This topic has not yet been rated - Rate this topic

Chapter 8 - Monitoring Performance

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Windows NT Server includes two tools for tracking computer performance:

Performance Monitor enables you to look at resource use for specific components and application processes using charts and reports. With Performance Monitor, you can gauge your computer's efficiency, identify and troubleshoot possible problems (such as unbalanced resource use, insufficient hardware, or poor program design), and plan for additional hardware needs. You can also use alerts to notify you when resource use reaches a specified value.

For comprehensive documentation on monitoring Windows NT Server performance, see the Windows NT Server Resource Kit version 4.0.
Task Manager gives you a quick view of how each application, application component, or system process is using CPU and memory resources, as well as a summary of overall CPU and memory usage.

To run Task Manager, right-click the toolbar, and then click Task Manager. For more information on using Task Manager, see Task Manager Help.

Conceptual Overview

Performance Monitor uses a series of counters that track data, such as the number of processes waiting for disk time, the number of network packets transmitted per second, and the percentage of processor utilization. With this data, you can create charts, set alerts, and format reports that enable you gauge and tune system performance. Data can be displayed as it is collected, stored in logs for later use and comparison, or both.

With Performance Monitor, you can:

View data from any number of computers simultaneously.
Receive immediate feedback on how changes that you make affect the computer.
View and dynamically change charts reflecting current-activity counter values.
Export data from charts, logs, alert logs, and reports to spreadsheet or database programs for further manipulation and printing.
Create an alert log that lists (and, optionally, notifies you) when a counter's value has passed a user-configured threshold.
Create log files containing data about various objects from different computers so you can view information gathered over time. You can use these log files to record typical or usual resource use, look for trends, and project hardware requirements (capacity planning).
Append to one file selected sections of other existing log files to form a long-term archive.
View current-activity reports or create reports from existing log files.
Save individual chart, alert, log, or report settings, or the entire workspace setup, and reuse when needed.

Despite its wide applicability, Performance Monitor does not answer every performance-tuning question. As a broad-based tool, it provides an overview of the computer's performance. Sometimes it can isolate the problem; at other times, you will use it to indicate which specialized tool (such as a profiler, a working set monitor, or a network analyzer, also called a sniffer) to use next.

Starting and Quitting Performance Monitor

Start Performance Monitor from the Administrative Tools submenu on the Start menu or from the command line. When you start Performance Monitor from the command line, you can specify a settings file. If you do not specify a settings file, Performance Monitor searches the current working folder for the default chart file, Default.pmc. The following table shows the settings file types supported by Performance Monitor and the extensions they use.

Settings file type	Settings file extension
Alert	.pma
Chart	.pmc
Log	.pml
Report	.pmr
Workspace	.pmw

You can also specify a computer name in addition to, or instead of, a settings file. That computer then appears as the default computer when you click the Add To command or the Add Counter button.

To quit Performance Monitor, click Exit on the File menu. You can save performance monitor settings for a particular view (chart, alert, log, or report), or you can save the entire workspace.

For information about saving settings, see "Saving Settings" in Performance Monitor Help.

Organizing Your Screen

Performance Monitor consists of four main windows, which you display by choosing to view Chart, Alert, Log, or Report. The same objects and counters are available for monitoring in all four views.

Cc751451.xcp_i01(en-us,TechNet.10).gif

Tip To ensure that Performance Monitor is visible over any other window on your screen, click Always On Top on the Options menu.

When selecting an object to monitor in Log view, all counters for that object and all instances of that object are monitored when you start collecting data in a log file. Later, when you view the results in one of the other view windows, you can selectively view those counters and instances that are of interest to you.

The Data From command on the Options menu enables you to manipulate an existing log file rather than view current activity (the default).

The status bar indicates the data source (current activity or the name of the log file), the size of the log file (if you are logging data), and the number of alerts that have occurred since you were last in Alert view (if you have set alerts).

For more information on working in the Performance Monitor views, see "Using Performance Monitor" later in this chapter.

For information on how to organize your screen, see "Organizing Your Screen" in Performance Monitor Help.

Understanding Counter Organization

When monitoring a system, you actually monitor the behavior of its objects. Windows NT Server uses objects to identify and manipulate system resources. Windows NT Server contains objects to represent individual processes, sections of shared memory, and physical devices.

Performance Monitor groups counters by object type. A unique set of counters exists for the processor, memory, cache, hard disk, processes, and other object types that produce statistical information. Certain object types and their respective counters are present on all systems; other counters, such as transport protocol counters, appear only if the computer is running the associated software. The following object types are available on most computers running Windows NT Server.

Cache	Paging File	Redirector
LogicalDisk	PhysicalDisk	Server
Memory	Process	System
Objects	Processor	Thread

Some object types have several instances. For example, the Processor object type will have multiple instances if a system has multiple processors. The Physical Disk has two instances if a system has two disks. Some object types (the Memory and Server) do not have instances. If an object type has multiple instances, you can add counters to track statistics for each instance, or in many cases, for all instances at once.

