Management Infrastructure

Applies To: Windows Server 2008

Windows includes a rich set of services and technologies that together provide a complete Management Infrastructure. You can use the services to access management information, performance information, events and errors, schedule tasks, and perform both local and remote management tasks. Leverage this infrastructure to build custom solutions that address your particular management needs.

Hierarchy of Managed Entities

Managed Entities

Name Description

Windows Event Collector Service

The Event Collector service creates and maintains remote event subscriptions. Each subscription can connect to multiple remote computers that act as event sources, and each subscription can have an event filter associated with it so that only the events that are selected by the filter are delivered by the subscription. The Event Collector service persists the subscriptions, and the service and subscriptions can be managed by functions in the Event Collector software development kit (SDK).

The Event Collector service uses the WS-Management protocol to communicate with the event sources and to transfer events. The Event Collector service also uses the local Event Log service to save the events it receives.

Event Subscriptions

An event subscription uses a query to filter events that are found in a set of event sources, and the events are delivered from the sources to the computer that started the subscription. The delivered events are stored in the local computer event log.

Event Source

An event source is a remote computer that delivers events to the Event Collector service based on the query in the event subscription. Each subscription uses the same query to connect to multiple event sources.

Windows Event Log Service

The Event Log service maintains a set of event logs that the system, system components, and applications use to record events. It must also register event providers and the configuration of the system that is required for events and event traces to be delivered to their destination (event logs and trace files).

The service exposes functions that enable programs to maintain and manage the event logs, configure event publishing, and perform operations on the logs, such as archiving and clearing.

Administrators can maintain event logs and perform administrative tasks using the Wevtutil command-line utility and the Event Viewer MMC plug-in. These operations require administrator privileges. The same utilities allow viewing the contents of the logs and viewing the current status of the service and the logs. These operations may also require administrative privileges, depending on the security descriptor of the log.

Event Providers

Event Providers publish events to event logs. Providers are registered with the event logging and tracing subsystem of the Windows operating system. Their definition contains information required to interpret these events and to display readable strings that are associated with them.

Event Channel

A channel is a pathway that events take between an event publisher and a log file. There is normally a single log file associated with a channel, although there may not be a log file created for channels that have not had any events published to them.

Primary Channels

The System, Application, Setup, and Security channels are the primary channels. Each of these channels correspond to an event log that can be viewed in the Event Viewer. The System and Application channels are used by publishers to log administrator-level events. Such events indicate system or application-wide issues. When error or warning events are published to these channels, the events should indicate that the administrator should take an action to resolve the issue. The Setup channel is used for events associated with setup and installations. The Security channel is the repository of the system audit events.

Security Channel

The Security log is the repository for the system audit events. These events describe security-related actions performed by the operating system (OS) and various components of the OS. The level of detail of the audit events depends on the system configuration settings. The number of events in the Security channel can be large. The events serve a number of purposes, from diagnostics to forensic investigations. Error events found in the Security channel can indicate that the system security is compromised. The system may be configured to restart when errors with the Security log are found.

IPMI Hardware Instrumentation

The Microsoft Intelligent Platform Management Interface (IPMI) driver and WMI IPMI provider supply data from the baseboard management controller (BMC) operations to the operating system.

The IPMI provider and driver perform the following operations remotely. These operations do not depend on the computer CPU, system BIOS, or operating system:

Monitoring

  • BMC sensor data or events from remote computers can be monitored either through the operating system (in-band) or by obtaining data directly from the BMC (out-of-band).

Logging

  • The IPMI provider lets you access the events recorded in the BMC System Event Log (SEL). Each event corresponds to a LogRecord instance in the IPMI provider classes. You can view these events by using the Event Collector tool, Wecutil.cmd. SEL events appear in the Hardware Events Log in the Windows Event Log. You can write custom events, such as retrieving bug check data and shutdown information, to the SEL.

Windows Performance Counters

Microsoft Windows Server 2008 includes operating system performance counters that are installed and enabled by default. These performance counters are collected and used by Windows Reliability and Performance Monitor, as well as by non-Microsoft applications.

Performance Subsystem

The Windows performance subsystem supports the collection of performance counters that are provided in the operating system and by non-Microsoft vendors in support of their applications. It includes the performance counters themselves, Performance Data Helper, Performance Logs and Alerts, and the performance library.

Task Scheduler Service

The Task Scheduler service enables you to perform automated tasks on a computer. With this service, you can schedule any program to run at any time or when a specific event occurs. The Task Scheduler monitors the time or event criteria that you choose and then executes the task when those criteria are met.

The Task Scheduler service controls when tasks are activated, and hosts the tasks that are started by the service. By default, the Task Scheduler service is started when the operating system starts up.

Task Scheduler Tasks

A task is the scheduled work that the Task Scheduler service performs. A task is composed of different components, but a task must contain a trigger that the Task Scheduler uses to start the task and an action that describes what work the Task Scheduler will perform.

Task Scheduler Backward Compatible Tasks

A backward compatible task is compatible with Task Scheduler 1.0.  Task Scheduler 1.0 is used in the Windows XP, Windows Server 2003, and Windows 2000 operating systems.

Task Scheduler Engine

A Task Scheduler engine performs the actions scheduled through the Task Scheduler.

Task Scheduler Backward Compatibility Module

Task Scheduler 1.0 is used in Windows XP, Windows Server 2003, and Windows 2000 operating systems. Task Scheduler 1.0 tasks can be converted to Task Scheduler 2.0 tasks and used on the Windows Vista and Windows Server 2008 operating systems. This conversion is performed through the Task Scheduler backward compatibility module. 

WinRM Infrastructure

Windows Remote Management (WinRM) is an implementation of the WS-Management protocol for Windows operating systems. It is implemented as a Web service and uses the Simple Object Access Protocol (SOAP). It is used for remote management of hardware and software.

WinRM Service

The WinRM service processes WSMan requests received over the network. It uses HTTP.sys to listen on the network.

WMI Infrastructure

Windows Management Instrumentation (WMI) is an infrastructure for distributed management of computers running on a Windows operating system. The infrastructure is a standards-based model specified by the Desktop Management Task Force (DMTF).

WMI Service

The WMI Service is the Windows implementation of a Common Information Model Object Manager (CIMOM) as defined by the Desktop Management Task Force (DMTF). It mediates the interactions between a client application using WMI and the WMI repository and providers.

The WMI service should be automatically started by the Service Control Manager (SCM).