk drive or moving some files to an additional disk or server.

Notes:

  • The LogicalDisk object counters have been removed. The system maps physical drives to logical drives using the same instance name. Therefore, if you have a dynamic volume that consists of multiple physical disks, instances might appear as "Disk 0 C:," "Disk 1 C:," and "Disk 2 D:," where C: is made up of physical drives 0 and 1. If you have two logical partitions on a disk, the instance appears as "0 C: D:."

  • For hardware-enabled stripe sets, per-disk statistics are not available. You can obtain this data only when monitoring stripe sets enabled in software.

  • If you are using a RAID device, the % Disk Time counter can indicate a value greater than 100 percent. If it does, use the Avg. Disk Queue Length counter to determine how many system requests on average are waiting for disk access.
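The disk rules above (a busy drive when % Disk Time exceeds 90 percent, a sustained queue of no more than 1.5 to 2 requests per spindle, the 0.3 second Avg. Disk sec/Transfer figure, and the fallback to Avg. Disk Queue Length when a RAID device reports more than 100 percent) applied to logged samples, as an added example that is not part of this help text. The samples, instance names and spindle counts are constructed, and "sustained" is taken here to mean the median of the logged samples.

```python
"""Apply the disk thresholds from this topic to logged Physical Disk samples.
Added example; the samples and spindle counts are constructed, not captured."""
from statistics import median

DISK_TIME_BUSY_PCT = 90.0     # % Disk Time above this: look at the queue
QUEUE_PER_SPINDLE_MAX = 2.0   # waiting I/Os should stay within 1.5-2 x spindles
SEC_PER_TRANSFER_MAX = 0.3    # Avg. Disk sec/Transfer above this: retries on a failing disk


def sample(disk_time, current_queue, avg_queue, sec_per_transfer):
    """One logged row for a Physical Disk instance (constructed values)."""
    return {
        "% Disk Time": disk_time,
        "Current Disk Queue Length": current_queue,
        "Avg. Disk Queue Length": avg_queue,
        "Avg. Disk sec/Transfer": sec_per_transfer,
    }


# Constructed samples: instance name -> rows as System Monitor would log them.
SAMPLES = {
    # single-spindle system disk, mostly idle
    "0 C:": [sample(12.0, 0, 0.1, 0.008), sample(15.0, 1, 0.2, 0.009), sample(10.0, 0, 0.1, 0.007)],
    # single spindle, saturated, long queue and slow transfers
    "1 D:": [sample(97.0, 5, 4.8, 0.45), sample(99.0, 6, 5.1, 0.50), sample(95.0, 4, 4.2, 0.40)],
    # hardware RAID seen as one physical disk; % Disk Time can exceed 100 percent
    "2 E:": [sample(150.0, 9, 5.0, 0.02), sample(160.0, 10, 5.5, 0.02), sample(140.0, 8, 4.5, 0.02)],
}
SPINDLES = {"0 C:": 1, "1 D:": 1, "2 E:": 4}
HARDWARE_RAID = {"2 E:"}


def evaluate_disk(instance, rows, spindles, is_raid=False):
    """Return (code, detail) findings for one instance; 'sustained' is the median."""
    findings = []
    disk_time = median(r["% Disk Time"] for r in rows)
    # A RAID device can report more than 100 percent; the topic says to use
    # Avg. Disk Queue Length instead of Current Disk Queue Length in that case.
    if is_raid and disk_time > 100.0:
        queue_counter = "Avg. Disk Queue Length"
    else:
        queue_counter = "Current Disk Queue Length"
    queue = median(r[queue_counter] for r in rows)
    limit = QUEUE_PER_SPINDLE_MAX * spindles
    if disk_time > DISK_TIME_BUSY_PCT:
        if queue > limit:
            findings.append(("bottleneck",
                             f"{instance}: % Disk Time {disk_time:.0f}, {queue_counter} {queue:.1f} "
                             f"exceeds {limit:.0f} for {spindles} spindle(s); upgrade the drive or move files"))
        else:
            findings.append(("busy",
                             f"{instance}: % Disk Time {disk_time:.0f} but {queue_counter} "
                             f"{queue:.1f} is within {limit:.0f}"))
    sec_xfer = median(r["Avg. Disk sec/Transfer"] for r in rows)
    if sec_xfer > SEC_PER_TRANSFER_MAX:
        findings.append(("slow-transfer",
                         f"{instance}: Avg. Disk sec/Transfer {sec_xfer:.2f} s exceeds "
                         f"{SEC_PER_TRANSFER_MAX} s; the controller may be retrying a failing disk"))
    return findings


def evaluate_all(samples=SAMPLES, spindles=SPINDLES, hardware_raid=HARDWARE_RAID):
    """Evaluate every logged instance; returns {instance: [(code, detail), ...]}."""
    return {inst: evaluate_disk(inst, rows, spindles[inst], inst in hardware_raid)
            for inst, rows in samples.items()}


if __name__ == "__main__":
    for inst, findings in evaluate_all().items():
        for code, detail in findings or [("ok", f"{inst}: no disk findings")]:
            print(f"[{code}] {detail}")
```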

Monitoring network activity

Network monitoring typically consists of observing server resource utilization and measuring overall network traffic. With System Monitor you can handle both of these activities, although for in-depth traffic analysis, you should use Network Monitor.

Start by tracking the counters that are described in the topic Setting up a monitoring configuration to observe resource usage on your server. To concentrate on network-related resource usage, add the counters that correspond to the various layers of your network configuration. Abnormal network counter values often indicate problems with a server's memory, processor, or disks. For that reason, the best approach to monitoring a server is to watch network counters in conjunction with Processor\ % Processor Time, PhysicalDisk\ % Disk Time, and Memory\ Pages/sec.

For example, if a dramatic increase in Pages/sec is accompanied by a decrease in Bytes Total/sec handled by a server, the computer is probably running short of physical memory for network operations. Most network resources, including network adapters and protocol software, use nonpaged memory. If a computer is paging excessively, it could be because most of its physical memory has been allocated to network activities, leaving a small amount of memory for processes that use paged memory. To verify this situation, check the computer's system event log for entries indicating that it has run out of paged or nonpaged memory.

Note: The operating system automatically sets a default limit for allocable nonpaged pool memory. This default value is approximately 80 percent of installed memory. If the system reaches this limit as a result of network activity, problems can result. To change this limit, modify the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\MaxNonpagedMemoryUsage

For information about modifying the registry, see Registry Editor Help.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

If you enable Network Monitor, you can use network-related objects with System Monitor to analyze overall network performance. For information on monitoring overall network traffic, see Monitoring overall network traffic.

Observing throughput across network layers

Investigating network performance includes monitoring activity at different network layers:

  • Data-link layer. This includes the network adapter. Use the Network Interface object counters:

    • Bytes total/sec

    • Bytes sent/sec

    • Bytes received/sec.

  • Network layer. Use the IP object counters:

    • Datagrams Forwarded/sec

    • Datagrams Received/sec

    • Datagrams/sec

    • Datagrams Sent/sec.

  • Transport layer. Varies with network protocol in use. For TCP/IP, use the TCP object counters:

    • Segments Received/sec

    • Segments Retransmitted/sec

    • Segments/sec

    • Segments Sent/sec.

  • If the retransmission rate is high, there may be a hardware problem.

  • The ICMP and UDP object counters are also provided and are useful for more extensive monitoring of TCP/IP network transmissions. The ICMP performance object consists of counters that measure the rates at which Internet Control Message Protocol (ICMP) messages are sent and received. It also includes counters that monitor ICMP protocol errors. The UDP performance object consists of counters that measure the rates at which User Datagram Protocol (UDP) datagrams are sent and received. It includes counters that monitor UDP errors.

  • If you are using the NetBEUI protocol, use the following counters:

    • NetBEUI\ Frame Bytes Received/sec

    • NetBEUI\ Frames Received/sec

    • NetBEUI\ Frames Rejected/sec

    • NetBEUI Resource\ Times Exhausted

  • If you are using the NWLink protocol, three objects are available: NWLink IPX and NWLink NetBIOS for computers communicating over the IPX protocol; and NWLink SPX for computers connecting over the SPX protocol. Note that frame-related counters for these objects report only zeroes.

  • Presentation/program layer. Use the Server object counters if you are monitoring a server, or the Redirector object counters if you are monitoring a user's client computer. (Some program-layer processes, such as Web servers, may have their own object counters, which you would use for monitoring transmissions across this layer.)

    The Redirector object counters collect data about requests transmitted by the Workstation service; the Server object counters collect data about requests received and interpreted by the Server service.

    At a minimum, include the Bytes total/sec counter for both the Redirector object (for client computers that you monitor) and the Server object (for server computers).

    Each of these objects provides several other counters you may want to monitor if you suspect problems with either the Workstation or Server services:

    • Redirector\ Current Commands

    • Redirector\ Network Errors/sec

    • Redirector\ Reads Denied/sec

    • Redirector\ Writes Denied/sec

    • Redirector\ Server Sessions Hung

    • Server\ Sessions Errored Out

    • Server\ Work Item Shortages

    • Server\ Pool Paged Peak

    • Server\ Nonpaged Pool Failures

    If the Work Item Shortages counter value is increasing, consider changing the registry values InitWorkItems or MaxWorkItems under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer.

    The Sessions Errored Out counter reports automatic disconnections along with errored-out sessions. To get a more accurate value for errored-out sessions, obtain the value for Sessions Timed Out and reduce the Sessions Errored Out value by that amount. See Resources for more information.

Monitoring overall network traffic

If network traffic exceeds local area network (LAN) capacity, performance typically suffers across the network. To prevent this situation, it is important to monitor network-wide traffic levels, particularly on larger networks with bridges and routers, using the Network Segment object. When monitoring network traffic, three Network Segment object counters are of special interest.

Counter: Network Segment\ Broadcast frames received/second
Description: Can be used to establish a baseline if monitored over time. Large variations from the baseline can be investigated to determine the cause of the problem. Because each computer processes every broadcast, high broadcast levels mean lower performance.

Counter: Network Segment\ % Network utilization
Description: Indicates how close the network is to full capacity. The threshold depends on your network infrastructure and topology. If the value of the counter is above 30 to 40 percent, collisions can cause problems.

Counter: Network Segment\ Total frames received/second
Description: Indicates when bridges and routers might be flooded.

To analyze these statistics for your network segment, install Network Monitor. For information about Network Monitor, see Network Monitor Help.

For instructions on installing the Network Monitor driver that provides the counters for monitoring network utilization, see Enabling Network Segment counters.
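Two of the checks described in these network topics, as an added example that is not part of this help text: the memory-versus-network rule from Monitoring network activity (a sharp rise in Pages/sec while Bytes Total/sec falls) and the Network Segment baseline and utilization rules from the table above. All counter series are constructed; the doubling/halving factors and the three-standard-deviation band are assumptions, while the 30 and 40 percent utilization figures come from the text.

```python
"""Two network checks from this help text, as an added example (not from the
Windows 2000 documentation). All counter samples below are constructed.

1. Memory vs. network: Pages/sec rising sharply while Bytes Total/sec falls
   suggests the server is short of physical memory for network operations.
2. Network Segment: baseline Broadcast frames received/second and flag large
   departures; flag % Network utilization above the 30 to 40 percent band.
"""
from statistics import mean, pstdev

# Constructed Memory\Pages/sec and Server\Bytes Total/sec series over 8 intervals.
PAGES_PER_SEC = [5, 6, 5, 7, 40, 55, 60, 70]
BYTES_TOTAL_PER_SEC = [900_000, 950_000, 920_000, 880_000, 300_000, 250_000, 200_000, 180_000]

# Constructed Network Segment series over 10 intervals; the first 8 are the baseline.
UTILIZATION_PCT = [12, 15, 14, 13, 12, 15, 16, 14, 45, 33]
BROADCASTS_PER_SEC = [10, 12, 11, 9, 10, 11, 12, 10, 95, 11]
BASELINE_SAMPLES = 8


def memory_starved_for_network(pages, bytes_total, rise_factor=2.0, drop_factor=0.5):
    """Compare the first half of the samples with the second half.
    True when Pages/sec has at least doubled while Bytes Total/sec has at least
    halved. The factors are assumptions; the help text gives no figures."""
    n = len(pages) // 2
    pages_rose = mean(pages[n:]) >= rise_factor * mean(pages[:n])
    bytes_fell = mean(bytes_total[n:]) <= drop_factor * mean(bytes_total[:n])
    return pages_rose and bytes_fell


def segment_findings(utilization, broadcasts, baseline_samples,
                     sigma=3.0, util_warn=30.0, util_high=40.0):
    """Per-interval findings as (index, code, value).
    sigma (how many standard deviations count as a 'large variation') is an
    assumption; the 30 and 40 percent utilization figures are from the text."""
    base = broadcasts[:baseline_samples]
    base_mean, base_sd = mean(base), max(pstdev(base), 1.0)  # floor avoids a zero band
    findings = []
    for i, (util, bcast) in enumerate(zip(utilization, broadcasts)):
        if i >= baseline_samples and abs(bcast - base_mean) > sigma * base_sd:
            findings.append((i, "broadcast-anomaly", bcast))
        if util > util_high:
            findings.append((i, "utilization-high", util))
        elif util > util_warn:
            findings.append((i, "utilization-warn", util))
    return findings


def run_checks():
    """Run both checks over the constructed series."""
    return {
        "memory_starved": memory_starved_for_network(PAGES_PER_SEC, BYTES_TOTAL_PER_SEC),
        "segment": segment_findings(UTILIZATION_PCT, BROADCASTS_PER_SEC, BASELINE_SAMPLES),
    }


if __name__ == "__main__":
    result = run_checks()
    if result["memory_starved"]:
        print("Pages/sec up while Bytes Total/sec down: check the system log for "
              "entries about running out of paged or nonpaged memory")
    for i, code, value in result["segment"]:
        print(f"interval {i}: {code} ({value})")
```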

Monitoring Windows 2000 services

Many services available under Windows 2000 Server provide their own performance objects and counters.

  • Monitoring the Browser service

  • Monitoring DHCP

  • Monitoring directory service activity

  • Monitoring Distributed Transaction Coordinator

  • Monitoring DNS

  • Monitoring Fax Service

  • Monitoring the File Replication service

  • Monitoring Indexing Service

  • Monitoring Internet Authentication Service

  • Monitoring Internet Information Services

  • Monitoring the Phone Book service

  • Monitoring QoS Admission Control

  • Monitoring SMTP

  • Monitoring telephony counters

  • Monitoring WINS

Monitoring the Browser service

If your organization is maintaining domains under Windows NT Server 4.0, use the following counters for monitoring the Browser service:

  • Browser\ Mailslot Allocations Failed

  • Browser\ Mailslot Opens Failed/sec

  • Browser\ Mailslot Receives Failed

  • Browser\ Mailslot Writes Failed

  • Browser\ Missed Mailslot Datagrams

  • Browser\ Missed Server Announcements

  • Browser\ Missed Server List Requests

  • Browser\ Server Announce Allocations Failed/Sec

Monitoring directory service activity

The NTDS object provides statistics about the activity of the directory service. Some important counters to monitor using this object include the following:

  • DRA Inbound Object Updates Remaining in Packet

  • DRA Pending Replication Synchronizations

  • LDAP Client Sessions

  • LDAP Bind Time

Monitoring DHCP

The DHCP Server performance object provides counters for monitoring activity of the DHCP Server service. For more information about using these counters, see DHCP Concepts.

Monitoring Distributed Transaction Coordinator

The Distributed Transaction Coordinator performance object provides statistics about the activity of the Distributed Transaction Coordinator, a part of Component Services that coordinates external, or two-phase, transactions. See Component Services for more information.

Monitoring QoS Admission Control

QoS Admission Control installs the ACS/RSVP performance object for monitoring purposes. Network administrators should monitor the counters provided by this object when QoS Admission Control is enabled.

Monitoring DNS

The DNS performance object provides statistics about the activity of the DNS service. For more information, see Using System Monitor.

Monitoring Fax Service

The Fax Service object tracks activity of Fax Service while the service is running. It is recommended that you use the counters in conjunction with event log data about fax events to assess service performance.

The following counters can indicate a system problem, such as installation of the wrong modem driver, which prevents the fax from being sent or received:

  • Inbound Failed Receptions. This counter indicates the number of faxes that were not received. This would be a call that was answered without a fax being received.

  • Outbound Failed Connections. This counter indicates the number of faxes that were not sent, for example, because there was no dial tone, no answer, a busy line, or another unknown error.

  • Outbound Failed Transmissions. This counter indicates the number of faxes that could not be sent.

If you see values for these counters, check the event log for details; no dial tone, no answer, or busy lines will be noted. An unknown error could indicate a system problem. In this case, check the phone line for line noise and check the sending and receiving fax devices for an incorrect modem driver.

Monitoring the File Replication service

The File Replication service provides the FileReplicaConn and FileReplicaSet objects to provide information about activity of the File Replication service.

The FileReplicaConn object displays performance statistics of the REPLICACONN object that defines replica connections to DFS roots.

The FileReplicaSet object displays performance statistics of the REPLICASET object that defines a replica set (one or more replicas, shared volumes, or directories that store duplicates of the contents of an original share). The object reports statistics for the computer that constitutes the original share. For example, in a bidirectional ring topology of three computers A, B, and C, where computer A and computer C both replicate from computer B, the FileReplicaSet counters would provide data for computer B.

Monitoring Indexing Service

Indexing Service provides three different performance objects. These are:

  • HTTP Indexing Service object. The counters for this object report statistics regarding queries run by Indexing Service.

  • Indexing Service object. The counters for this object report statistics pertaining to the creation of indexes and the merging of indexes by Indexing Service.

  • Indexing Service Filter object. The counters for this object report filtering activity of Indexing Service.

Use the HTTP Indexing Service\Total requests rejected counter to monitor Indexing Service for server bottlenecks.

For more information, see Indexing Service Concepts.

Monitoring Internet Authentication Service

The following objects report activity of Internet Authentication Service (IAS):

  • IAS Accounting Clients

  • IAS Accounting Server

  • IAS Authentication Clients

  • IAS Authentication Server

Monitoring Internet Information Services

Internet Information Services provides the following counters for monitoring service activity:

  • FTP Service object

  • Internet Information Services Global object

  • Web Service object

  • Active Server Pages object

FTP Service object counters

The FTP Service object counters show data about the anonymous and nonanonymous connections to the File Transfer Protocol (FTP) Server application. The counters can be reported on a per-site basis.

Internet Information Services Global object

The Internet Information Services Global object contains counters that report on bandwidth throttling and on usage of the Internet Information Services (IIS) Object Cache, a cache shared by the IIS services.

Bandwidth throttling is a feature of Internet Information Services that limits the bandwidth used by the IIS services to a value set by an administrator. If the bandwidth used by the IIS services approaches or exceeds this limit, bandwidth throttling delays or rejects IIS service requests until more bandwidth becomes available.

The IIS Object Cache stores frequently used objects and objects that would slow performance if they were retrieved repeatedly. The counters provided report on the size and content of the IIS Object Cache as well as its effectiveness, such as cache hits and misses.

Web Service object

The Web Service object provides counters that show data about the anonymous and nonanonymous connections to the Hypertext Transport Protocol (HTTP) service application and HTTP requests, listed by request method, that have been handled since the Web service was started.

Active Server Pages object

The Active Server Pages object is provided for monitoring applications running on your Web server that use Active Server Pages. To monitor requests processed by calls to Common Gateway Interface (CGI) applications or Internet Server Application Programming Interface (ISAPI) extensions, use counters on the Web Service object.

Monitoring the Phone Book service

The PBServer Monitor performance object monitors activity on the phone book server. The Total Hits/Sec counter is useful in determining the amount of traffic on the phone book server.

Monitoring SMTP

The SMTP Server performance object monitors message activity generated by the Simple Mail Transport Protocol (SMTP) service.

Monitoring telephony counters

If you are using a computer as a telephony server, such as a remote access server, or if you are using a non-Windows driver to enable Windows 2000 Server to emulate a small PBX or telephone switch, monitor the following counters and research server activity if these values are lower than expected:

  • Telephony\ Incoming calls/sec

  • Telephony\ Outgoing calls/sec

  • Telephony\ Total number of calls

Monitoring WINS

WINS installs the WINS Server performance object for monitoring service activity. The WINS Server performance counters are cleared each time you start and stop the service.

For more information about WINS performance counters, see WINS performance monitoring reference.

Monitoring legacy programs

This topic describes how to monitor a 16-bit Windows-based program or an MS-DOS-based program.

In Windows 2000, 16-bit Windows-based programs run as separate threads in a multithreaded process called Windows Virtual DOS Machine (NTVDM). The NTVDM process simulates a 16-bit Windows environment. An MS-DOS-based program runs in its own NTVDM process.

You can monitor a 16-bit program or an MS-DOS-based program running on your computer with System Monitor by monitoring the ntvdm instance of the Process performance object. Note that 16-bit programs running in an NTVDM appear only if they are started in a separate memory space.

If you find that your 16-bit programs are not performing well under Windows 2000, you can access some of the program's properties by right-clicking the name of the program in Windows Explorer and configuring the properties as follows:

  • If the program is in a window and the display performance is slow, on the Screen tab, click Full-Screen.

  • If the program is in a window and seems to pause periodically, click the Misc tab, and set the Idle Sensitivity slider to Low.

It is possible to turn off Compatible Timer Hardware Emulation for the program if performance does not improve by changing the previously described settings. To do so, right-click _Default.pif or the program name, point to Program, and click Windows NT. In the dialog box that appears, clear the Compatible Timer Hardware Emulation check box. This change typically causes a decrease in performance and should be made only if other efforts fail.

Evaluating trends and planning for additional resources

The data you accumulate through daily monitoring provides the information you need for trend analysis and capacity planning. Even if your computer is operating satisfactorily today, it is important to plan for changes in demand by users you may add or by technologies and programs you may deploy. Unanticipated network growth can result in overused resources and poor levels of network service. By characterizing system performance over time, you can justify the need for new resources before the need becomes critical.

Using the data collected from the counters described in Setting up a monitoring configuration, observe how the values for each component change over time. These changes may indicate a need to increase or upgrade components as described in Tuning and upgrade tips by component.

Resources

For a more detailed discussion of performance data and its analysis, see the Windows 2000 Resource Kit.

For information about optimizing programs or writing performance counters for programs, see the Microsoft Web site (http://msdn.microsoft.com/).

For more information about tuning network and service parameters in the registry to optimize performance, you can search for updated information at the Microsoft Web site. See Updated technical information.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

For information about including performance-monitoring functionality in Microsoft Office or Visual Basic applications, see Developing programs for performance monitoring.

Developing programs for performance monitoring

In addition to its wide variety of options that you can configure, System Monitor offers users the ability to extend monitoring capabilities programmatically. Because System Monitor is available as an ActiveX control (Sysmon.ocx in the systemroot\System32 folder) that supports Visual Basic Automation, developers can incorporate the System Monitor control's capabilities into their programs. The simplest way to take advantage of this extensibility is to embed the System Monitor control in a Microsoft Office application such as Microsoft Word. In this manner, you can include System Monitor graphs in reports and print them. For information about how to do this, see To insert the System Monitor control in a Microsoft Word document.

When you have placed the control in a program, you can access the properties, events, and methods by running the Visual Basic Editor from the container program or by running Visual Basic directly.

For information about programming the System Monitor control, see the Microsoft Web site (http://msdn.microsoft.com/).

In addition to programming the System Monitor control, developers can also write new performance counters for programs that do not include them. For information about building performance counters into programs, see the Windows 2000 Resource Kit.

Troubleshooting

What problem are you having?

Counter values consistently equal zero.

Cause: The process being monitored has stopped so there is no data for the process in the performance tools.

Solution: If you stopped the process manually, restart it to see the process in System Monitor. Otherwise, check Event Viewer for concurrent entries. You may find an error associated with this process.

Cause: The counter DLL was disabled after you selected the corresponding counters in a log or display. The performance tools will not detect that the counter was removed or disabled but will report the counter data as zeroes.

Solution: Enable the corresponding counter DLL.

Cause: You lack permissions on the computer being monitored. If you don't have appropriate permissions to monitor the computer, an error message will be displayed when you attempt to select the counter but the counter will still appear in the histogram or graph legend without any data or any graph line.

Solution: An administrator must ensure that your user account has permissions to use the performance tools.

System Monitor shows gaps in its line graphs.

Cause: This could be because data collection was subordinated to higher priority processing activity on a system with a heavy load. When the system has adequate resources to continue with data collection, the graphing will resume as usual. A message appears describing this.

Solution: Reduce the performance overhead of system monitoring.

See also: Best practices

Values recorded in a log don't appear in the graph view.

Cause: The graph is limited to 100 samples.

Solution: Reduce the selected time range.

See also: To use logged data

Objects, counters, or instances seem to be missing or invalid.

Cause: Test routines that run when you start Performance have detected a problem with installed counters and have disabled the counters automatically to prevent the counters from slowing the system. Disabled objects and counters do not appear in the Add Counters dialog box.

Solution: Using Registry Editor, change the value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_name\Performance\Disable Performance Counters from 1 (disabled) to 0 (enabled). Note that counters that have been disabled after initial testing are likely to contain errors and may cause system problems. For information about debugging problems with counter DLLs, see the Microsoft Web site (http://msdn.microsoft.com/).

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Cause: The process that starts the object counters is not started or installed.

Solution: Use Task Manager to verify that the process is running. If so, use Exctrlst.exe on the Windows 2000 Resource Kit companion CD to verify that the counter DLL is enabled.

Cause: The counters haven't been enabled (such as with the Network Segment object counters).

Solution: Make sure that the service or feature that provides the counter has been installed or configured.

Cause: The DLL that installs the counters is generating errors. An example is if the counter does not handle localization functions correctly.

Solution: Check Event Viewer to see whether the counter DLL or the Performance Data Helper reported any errors. If necessary, you can disable counter DLLs that are causing errors by using Exctrlst.exe on the Windows 2000 Resource Kit companion CD.

Cause: You are trying to monitor a 16-bit or MS-DOS application. Only 32-bit processes appear in the instances list. Active 16-bit processes appear as threads running in a Windows Virtual DOS Machine (NTVDM) process.

Solution: Monitor the application via the NTVDM process.

See also: Monitoring legacy programs

Cause: The instance you want to monitor is not currently active. If you are configuring System Monitor to collect real-time data, you can only select active instances for data collection. (If you are viewing logged data, you can select inactive instances for which the log contains data.) If you select the process and it stops after you've selected it, it will continue to appear in the list box but the reported data will be zeroes.

Solution: Make sure the instance is active.

You sometimes see an extremely high value for one instance and not the other when you are monitoring processes of the same name.

Cause: The performance tools sometimes misrepresent data for separate instances of processes with the same name by reporting the combined values of the instances as the value of a single instance.

Solution: Use the instance index and track the Process\ ID Process and Process\ Creating Process ID counters.

When monitoring several threads, if one thread stops its data appears to be reported for another.

Cause: This is because of the way threads are numbered. For example, assume you are monitoring three threads, numbered 0, 1, and 2. If thread 0 stops, the remaining threads are renumbered: the original thread 0 is gone and the original thread 1 becomes thread 0. As a result, data for the stopped thread 0 appears to continue, because instance 0 now carries the data of the thread that was originally numbered 1.

Solution: Use the instance index with Thread ID to track these threads.
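The renumbering described above, reproduced on two constructed Thread object snapshots as an added example that is not part of this help text: keying the samples by the instance index silently splices one thread's data onto another after a stop, whereas keying by the Thread\ ID Thread counter keeps each series intact.

```python
"""Track Thread object instances by ID Thread rather than by instance index.
Added example; the two snapshots below are constructed, not captured."""

# Each snapshot maps instance index -> counters for that thread instance.
SNAPSHOTS = [
    {0: {"ID Thread": 1104, "% Processor Time": 40.0},
     1: {"ID Thread": 1108, "% Processor Time": 5.0},
     2: {"ID Thread": 1112, "% Processor Time": 1.0}},
    # Thread 1104 stopped: original 1 is renumbered 0, original 2 is renumbered 1.
    {0: {"ID Thread": 1108, "% Processor Time": 6.0},
     1: {"ID Thread": 1112, "% Processor Time": 1.5}},
]


def series_by_index(snapshots, counter):
    """What you get by trusting the instance index: a series per index.
    Index 0 switches from thread 1104 to 1108 without any visible break."""
    out = {}
    for snap in snapshots:
        for idx, values in snap.items():
            out.setdefault(idx, []).append(values[counter])
    return out


def series_by_thread_id(snapshots, counter):
    """Series keyed by ID Thread: a stopped thread's series simply ends."""
    out = {}
    for snap in snapshots:
        for values in snap.values():
            out.setdefault(values["ID Thread"], []).append(values[counter])
    return out


def renumbered_threads(before, after):
    """Return ({old_index: new_index} for threads present in both snapshots,
    [ID Thread values that stopped between the snapshots])."""
    id_to_new = {v["ID Thread"]: idx for idx, v in after.items()}
    moved = {idx: id_to_new[v["ID Thread"]]
             for idx, v in before.items() if v["ID Thread"] in id_to_new}
    stopped = [v["ID Thread"] for v in before.values() if v["ID Thread"] not in id_to_new]
    return moved, stopped


if __name__ == "__main__":
    print("by index:    ", series_by_index(SNAPSHOTS, "% Processor Time"))
    print("by ID Thread:", series_by_thread_id(SNAPSHOTS, "% Processor Time"))
    print("renumbered, stopped:", renumbered_threads(SNAPSHOTS[0], SNAPSHOTS[1]))
```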

An error message is displayed if you try to export log data to Microsoft Excel while the Performance Logs and Alerts service is actively collecting data to that log.

Cause: Microsoft Excel requires exclusive access to the log file. Other programs are not known to require this exclusive access; therefore, in general, you can work with data from a log file while the service is collecting data to that file.

Solution: Stop the Performance Logs and Alerts service before trying to use it with Microsoft Excel.

I lost my connection to a remote computer from which I was logging data and I cannot resume logging.

Cause: Logging data from a remote computer requires the use of Remote Registry Service. If the service stops due to failure, by default the system restarts it automatically only once.

Solution: If Remote Registry Service stops more than once, you must restart the service manually on the second and any subsequent failures. To change this default behavior, use Computer Management or Services (on the Administrative Tools menu) to modify the properties for Remote Registry Service.

Help for System Monitor does not appear in MMC Help; only Performance Logs and Alerts is displayed.

Cause: Because System Monitor is designed as an ActiveX control, its behavior differs from other MMC snap-ins. For example, System Monitor Help is not available when you right-click System Monitor and then click Help on the shortcut menu, or when you click Help Topics on the Help menu.

Solution: Click the Help button on the System Monitor toolbar.

Disk Defragmenter

Disk Defragmenter is a system utility for locating and consolidating fragmented files and folders on local volumes.

  • Before defragmenting files or folders, see Checklist: Defragmenting disks.

  • For a list of best practices for Disk Defragmenter, see Best practices.

  • For help with specific tasks, see How to.

  • For general background information, see Concepts.

  • For problem-solving instructions, see Troubleshooting.

Checklist: Defragmenting Disks

Step                                                         Reference
Review key concepts.                                         Disk Defragmenter overview; Best practices
Confirm that you are a member of the Administrators group.   Groups
Analyze the volume.                                          To analyze a volume
Defragment the volume.                                       To defragment a volume
View the report.                                             Viewing reports

Best Practices

  • Analyzing before defragmenting

    Analyze volumes before defragmenting them. This will tell you if you need to take the time to defragment the volume.

  • Analyzing after large file deletion

    Volumes might become excessively fragmented when users delete a large number of files or folders, so be sure to analyze volumes after this happens. Generally, volumes on busy file servers should be defragmented more often than those on single-user workstations.

  • Defragmenting during low-usage periods

    Defragment file server volumes during low-volume usage periods to minimize the effect that the defragmentation process has on file server performance. The time that Disk Defragmenter takes to defragment a volume depends on several factors, including the size of the volume, the number of files on the volume, the number of fragmented files, and available system resources.

How To...

  • Analyze a volume

  • Defragment a volume

To analyze a volume

  1. Open Disk Defragmenter.

  2. Click the volume that you want to check for fragmented files and folders, and then click Analyze.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

  • To open Disk Defragmenter, click Start, point to Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.

  • After the analysis is complete, a dialog box appears and tells you if you need to defragment the volume.

  • To interrupt or temporarily stop analyzing a volume, click Stop or Pause, respectively.

  • For more information about the files and folders that were analyzed, click View Report.

  • You can defragment local file system volumes only, and you can run only one Disk Defragmenter console at a time.

To defragment a volume

  1. Open Disk Defragmenter.

  2. Click the volume that you want to defragment, and then click Defragment.

Notes:

  • You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

  • To open Disk Defragmenter, click Start, point to Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.

  • You should analyze volumes before defragmenting them. Without analyzing them first, you cannot tell whether you need to take the time to defragment volumes.

  • The time that Disk Defragmenter takes to defragment a volume depends on several factors, including the size of the volume, the number of files in the volume, the percentage of fragmentation in the volume, and available system resources.

  • To interrupt or temporarily stop defragmenting a volume, click Stop or Pause, respectively.

  • You can defragment local file system volumes only, and you can run only one Disk Defragmenter console at a time.

Concepts

This section covers:

  • Disk Defragmenter overview

  • Understanding Disk Defragmenter

  • Using Disk Defragmenter

  • Resources

Disk Defragmenter overview

Disk Defragmenter locates fragmented files and folders on local volumes.

When a volume contains a lot of fragmented files and folders, Windows takes longer to gain access to them because it requires several additional disk drive reads to collect the various pieces. Creating new files and folders also takes longer because the free space available on the volume is scattered. Windows must then save new files and folders to various locations on the volume.

Disk Defragmenter moves the pieces of each file or folder to one location on the volume, so that each occupies a single, contiguous space on the disk drive. As a result, your system can gain access to your files and folders and save new ones more efficiently. By consolidating your files and folders, Disk Defragmenter also consolidates your free space, making it less likely that new files will be fragmented.

The process of finding and consolidating fragmented files and folders is called defragmentation. The amount of time that defragmentation takes depends on several factors, including the size of the volume, the number of files on the volume, the amount of fragmentation, and the available local system resources. You can find all of the fragmented files and folders before defragmenting them by analyzing the volume first. You can then see how many fragmented files and folders are saved on the volume and decide whether or not you would benefit from defragmenting the volume.

Disk Defragmenter can defragment volumes that are formatted with the file allocation table (FAT) file system, FAT32, and the NTFS file system.

Understanding Disk Defragmenter

This section covers:

  • Why volumes become fragmented

  • Why files are not moved to the beginning of NTFS-formatted volumes

  • Why the graphic and text views do not agree

  • Consolidating free space on a volume

Why volumes become fragmented

Volumes become fragmented as users create and delete files and folders, install new software, or download files from the Internet. Computers do not necessarily save an entire file or folder in a single space; they save them in the first available space on a volume. After a large portion of a volume has been used for file and folder storage, most of the new files are saved in pieces across the volume. When you delete files or folders, the empty spaces left behind fill in randomly as you store new ones.

The more fragmented the volume is, the slower the computer's file input/output performance will be.

Why files are not moved to the beginning of NTFS-formatted volumes

On NTFS-formatted volumes, Windows reserves a portion of the free space for a system file called the master file table (MFT). The MFT is where Windows keeps all the information necessary to retrieve files from the volume. Windows stores part of the MFT at the beginning of the volume. Because Windows reserves the MFT for exclusive use, Disk Defragmenter does not move files to the beginning of volumes.

Why the graphic and text views do not agree

After you analyze a volume, you can view the results of the process in a colored horizontal bar graph called the analysis display or in a text-based report called the analysis report. If you compare the results in the display with those of the report, you might find that they disagree somewhat. The cause of this disagreement is the relatively low resolution of the analysis display.

Because the analysis display is not large enough to depict each disk cluster in a volume as a vertical colored bar, each bar on the analysis display must represent a grouping of dozens or even hundreds of clusters, depending on the size of the volume and the cluster. And, because fragmented files, contiguous files, system files, and free space can all reside in the same group of clusters, the color of each vertical bar is determined by these rules in the following order:

  1. If any of the clusters in the group is part of a system file, the color is green (system file).

  2. If any of the clusters in the group is part of a fragmented file, the color is red (fragmented file).

  3. If the clusters in the group contain only free space and nonfragmented clusters, the majority wins (>50% free = white, >50% contiguous files = blue).

It is possible to have a solid red analysis display even if the analysis report shows less than 1 percent of the clusters belonging to fragmented files. Conversely, the analysis report could show 20 or 30 percent of the disk free while the analysis display shows no white space at all. This applies to the defragmentation display and the defragmentation report as well.

Use the analysis display only for a general idea of the fragmentation of a volume. For precise, numerical figures, use the analysis report.
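The following is an added example, not code from the original documentation: it simulates how the analysis display colors each vertical bar by applying the three rules above to a group of clusters, and contrasts that with the exact percentages an analysis report would give. The cluster map, bar count and group size are constructed sample inputs; a 50/50 split between free and contiguous clusters, which the rules do not address, is shown as blue here (an assumption).

```python
from collections import Counter

# Cluster kinds and the display colours the page assigns to them.
SYSTEM, FRAGMENTED, CONTIGUOUS, FREE = "system", "fragmented", "contiguous", "free"
COLOR = {SYSTEM: "green", FRAGMENTED: "red", CONTIGUOUS: "blue", FREE: "white"}


def bar_color(group):
    """Colour one vertical bar from its group of clusters, rules applied in order."""
    kinds = Counter(group)
    if kinds[SYSTEM]:          # rule 1: any system-file cluster -> green
        return "green"
    if kinds[FRAGMENTED]:      # rule 2: any fragmented-file cluster -> red
        return "red"
    # rule 3: only free space and contiguous files remain; the majority wins
    # (assumption: an exact tie is drawn as blue)
    return "white" if kinds[FREE] > kinds[CONTIGUOUS] else "blue"


def analysis_display(cluster_map, bars):
    """Split the volume into `bars` equal groups of clusters and colour each bar."""
    per_bar = -(-len(cluster_map) // bars)  # ceiling division
    groups = [cluster_map[i:i + per_bar] for i in range(0, len(cluster_map), per_bar)]
    return [bar_color(g) for g in groups]


def analysis_report(cluster_map):
    """The precise figures: percentage of clusters of each kind, to two decimals."""
    kinds = Counter(cluster_map)
    total = len(cluster_map)
    return {kind: round(100.0 * kinds[kind] / total, 2) for kind in COLOR}


def constructed_volume(bars, per_bar, free_per_bar, fragmented_per_bar):
    """Constructed sample volume: every bar's group gets the same cluster mix."""
    group = ([FREE] * free_per_bar + [FRAGMENTED] * fragmented_per_bar
             + [CONTIGUOUS] * (per_bar - free_per_bar - fragmented_per_bar))
    return group * bars


if __name__ == "__main__":
    # 50 bars of 200 clusters: one fragmented cluster and 60 free clusters per bar.
    volume = constructed_volume(bars=50, per_bar=200, free_per_bar=60, fragmented_per_bar=1)
    print(analysis_display(volume, 50))  # every bar red, although...
    print(analysis_report(volume))       # ...only 0.5% fragmented, 30% free, no white
```

With one fragmented cluster in each group the display is solid red while the report shows 0.5 percent fragmentation, and the 30 percent free space never appears as white because contiguous clusters outnumber it in every group.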

Consolidating free space on a volume

Disk Defragmenter does not consolidate all of the free space on a volume. Although free space fragmented into hundreds of pieces does adversely affect performance, free space split into a few pieces does not. Having all of the free space consolidated in a single location provides very little performance benefit.

Windows system files such as the paging file and master file table (MFT) are opened for exclusive use by Windows at all times; therefore, Disk Defragmenter cannot gain access to these files to defragment them.

For information on how to defragment a volume, see To analyze a volume and To defragment a volume.

Several factors can prevent the free space on a disk partition from being defragmented:

  • A paging file is fragmented.

  • The disk partition contains a large number of directories.

  • On NTFS file system partitions, a portion of the free space on a disk partition is reserved by Windows for the MFT.

Using Disk Defragmenter

This section covers:

  • The Disk Defragmenter window

  • How often to defragment a volume

  • Viewing reports

The Disk Defragmenter window

Disk Defragmenter is split into two main areas. The upper portion lists the volumes on the local computer. The lower portion displays a graphic representation of how fragmented the volume is. The colors of the display indicate the condition of the volume:

  • Red areas show fragmented files.

  • Blue areas show contiguous (nonfragmented) files.

  • White areas show free space on the volume.

  • Green areas show system files, which cannot be moved by Disk Defragmenter. These system files are not part of the Windows operating system but belong instead to the NTFS file system. The green areas appear only on NTFS-formatted volumes.

By comparing the Analysis Display band to the Defragmentation Display band, you can see the improvement in your volume after defragmenting it.

How often to defragment a volume

Because volumes can become highly fragmented when users delete a large number of files or folders from them, be sure to analyze volumes after this happens. Generally, volumes on busy file servers should be defragmented more often than those on single-user workstations.

You can analyze volumes before you decide whether to defragment them. After analyzing a volume, a dialog box tells you the percentage of fragmented files and folders on the volume and recommends a course of action. Analyze volumes regularly and defragment them only when Disk Defragmenter recommends it.

Viewing reports

After analyzing or defragmenting a volume, you can view a report of the process just completed.

When you view a report of the analysis process, the Analysis Report dialog box displays detailed information about the volume that was scanned for fragmented files and folders. This information includes the volume size and the amount of free space available, the number of fragmented files and folders (called directories in the report), and the average fragments per file. The dialog box also displays the path and name of the most fragmented files on the volume and the number of pieces, or fragments, those files are in. If these files are ones that you use frequently, the impact on your system performance might be greater than indicated in Average Fragments per File.

The average number of fragments per file is a good index of how fragmented the files on the volume are. The best figure attainable is 1.00, indicating that all files or nearly all files are contiguous. If the average is 1.10, then 10 percent of the files, on average, are in two pieces. 1.20 means 20 percent, 1.30 means 30 percent, and so on. An average of 2.00 means the files average two fragments each.

After the analysis is complete, Disk Defragmenter displays a dialog box that recommends whether or not to defragment the volume.

Resources

  • Executive Software International

  • Windows 2000 Server family at the Microsoft Windows Web site (http://www.microsoft.com/windows).

  • Microsoft TechNet at the Microsoft TechNet Web site (http://www.microsoft.com/technet).

  • Microsoft TechNet compact disks.

  • Microsoft support at Updated technical information.

  • Getting Started for Windows 2000 Server.

  • Windows 2000 Server Resource Kit.

  • Windows 2000 Server Registry.

Troubleshooting

  • Problem: Gaining access to resources has become slow.

    Cause: The volumes on your hard disk may have become excessively fragmented, possibly because you have recently deleted a large number of files or folders.

    Solution: Defragment the volumes on your hard disk. For more information, see How often to defragment a volume.

  • Problem: The display and report do not agree.

    Cause: The relatively low resolution of the analysis display.

    Solution: Use the analysis display only for a general idea of the fragmentation of a volume. Use the analysis report for precise, numerical figures. This phenomenon applies to the defragmentation display and the defragmentation report, as well. For more information, see Why the graphic and text views do not agree.

  • Problem: There appear to be system files on volumes other than the system and boot volumes.

    Cause: Master file tables (MFT) and paging files appear as system files in Disk Defragmenter.

    Solution: This is by design because MFTs and paging files cannot be moved and therefore cannot be defragmented. For more information, see Why files are not moved to the beginning of NTFS-formatted volumes.

© 2014 Microsoft