Cc751451.xcp_i02(en-us,TechNet.10).gif

Two object types, processes and threads, have a particularly close relationship.

Processes consist of an executable program, a set of virtual memory addresses, and a thread. When a program runs, a Windows NT process is created. A process can be an application (Microsoft Word for Windows, Corel® Draw), a service (Event Log, Computer Browser), or a subsystem (print spooler, POSIX).
Threads are objects within processes that run program instructions. They allow concurrent operations within a process and enable one process to run different parts of its program on different processors simultaneously. Each thread running on a system shows up as an instance for the Thread object type and is identified by association with its parent process. (For example, if Windows NT Explorer has two active threads, Performance Monitor identifies them as Thread object instances Explorer= =>0 and Explorer= =>1.)

Note Instances of the Process object type appear as numbers if they are internal system processes. Other types of processes are identified by the name of the executable file. Only 32-bit processes normally appear in the Instance box, and 16-bit applications running in a Virtual DOS Machine (VDM) appear only if they are started in a separate memory space.

The displayed counter values are either an average over the last two data reads or the last value for the counter. For example, counters that cover a time span, such as Memory Pages/sec, are averaged over the last two data reads (separated by the length of the time interval); whereas threshold counters, such as Process Thread Count, indicate the last value that was read.

When you first start using Performance Monitor, the number of performance counters might seem overwhelming. It is not necessary to be familiar with all performance counters. Some are appropriate only for programmers writing Windows NT platform-based applications; others are useful for vendors who need to test hardware performance.

Tip For help understanding a selected counter, click the Explain button in the Add To dialog box to display the Counter Definition box.

Top Of Page

Looking for Specific Performance Problems

System throughput problems usually occur when the demand for resources (such as microprocessors, memory, hard disks, and networking hardware and software) exceeds supply. Isolating performance problems starts with determining how users, applications, and the operating system interact with each resource. The remainder of this section focuses on counters of interest to system administrators, specifically those counters that indicate something about system and network throughput.

Watching How Applications Use System Resources

You can learn a lot about a system by seeing how various applications use memory. Focus on the %Processor Time and Working Set counters. These counters, which belong to the Process object type, are defined as follows:

% Processor Time The percentage of elapsed time that a processor is busy executing a thread for a particular process. (Notice that % Processor Time is high for the Idle process when the system is not busy.) Working Set The current number of physical memory bytes used by or allocated to a process. This value can be larger than the minimum number of bytes actually needed by the process.

Using these counters, you can generate a report that focuses on all or a subset of the applications running on a computer. The sample report shown below illustrates activity for two applications: Performance Monitor (perfmon) and Paint (mspaint).

Cc751451.xcp_i03(en-us,TechNet.10).gif

This example represents a snapshot of system activity. In a real-time report or chart, certain counter values, such as Working Set, are relatively static, whereas others, such as % Processor Time, change constantly. For example, at application startup, it's normal to see the % Processor Time value climb sharply, decrease, and then level off.

The processor activity for Performance Monitor occurred when it was time to read a new set of counter values. Counters are read at regular intervals set by the user. If you were to double the data retrieval interval and then rerun the sample Report, the % Processor Time counter would decrease by half to approximately 1.20 percent.

Although there was no activity in the Paint program, the operating system allotted memory to it because the program was started. Every program running can use a portion of physical memory — its working set. This counter value changes slowly over time depending on the activity of the application. The working set value is of particular interest when the Available Bytes counter falls below a certain threshold. (The Available Bytes counter belongs to the Memory object type.) This signifies that Windows NT Server is gradually beginning to take memory from the working sets of running applications to ensure that a certain amount of free memory exists. If large numbers of bytes are reallocated, an application's performance decreases.

The following figure shows how Windows NT Server satisfies the memory requirements of Application A by using free (available) bytes. It then begins to replenish the lack of available bytes by gradually taking memory from the working sets of less active programs (Applications B and C).

Cc751451.xcp_i04(en-us,TechNet.10).gif

You can expand sample reports and charts to include more applications and more counters. To understand system activity, watch these and other counter values while changing system activity levels.

Making Sure You Have Enough Memory

Memory usage is perhaps the most important factor in system performance. When memory demand exceeds supply, Windows NT Server moves blocks of code and data, called pages, from random access memory (RAM) to disk to free up space for a process. Some paging is acceptable because it enables Windows NT Server to use more memory than actually exists in physical memory (RAM). Constant paging, however, is a drain on system performance.

When you start Windows NT Server, it automatically creates a paging file (Pagefile.sys) on your system. Windows NT Server uses the paging file to provide virtual memory. The recommended size for the paging file is equivalent to the amount of RAM available on your system plus 12 megabytes (MB). However, the size of the file also depends on the amount of free space available on your hard disk when the file is created. You can change virtual memory settings (paging file size) using the Performance tab of the System option in Control Panel.

Depending on requirements and available disk space, the paging file can expand upward to a user-specified maximum size (also set through the Control Panel). If memory demands decrease, the paging file might shrink back to its original size. When running a large number of applications, it might be necessary to expand the paging file size. (It is more efficient to expand initial paging file size than to extend maximum file size; forcing Windows NT Server to allocate more paging file space slows the start of applications and fragments the disk.)

Checking for Excessive Paging

To confirm whether excessive paging is occurring, add the Avg. Disk sec/Transfer (a physical disk counter) and Pages/sec counter values. If the product of these counters exceeds 0.1, paging is taking more than 10 percent of disk access time. If this occurs over a long period, you probably need more memory.

Next, check for excessive paging due to running applications. If possible, stop the application with the highest working set value, and see if that dramatically changes the paging rate. If you suspect excessive paging, check the Pages/sec counter in Performance Monitor. This counter, which is part of the Memory object type, shows the number of pages that had to be read from disk because they were not in physical memory. (Notice the difference between this counter and Page Faults/sec, which indicates only that data was not immediately available in the specified working set in memory.)

Checking Paging File Size

To see if your paging file is approaching its upper limit, check the actual file size and compare it to the maximum paging file size setting in the System option in Control Panel. If these two numbers are close in value, consider increasing initial paging file size or running fewer applications.

Paging file counters offer another way to see if the size of the Pagefile.sys file is appropriate. The two counters of interest are % Usage and Usage Peak (bytes) under the Paging File object type. If the Usage Peak value approaches the maximum paging file setting, or if % Usage nears 100 percent, consider increasing the initial file size.

If multiple paging files are spread across multiple disk drives, the counter path name of each file appears as an instance of the Paging File object type. You can either add a counter for each paging file or select the Total instance to look at combined usage data for all your paging files.

Monitoring Processor Activity

A process is made up of one or more threads. Each process thread requires a certain number of processor cycles when it runs. If demand exceeds supply, long processor queues develop and system response suffers. To gauge the activity of the processor, check the % Processor Time counter (under the Processor object type). The % Processor Time counter shows the percentage of elapsed time that a processor is busy executing a non-idle thread.

If processor activity is 100 percent, you can assume that a faster processor will improve performance. However, 100 percent processor usage is not necessarily bad, unless the processor queue length is excessive. For example, one application performing a processor-intensive process can easily use 100 percent of the processors time. However, if many processes are queued up waiting for processor time, performance will suffer for all applications. To determine how many process are contributing to processor utilization, use the System Object Processor Queue Length counter. If more than a couple of application processes are contending for the majority of processor time, you might need to install a faster processor or another processor if you are using a multiprocessor system.

Acceptable processor usage can depend on computer activity. If a system is used for computational work, it is reasonable to see heavy processor usage. On servers that are busy processing many requests, sustained 100 percent processor usage is unacceptable.

The Interrupts/sec counter, which measures the rate of service requests from I/O (input/output) devices, is also an important Processor counter. If this counter value increases dramatically without a corresponding increase in system activity, it can indicate a hardware problem.

Monitoring Disk Activity

Disk usage statistics help you balance the workload of network servers. By monitoring disk activity, you can identify the most popular share points and move them to the best-performing equipment. Monitoring disk performance is also important. With proper disk I/O, strain on virtual memory is minimized, and programs run faster. Performance Monitor provides two types of disk counters:

Physical disk counters are important for troubleshooting and capacity planning.
Logical disk counters provide statistics on free space and help pinpoint the source of activity on a physical volume.

Activating Physical and Logical Disk Counters

Windows NT can provide performance data on many aspects of the system. Most of this data is collected automatically and does not require you to issue a command. The one exception is information on the performance of physical and logical disk activity on your own or another computer. Because disk counters can increase disk access time by approximately 1.5 percent on some older x86 computers, Windows NT does not automatically activate the counters at system startup.

For specific instructions on activating the physical and logical disk counters, see "Activating the Physical and Logical Disk Counters" in Performance Monitor Help.

Determining Workload Balance

To balance loads on network servers, you need to know how busy server disk drives are. Use the % Disk Time counter (under the Physical Disk object), which indicates the percentage of time a drive is active. If % Disk Time is high (over 90%), check the Current Disk Queue Length counter to see how many system requests are waiting for disk access. The number of waiting I/O requests should be sustained at no more than 1.5 to 2 times the number of spindles making up the physical disk. Most disks have one spindle, although Redundant Array of Inexpensive Disks (RAID) disks usually have more. A hardware RAID device appears as one physical disk in Performance Monitor, while RAID device created through software appear as multiple drives (instances). You can either add the Physical Disk counters for each non-RAID physical drive listed in the Instance box, or you can select _Total instance to monitor data for all the computer's drives.

If Current Disk Queue Length and % Disk Time values are consistently high, consider upgrading the disk drive or moving some files to an additional disk or server.

Note If you are using a RAID device, the % Disk Time counter can indicate a value greater than 100 percent. If it does, use the Avg. Disk Queue Length counter to determine how many system requests are waiting for disk access.

Tracking Disk Performance

The Avg. Disk sec/Transfer counter reflects how much time a disk takes to fulfill requests. A high value might indicate that the disk controller is continually retrying the disk because of failures. For most disks, high average disk transfer times correspond to values greater than 0.3 seconds. A missed disk revolution typically adds 16 milliseconds to average disk transfer time.

Cc751451.xcp_i05(en-us,TechNet.10).gif

You can also check the value of Avg. Disk Bytes/Transfer. A value greater than 20K indicates that the disk drive is generally performing well; low values result if an application is accessing a disk inefficiently. Applications that access a disk at random also raise Avg. Disk sec/Transfer times because random transfers require increased seeking time.

Monitoring Network Activity

At a minimum, network monitoring typically consists of two activities: watching server performance and measuring overall network traffic. On a Windows NT network, use Performance Monitor to track server performance and to troubleshoot if a problem occurs. If you enable the Network Monitor Agent, you can use network-related objects with Performance Monitor to analyze overall network performance.

For information on monitoring overall network traffic, see Chapter 10, "Monitoring Your Network."

Watching Server Throughput Statistics

Windows NT Workstation and Windows NT Server include networking software that enables them to act as a client or a server. Redirector software (Rdr.sys) transmits requests; Server software (Srv.sys) receives and interprets incoming messages. (Redirector and Server software are represented in the user interface as the workstation and server services, respectively.) Each computer running Windows NT also uses at least one type of protocol software to handle packet formatting and routing. Windows NT supports several protocols, including NetBEUI and TCP/IP.

The Redirector (Rdr.sys), Server (Srv.sys), and protocols (NetBEUI and TCP/IP if installed) each generate a set of statistics that appear as Performance Monitor counters. (Other protocols can also generate counters.) Abnormal network counter values often indicate problems with a server's memory, processor, or disks. For that reason, the best approach to monitoring a server is to watch network counters in conjunction with previously discussed counters, such as % Processor Time, % Disk Time, and Pages/sec.

For example, if a dramatic increase in Pages/sec is accompanied by a decrease in Bytes Total/sec handled by a server, the computer is likely running short of physical memory for network operations. Most network resources, including network adapter cards and protocol software, use nonpaged memory. If a computer is paging excessively, it could be because most of its physical memory has been allocated to network activities, leaving a small amount of memory for processes that use paged memory. To verify this situation, check the computer's system event log for entries indicating that it has run out of paged or nonpaged memory.

The following table lists various network counters. By observing these counter values over a period of time, you can gain knowledge of network operations.

Object type	Counter	Description
Server	Bytes Total/sec	The number of bytes sent and received from the computer each second. This counter indicates the computer's rate of activity.
Server Work Queues	Queue Length	The current length of the server work queue for this CPU. A sustained queue length greater than four indicates possible processor congestion. This counter is an instant read, not an average over time.
NetBEUI	Frame Bytes Received/sec Frames Received/sec	Bytes and frames sent to this computer's network address. The ratio of Frame Bytes to Frames Received (the number of bytes per frame) should remain fairly constant.
	Frames Rejected/sec	Frames received by the computer that were incorrect and therefore had to be resent. The ratio of Frames Rejected to Frames Received should be low.
NetBEUI Resource	Times Exhausted	A cumulative counter that indicates the number of times since system startup that certain network resources were unavailable. A sharp and consistent increase in values for instances 0 through 4 (links, addresses, address files, connections, and requests) usually indicates network problems.

Monitoring Overall Network Traffic

If network traffic exceeds local area network (LAN) capacity, performance typically suffers across the network. To prevent this situation, it is important to monitor network-wide traffic levels, particularly on larger networks with bridges and routers, using the Network Segment object. When monitoring network traffic, three network segment counters are of special interest.

Counter	Description
% Network utilization	Indicates how close the network is to full capacity. The threshold depends on your network infrastructure and topology. If the value of the counter is above 40 percent, collisions can cause problems.
Total frames received/second	Indicates when bridges and routers might be flooded.
Broadcast frames received/second	Can be used to establish a baseline if monitored over time. Large variations from the baseline can be investigated to determine the cause of the problem. Because each computer processes every broadcast, high broadcast levels mean lower performance.

To analyze these statistics for your network segment, install the Network Monitor Agent. The Network Monitor Agent collects statistics from the computer's network adapter card by putting it in promiscuous mode, a state in which the network adapter card can be directed by a device driver to pass on to the operating system all the frames that pass over the network. To determine if your card supports promiscuous mode, see the documentation that accompanies the card.

For instructions on installing Network Monitor Agent, see "Installing the Network Monitor Agent" in Performance Monitor Help.

Using Performance Monitor with TCP/IP Services

When Transmission Control Protocol/Internet Protocol (TCP/IP) services are installed, performance objects are added for all elements of the TCP/IP protocol suite. The following table describes the performance objects for each element.

TCP/IP Object Type	Description
FTP Server	The File Transfer Protocol (FTP) Server connection and files transfer statistics.
ICMP	The send and receive rates of Internet Control Message Protocol (ICMP) messages. The counters also describe various error counts for the ICMP protocol.
IP	The send and receive rates of Internet Protocol (IP) datagrams. The counters also describe various error counts for the IP protocol.
Network Interface	The send and receive rates of bytes and packets over a Network TCP/IP connection.
TCP	The send and receive rates of Transmission Control Protocol (TCP) segments. In addition, these counters describe the number of TCP connections in each of the possible TCP connection states.
UDP	The send and receive rates of User Datagram Protocol (UDP) datagrams. These counters also describe various error counts for the UDP protocol.
WINS Server	The rates at which Windows Internet Name Service (WINS) queries, conflicts, renewals, registrations, and releases occur.

To view counters specific to TCP/IP processes, select the appropriate object in the Add To Chart dialog box in Performance Monitor. For information about specific performance counters, click Explain.

Important To use TCP/IP performance counters in Performance Monitor, you must install the Simple Network Management (SNMP) service. The FTP Server, DHCP Server, WINS Server, and DNS Server performance objects are available only when you install both the service and the SNMP service. For more information on installing SNMP, see "Installing SNMP Service" in Help.

The FTP Server and WINS Server performance counters are cleared each time you start and stop the respective service.

Summary of Counters to Watch

The threshold values of your particular system depend on many factors:

Network infrastructure and topology
Server use (application or a file and print services)
Resource use (computational operation or disk I/O operations)

Counter values that exceed the following guideline thresholds can indicate a performance problem:

Object	Counter	Threshold
Processor	% Processor Time	85%
Server	Sessions Errored Out1	5
	Work Item Shortages	3
	Pool Paged Peak	Amount of physical RAM
LogicalDisk	% Free Space	85%
	% Disk Time	90%
Paging File	% Usage2	99%
Redirector	Network Errors/sec1,3	5 per second
	Reads Denied/sec	5 per second
	Writes Denied/sec	5 per second
	Server Sessions Hung	5
	Current Commands	Number of NICs installed plus 2
Physical Disk	Current Disk Queue Length4	Number of spindles plus 2
Server Work Queues	Queue Length4	4
System	Processor Queue Length4	2

1 To reset this counter, you must restart the server.
2 There is other information stored in the paged file that can make this counter difficult to interpret.
3 Generally indicates problems with the redirector that the server is trying to communicate with, not the computer you are monitoring.
4 Observe this counter over several intervals.

Top Of Page

Solving Performance Problems

As noted earlier, performance problems usually occur because of excessive demand for resources (typically microprocessors, disks, memory, and network components). In addition, resource shortages can occur because:

Resources are not sharing workloads evenly.
A resource is malfunctioning.
An application is monopolizing a particular resource.
A resource is incorrectly configured.

Because Windows NT Server is a self-tuning system, most performance problems are resolved by correcting one of the problems mentioned in the preceding list.

When a user complains of a performance problem, try to identify which resource is in short supply by examining key performance counters and checking event logs for possible errors. Compare the performance of network and non-network applications to see if you can isolate the source of the problems.

The objects and counters discussed in "Looking for Specific Performance Problems" should allow you to isolate the problem. Once you've identified it (there might be more than one), try to determine whether the resource is just overused, broken, or the victim of a badly written application. Take a careful look at the sources of system activity: Which processes are most active? Is one application or thread monopolizing the resource?

If you cannot solve the performance problem by changing resource use, you might be able to correct the problem by tuning Windows NT Server. If you believe you need to add or upgrade your hardware to correct a performance problem, see "Improving Performance by Upgrading Hardware" later in this chapter.

Tuning Windows NT Server Settings

An obvious way to solve performance problems is to add more resources. This method is often an unsatisfactory solution, however, because it is expensive and might not fix your problems. Before adding memory or disk drives, experiment with the following alternatives:

Create multiple paging files — one for each physical disk and controller on a system. Spreading paging files across multiple disk drives and controllers improves paging performance because each disk can issue I/O commands concurrently. If you have two disks and one paging file, put Windows NT system files on one disk and your paging file on the other. Use the System option in Control Panel to create new paging files.
Determine the correct size for your paging file. In response to paging activity, Windows NT Server expands paging file size to a user-specified maximum size (set through the System option in Control Panel). However, it is better to make sure initial paging file size matches system application requirements. Forcing Windows NT Server to expand file size slows the start of applications and fragments the disk.
Run memory-intensive applications at times when the system is not busy, or run them on your highest-performance computers.
Make sure the load on network servers is balanced. Distribute applications among servers until each computer displays reasonably equivalent values for the counters listed in the preceding table.
Configure your network so that systems shared by the same group of people are on the same subnetwork.
On servers, use Disk Administrator to create stripe sets on multiple disks. This solution increases throughput because I/O commands can be issued concurrently.
Unbind infrequently used network cards by clicking the Bindings tab in the Network option in Control Panel.
If there are no wide area network (WAN) links in the network, and if there is no need to connect to any devices other than computers running Windows NT Server, equip your servers with a small, fast protocol such as NetBEUI. If you need WAN internet capability, add the TCP/IP protocol. With both stacks supported on all servers, you can benefit from NetBEUI performance when connecting to local computers and still be able to connect over WANs to other networks. You can install additional protocols using the Network option in Control Panel.

If you are using more than one protocol, you can set the order in which the Workstation and NetBIOS software bind to each protocol (you can find the list order by choosing the Bindings button in the Network option in Control Panel). You can change the list order for one of the following reasons:
- If the protocol you use most frequently is first in the binding list, average connection time decreases.
- Some protocols are faster than others for certain network topologies. Putting the faster protocol first in the bindings list improves performance.
Note There is no reason to reorder Server bindings because the Server accepts incoming connections on the basis of the protocol chosen by the client computer.
Configure server memory settings to match network activity. This step is discussed in more detail in the following section, "Tuning Memory Settings."

For tuning suggestions related to the TCP/IP protocol and other supported protocols, see the Windows NT Server Networking Supplement.

Tuning Memory Settings

You can increase network responsiveness by tuning the memory Windows NT Server allocates for server operations. Memory settings are changed using the Network option in Control Panel.

Four memory settings are available:

Minimize Memory Used

Allows memory to be allocated for up to approximately 10 network connections.
Balance

Provides memory for up to approximately 64 connections (default).
Maximize Throughput for File Sharing

Allocates maximum memory for file sharing operations.
Maximize Throughput for Network Applications

Optimizes server memory for distributed applications that do their own memory caching, such as Microsoft SQL Server.

Consider changing memory settings if network interactions seem slow or if entries in a computer's system event log indicate that there is not enough memory for network operations. If physical memory is abundant, there is little penalty for increasing the amount of memory available for network operations. However, if physical memory is limited, such memory allocation can diminish overall system performance. Unlike user applications, which use a portion of memory that can be temporarily transferred to disk, network operations generally use nonpaged memory. The more nonpaged memory allocated to the network, the more such memory becomes scarce for the operating system and other processes that require it.

Improving Performance by Upgrading Hardware

If you isolate the source of a performance problem but cannot resolve it with one of the previously mentioned configuration changes, you might be able to improve performance by adding or upgrading hardware.

Make sure you have enough memory. Depending on the size of your network, server memory requirements range from 16 MB on up.
Install faster hard disks or disk controllers (or both).
Install a high-performance network adapter card in the server. If your server uses an 8-bit adapter card, you can significantly increase performance by replacing it with a high-performance 16-bit or 32-bit card.
Use multiple network adapter cards. Windows NT Server supports multiple adapter cards for a given protocol and multiple protocols for a given card. Although this configuration can create distinct networks that cannot communicate with one another, it is a way to increase file-sharing throughput.

Top Of Page

Planning for Additional Resources

Unanticipated network growth can result in overused resources and poor levels of network service. By characterizing system performance over time, you can justify the need for new resources before you get into a panic situation.

Capacity planning starts with daily measurement tracking. Initially, you might log at five-minute intervals throughout the day and then relog the files with the intervals increased to 15 minutes and the time window focused on the most active two hours of the days. Append these two hours' worth of information to an ongoing archive log you created.

Tracking the measurements in the following list provides a good starting point for resource planning.

Object type	Counter
Processor	% Processor Time, Interrupts /sec
System	File Read/write operations/sec
Memory	Pages/sec, Available Bytes
Server	Bytes Total/sec
Physical Disk	% Disk Time, Avg. Disk sec/Transfer
Logical Disk	% Free Space

For more information on relogging log files, see "Working With Log Files," later in this chapter.

Top Of Page

Running Performance Monitor

No matter which view you select — Chart, Alert, Report, or Log — there is a standard approach to accessing and working with information. From either your computer or another computer on the network that is running Network Monitor Agent, you can:

Delete either a full screen of information or a selected counter.
Update the display manually, set the automatic updating frequency, or switch to only manual updates.
Select the automatic updating frequency.
Press ALT+PRINTSCREEN to capture a graphical view of the current window.
Use the Export command to save the data in a tab-delimited (.tsv) or comma- delimited (.csv) text file so that you can manipulate the data in a spreadsheet or database program.

Note The time-interval settings affect the amount of memory and processor time used by Performance Monitor. Monitoring is a burden on processor time or memory only if you retrieve a lot of data very frequently from a large number of computers.

For information on	See this topic in Performance Monitor Help
Exporting data to a spreadsheet or database program	Exporting Data
Printing a snapshot of the window display	Printing a Snapshot of the Window Display
Updating the screen in any view and changing the updating method within each view	Updating the Display
Clearing the values displayed on the screen and deleting a selection	Clearing the Display vs. Deleting Selections

Charting Current Activity

Customized charts that monitor the current performance of selected counters and instances are useful when:

Investigating why a computer or application is slow or inefficient
Continuously monitoring systems to find intermittent performance problems
Discovering why you need to increase capacity

For information on using the chart view, opening an existing chart settings file, and creating a new blank chart, see "Working with Charts" in Performance Monitor Help.

Adding Counters to a Chart

Different problems require different settings. Creating charts to reflect these different requirements is a simple matter of selecting the computer to be monitored and adding the appropriate objects, counters, and instances. You can then save these selections under a file name for viewing whenever you want an update on their performance.

To enhance the readability of graphs, vary the scale of the displayed information and the color, width, and style of the line for each counter as you add it to the chart. You can also modify these properties after you add a selection.

The following table shows which options can be changed by editing the chart line

To	Select an option under
Use colors to reflect your personal preferences	Color
Change the scale at which the information is displayed	Scale
Make the line thicker or thinner	Width
Use a different style with a thin line	Style

You can change the scale at which you graph the counter information to display the activity more in the center of the chart. The scale factor is applied to all currently selected counters. The factor displayed is multiplied by the counter value, and the product is charted. However, the value bar continues to show the actual value, not the scaled value.

Performance Monitor also has a chart-highlighting feature that enhances the visibility of a selected counter by changing its on-screen color to white. To select and clear this feature, press CTRL+H.

For information on adding selections to a chart and saving chart selections in a settings file, see "Adding Chart Selections" in Performance Monitor Help.

For information on changing how a selected counter is represented on the chart, see "Changing Chart Selections" in Performance Monitor Help.

Using Chart Options

Using Chart Options, you can customize your charts and change the method used for updating the chart values. Click Chart on the Options menu, or click the Options button on the toolbar to see the Chart Options dialog box. In this dialog box, you can:

Specify whether to display or hide horizontal and vertical grid lines, vertical labels, the value bar, and the legend and legend-information area.
Change the vertical maximum value of the displayed graph labels and the time interval used for graphing the information from the counters. (The selected graph-time interval is reflected in the value bar, which also displays the last, average, minimum, and maximum values for the data visible in the chart.)
Change the display from a graph format to a histogram bar-type representation (useful for viewing the simultaneous behavior of many instances of the same object).

For information on how to change chart options, see "Changing the Chart Options" in Performance Monitor Help.

Setting Alerts on Current Activity

The Alert View enables you to continue working while Performance Monitor tracks events and notifies you as requested. Use it to create an alert log that monitors the current performance of selected counters and instances for objects on Windows NT Server.

With the alert log, you can monitor several counters at the same time. When a counter exceeds a given value, the date and time of the event are recorded in the Alert view. One thousand events are recorded, after which the oldest event is discarded when the next new one is added. An event can also generate a network alert. When an event occurs, you can have a specified program run every time or just the first time that it occurs.

For specific instructions on using the Alert view, opening and existing alert log settings file, and creating a new blank alert log file, see "Working with Alerts" in Performance Monitor Help.

Adding Counters in the Alert View

You can create alert logs to warn yourself about problems in different situations. You can then save these selections under a file name and reuse them when you want to see if the problems have been fixed.

Adding counters in alert view is similar to adding counters in other views. However, when you set an alert, you specify under what conditions an alert is logged by selecting alert logging if any counter is over or under a value you specify. You can also have Performance Monitor run a program either the first time or every time the alert is logged.

Note When you configure Performance Monitor to run a program when an alert occurs, the program might not work properly or error messages can appear. This problem occurs because Performance Monitor passes the Alert condition as a parameter to the program. If a program run from Performance Monitor does not work properly, create a one-line batch file that runs the program, and call the batch file from Performance Monitor.

When Performance Monitor is logging alerts, a list of your selections appears in the Alert Legend box at the bottom of the window. Performance Monitor displays the resulting alerts in the Alert Log box.

If an alert occurs while you are not using the Alert view, an alert symbol appears in the status bar showing the number of alerts that have occurred since you were last in the Alert view.

When a remote computer that is being monitored shuts down, an alert occurs and creates a comment in the alert log. Another alert occurs (with another corresponding comment) when that computer later reconnects.

For information on adding selections to an alert log and saving alert log selections in a settings file, see "Adding Alert Selections" in Performance Monitor Help.

For information on how to change the way a selected counter is represented in the alert log or update alert log selections that have been saved in a settings file, see "Changing Alert Selections" in Performance Monitor Help.

Using Alert Options

Choosing the Alert command on the View menu enables you to specify not only the alert interval but also the alert method. Specify one or all of the following:

Switch to the Alert view
Log the event in the Event Viewer Application log
Send a network alert message to yourself or someone else

Note To send a network alert message to yourself or someone else, the Messenger service must already be started and the network name defined on the recipient's computer.

For information on how to change alert options, see "Changing the Alert Options" in Performance Monitor Help. For more information on starting the Messenger service or adding a network name, type net start messenger /? and net name /?.

Creating Reports

The Report view lets you display constantly changing counter and instance values for selected objects. Values appear in columns for each instance. You can adjust report intervals, print snapshots, and export data.

For information on using the Report view, opening an existing report settings file, or creating a new blank report file, see "Working with Reports" in Performance Monitor Help.

Using Report Selections and Options

Creating reports using current activity can help you gain a better understanding of object behavior:

Create a report on all the counters for a given object, and then watch them change under various loads.
Create reports to reflect the same information that you are charting or to monitor other specific situations. Then save these selections under a file name, and reuse them when you need an update on the same information.

After you add selections to a report, a list of your selections by computer and object appears in the report area. Performance Monitor displays the changing values of your selections in the report.

For information on how to add objects, counters, and instances to a report or to save report selections in a settings file, see "Adding to a Report" in Performance Monitor Help.

For information on how to change the reporting time interval, see "Changing the Report" in Performance Monitor Help.

Logging Current Activity

By logging, you record information on the current activity of selected objects and computers for viewing later. You can also collect data from multiple systems into a single log file, which contains detailed data for detecting performance problems or other detailed analysis. For capacity planning, you must view trends over a longer period, which requires the capability to create a log file and to produce reports from that file. For example, create different logs to accumulate information on the performance of selected objects on various computers to be studied later. Save these selections under a file name, and reuse them when you want to create another log of the same type of information for comparison.

Setting Logging Options

The Log view has a display area for listing objects and the corresponding computers you selected with the Add To Log command on the Edit menu. All counters and instances are logged for a selected object.

Clicking the Log command on the Options menu enables you to start or stop logging and to change the method used for updating the log values.

The Log view displays a list of objects and computers along with the current file size. You can specify the following in the Log Options dialog box:

Complete path and name of the log file.
Log Interval in seconds, from 1 to 3600 seconds (1 hour).
Status, either Collecting or Closed.

After you start logging, a log symbol with the changing total file size appears on the right side of the status bar and remains there in all four views.

When a remote computer from which you are logging data shuts down, a bookmark comment is added to the log file. Another bookmark comment is added when that computer later reconnects and logging starts again.

For information on how to change log options or start or stop logging, see "Working with Information from Log Files" in Performance Monitor Help.

For information on adding selections for logging or saving your log selection settings, see "Adding to a Log" in Performance Monitor Help.

Adding Bookmarks

Log files become more usable when you add bookmarks at various points while logging. With bookmarks, you can highlight major points of interest or describe the circumstances under which the file was created. You can then easily return to these locations when you work with the log file. The Bookmark command becomes available when you start logging.

To add a bookmark, click Bookmark on the Options menu or the Bookmark button on the toolbar.

Working with Input from Log Files

Log files can provide a wealth of information for troubleshooting or planning. Whereas charting, setting alerts, and creating reports on current activity provide instant feedback, working with log files enables you to track counters over a long period of time, allowing you to examine information more thoroughly, and document system performance.

The fundamental approach to analyzing data is the same, whether your data source is current activity or a log file. You can still create charts, set alerts, and create reports. However, you can also move around in a log file (that is, change the start and stop times) by clicking the Time Window command on the view's Edit menu. The times selected apply to all four views. After you open a log file, the Time Window command on the Edit menu is available. The time window enables you to use the following methods to specify how much information you want to display:

Change the starting and stopping points by moving the corresponding end of the time interval slide bar. This method is the easiest way to adjust the time interval if you don't have bookmarks set in your log for the purpose of adjusting the time window.
Use bookmarks as starting or stopping points.

For information on	See this topic in Performance Monitor Help
Selecting an existing log file	Selecting an Existing Log File
Charting an input log file	Working with Information from Log Files
Setting alerts on an input log file	Setting Alerts on Input Log Files
Creating a report from an input log file	Reporting Based on Input Log Files
Moving around in a log file	Changing the Time Window

Relogging Input Log Files

When your data source is an existing log file, you can relog the data to another log file or to the same log file. By changing certain options when relogging, you can significantly condense large log files.

You can relog with a longer time interval either all or only selected objects in an existing log file. You can also change the start and stop times and relog only the data within that time frame.

When you direct output to an existing log file, the output is appended to the end of the file. You can use this feature to create a single archive file to manage your log files. For example, if you collected data at a one-minute interval and relogged it at a five-minute interval, you condense your data to use only 20 percent of the disk space.

Note To enable the Relog File button, you must first provide a file name and select objects to log.

For information on how to relog an input log file, see "Relogging Input Log Files" in Performance Monitor Help.

Enabling Windows NT Event Error Logging

To log Performance Monitor errors to the Event Viewer Application log, use the Registry Editor to create or assign the following registry key value:

Subtree	HKEY_CURRENT_USER
Key	\Software\Microsoft\PerfMon
Name	ReportEventsToEventLog
Type	REG_DWORD
Value	1

The change takes effect the next time Performance Monitor is started. You can update the Emergency Repair Disk to reflect these changes.

If ReportEventsToEventLog is set to 1 (the default is 0), Performance Monitor logs an error in the application event log every time it receives a counter value that is inconsistent or in error. For example, when Performance Monitor truncates a value to 0 or 100, it logs an event. The Performance Monitor events can be used to explain unexpected counter values.

For information on how to enable error logging, see "Enabling Windows NT Event Error Logging" in Performance Monitor Help.

Top Of Page

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)