Chapter 10 - About Performance Monitor

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Performance Monitor is a Windows NT 4.0 Administrative Tool for monitoring the performance of Windows NT workstations and servers. It uses a series of counters to track data, such as the number of processes waiting for disk time, the number of network packets transmitted per second, and the percentage of processor utilization. You can watch this data in real time, log it for future study, use it in charts and reports, and set alerts to warn you when a threshold value is exceeded.

What's New in Performance Monitor


With Performance Monitor for Windows NT 4.0, several new features, new counters, and a new counter type have been added. This section is intended for people who are familiar with Performance Monitor for Windows NT 3.51 and just need an update.

The _Total Instance

Performance Monitor for Windows NT 4.0 has a new instance, _Total, for counters in the Process, Thread, Paging File, Physical Disk, and Logical Disk objects. _Total is the sum of counter values for all instances of the object. The _Total counters are useful for screening and are easier to read than a chart of all instances.

However, the _Total instance doesn't make sense for some counters. For example, the total of Process ID or Thread ID has no meaning. In these cases, Performance Monitor displays a zero for the _Total instance.

You can change the name of the _Total instance by editing the configuration registry entry, TotalInstanceName.

Subtree: HKEY_LOCAL_MACHINE

Key: \Software\Microsoft\WindowsNT\CurrentVersion\Perflib

Name: TotalInstanceName

Type: REG_SZ

Values: InstanceName (_Total is the default.)

Monitoring Instances with the Same Name

Performance Monitor can now recognize and monitor instances of objects with the same name. If you start two copies of Microsoft Word, for example, both will appear in the instances box for the process object, and Performance Monitor can monitor both.


Note This does not apply to Alert view. You can only set an alert on the first instance of an object with each name. All instances will appear in the Instances box for the counter, but only data collected from the first instance will trigger an alert.

Performance Monitor associates the name of a process with the first set of data it receives for that name. Any additional processes with the same name are associated with subsequent sets of data for that name.

This new ability to associate names and data might produce unreliable data when processes are stopped and new processes with the same name are started. A process might be associated with the wrong set of data.

If your data is suspect, chart Process: Process ID. If the Process ID changed during the course of the process, then data for more than one instance is combined. If you are working with logged data, you can use the Time Window to limit the data displayed to the part associated with each Process ID. For more information, see "Monitoring Threads."
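The Process ID check described above can be run over logged data that has been exported to a comma-delimited file. This Python sketch is an added example, not part of the original chapter; the column names and sample rows are constructed for illustration and are not Performance Monitor's actual export layout.

```python
import csv
import io
from collections import namedtuple

# Constructed sample export: two same-interval instances. "winword" changes
# Process ID partway through the log, "notepad" does not.
SAMPLE_CSV = """\
Time,Instance,Process ID,% Processor Time
10:00:00,winword,212.000,4.0
10:00:00,notepad,97.000,1.0
10:01:00,winword,212.000,6.0
10:01:00,notepad,97.000,0.5
10:02:00,winword,212.000,5.0
10:02:00,notepad,97.000,1.5
10:03:00,winword,340.000,60.0
10:03:00,notepad,97.000,1.0
10:04:00,winword,340.000,58.0
10:04:00,notepad,97.000,1.0
10:05:00,winword,340.000,62.0
10:05:00,notepad,97.000,1.0
"""

Segment = namedtuple("Segment", "instance pid start end samples avg_cpu")


def split_by_pid(csv_text):
    """Split each instance's samples into runs that share one Process ID.

    Each returned Segment gives the time range to select with the Time
    Window so that only one process's data is displayed.
    """
    finished = []
    open_runs = {}  # instance name -> run currently being accumulated
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Instance"]
        pid = int(float(row["Process ID"]))  # tolerate values such as "212.000"
        run = open_runs.get(name)
        if run is None or run["pid"] != pid:
            if run is not None:
                # The Process ID changed: the name now refers to another process.
                finished.append(_close(name, run))
            run = open_runs[name] = {"pid": pid, "start": row["Time"], "cpu": []}
        run["end"] = row["Time"]
        run["cpu"].append(float(row["% Processor Time"]))
    finished.extend(_close(name, run) for name, run in open_runs.items())
    return finished


def _close(name, run):
    """Turn an accumulated run into an immutable Segment."""
    cpu = run["cpu"]
    return Segment(name, run["pid"], run["start"], run["end"],
                   len(cpu), sum(cpu) / len(cpu))


def suspect_instances(segments):
    """Names whose data spans more than one Process ID (combined data)."""
    counts = {}
    for seg in segments:
        counts[seg.instance] = counts.get(seg.instance, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    segs = split_by_pid(SAMPLE_CSV)
    print("Suspect instances:", suspect_instances(segs))
    for seg in segs:
        print(seg)
```

Averaging the whole "winword" series would blend two unrelated processes; the per-segment averages keep them apart.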

New Disk Counters

The Physical Disk and Logical Disk objects have a new set of counters designed for multidisk sets, like mirror and stripe sets and RAID (Redundant Array of Inexpensive Disks) systems.

The new disk counters, Avg. Disk Queue Length, Avg. Disk Read Queue Length, and Avg. Disk Write Queue Length, use the same data as % Disk Time. However, they display the data as a decimal rather than a percentage, so it can exceed 100%. This is necessary for measuring multiple disks where total disk time often exceeds 100% of a single disk.

For more information on these counters, see "Monitoring Disk Sets" in Chapter 14, "Detecting Disk Bottlenecks."

Cache Counter Changes

This release brings a new cache counter, Cache: Read Aheads/sec, and a redefinition of some original counters. For more information, see Chapter 15, "Detecting Cache Bottlenecks."

The Cache hit counters have been changed: They now measure the percentage of hits, regardless of the number of pages found. This better reflects the costs and benefits of cache hits and misses. The frequency of hits is much more important than the size of the hit.

The affected counters are:

  • Cache: Copy Read Hits %

  • Cache: Data Map Hits %

  • Cache: MDL Read Hits %

  • Cache: Pin Read Hits %

For more information, select each of these counters from the Add to Chart dialog box and click the Explain button.

Cache: Read Aheads/sec is a new Performance Monitor counter that counts read aheads in each second and averages the values over the last two timed intervals. A read ahead occurs when the Cache Manager detects that a file is read sequentially and moves larger blocks of sequential data into the cache. Read aheads are more efficient because more data is moved in each disk operation and fewer disk operations are required.

Telephony Counters

Performance Monitor now includes a set of counters for monitoring telephone equipment attached to or associated with a computer, including telephones, telephone lines, and modems. Windows NT 4.0 Workstation and Server include a telephone device application program interface (TAPI) that allows Windows NT applications to communicate with telephone devices without regard to the characteristics of the device. The new Performance Monitor counters let you monitor devices that use TAPI.

The telephony counters are listed in Performance Monitor under the Telephony object. Counters include numbers of telephone devices, telephone lines, active lines, incoming and outgoing calls, and the number of applications using the telephone device.

DNS Names

Performance Monitor now includes support for long filenames of up to 260 characters. This lets you enter full Domain Name System pathnames in the Computer field for remote monitoring.


Unicode Characters

Performance Monitor will now display instances named in 16-bit Unicode characters, including Kanji.

Warning Enabling Performance Monitor to read Unicode characters increases its overhead by approximately 0.65% on an Intel 486 processor.

To measure the overhead on your computer, log Process: % Processor Time for the Perfmon.exe process for 3 minutes, then change the Registry to enable Unicode process names, repeat the test, and compare the results.

To enable Performance Monitor to read Unicode characters, edit the Registry by using a Registry Editor, such as Regedt32.exe. Add the CollectUnicodeProcessNames value entry, then set it to 1. Restart the computer to make it effective.

Subtree: HKEY_LOCAL_MACHINE

Key: \Software\Microsoft\WindowsNT\CurrentVersion\Perflib

Name: CollectUnicodeProcessNames

Type: REG_DWORD

Values:

  0  Get ANSI names from process header (8 bit only)

  1  Get Unicode process names from executable program file (16-bit)

New Counter Type

Difference counters display the change in value between the last two measurements. Performance Monitor can now interpret and display the positive differences reported by these counters.

Performance Monitor doesn't include any Difference counters in its basic set, but other applications using Performance Monitor might, and you can create them for your applications. For information on writing performance counters, see the Win32 Software Development Kit.

New Troubleshooting Features

Four new troubleshooting options are available to Performance Monitor users:

  • You can configure Performance Monitor to log an error to the Event Viewer application event log when it fails to retrieve data or gets unreadable or uninterpretable data. This is recommended for frequent users of Performance Monitor.

  • You can configure the Performance Library to log its errors to the Event Viewer application event log and you can control the level of detail that it logs. Performance Library functions are the data source for Performance Monitor.

  • You can also determine the extent to which Performance Library tests the data buffers of extensible counters. This is recommended for users and developers of extensible counters.

  • With Windows NT 4.0, the Performance Library now times the Open procedure call of extensible counters and writes an error to the application event log when a time threshold is exceeded. This helps you identify counter problems that might otherwise prevent remote users from logging on to the computer.

For more information, see "Troubleshooting Features" later in this chapter.

Getting Started


Performance Monitor lets you:

  • View data from multiple computers simultaneously.

  • See how changes you make affect the computer.

  • Change charts of current activity while viewing them.

  • Export Performance Monitor data to spreadsheets or database programs, or use it as raw input for C programs.

  • Trigger a program or procedure, or send notices when a threshold is exceeded.

  • Log data about various objects from different computers over time. You can use these log files to record typical resource use, monitor a problem, or help in capacity planning.

  • Combine selected sections of several log files into a long-term archive.

  • Report on current activity or trends over time.

  • Save different combinations of counter and option settings for quick starts and changes.

Performance Monitor is designed as a horizontal screening tool that shows a broad view of the computer's performance. In simpler cases, it might fully identify a problem. More often, you will use it to indicate which specialized tool, such as a profiler, a working set monitor, or a network analyzer, to use next.

The next sections provide some tips for using Performance Monitor. For specific instructions, see Performance Monitor Help.

Starting and Setting Up Performance Monitor

You can start Performance Monitor from the Administrative Tools submenu on the Start menu or from the command line, but if you use it often, create a shortcut to it. You can also place it in your Startup folder to start when you log on or create a batch file to start one or many copies of Performance Monitor on different computers in your network.

When you use Performance Monitor, you select object counters and options to customize each of the four Performance Monitor views: Chart, Log, Report and Alert. You can save these counter and option settings to a file and design different settings files for all of your monitoring tasks.

Note Background startup activities and network traffic can interfere with testing. Unless you are testing how your computer starts Windows NT, wait until the computer settles before testing. Also, disconnect the computer from the network if you are not testing network activity. Network drivers might respond to network events even if they are not directed to your computer.

You can save settings for one view or save a group of view settings in a workspace. This table shows the file extensions associated with each view:

| View | Settings File Extension |
| --- | --- |
| Alert | .pma |
| Chart | .pmc |
| Log | .pml |
| Report | .pmr |
| Workspace | .pmw |

You can start Performance Monitor with a settings file or open the settings file after you start. If you don't specify a settings file, Performance Monitor looks for default chart file settings in \Winnt40\system32\_Default.pmc. You can use only one settings file of each type at a time, but you can open multiple copies of Performance Monitor and use a different settings file or workspace with each.

You can also edit the settings file using the Setedit utility included on the CD-ROM with this book. For more information on Setedit, see Rktools.hlp.

When you start Performance Monitor from a batch file or from the command line, you can specify one or more settings files listing the counters and options for each view. For example:

C:\> perfmon settings.pmc cachelog.pml

You can also specify a computer name in addition to, or instead of, a settings file. For example:

C:\> perfmon \\paris1 

– Or –

C:\> perfmon settings.pmw \\issaquah

This computer will then appear as the default computer when you click the Add To command or Add counter button.

When you start Performance Monitor from a menu or shortcut, use the Performance Monitor File menu to open a settings file, or just drag the icon for a settings file from My Computer, Windows Explorer, or File Manager (Winfile.exe) onto the Performance Monitor icon or shortcut.

You can also create a shortcut to a settings file, or several shortcuts to settings files for different instances of Performance Monitor.

Objects and Instances

Performance Monitor measures the behavior of objects in your computer. The objects represent threads and processes, sections of shared memory, and physical devices. Performance Monitor collects data on activity, demand, and space used by the objects. Some objects always appear in Performance Monitor; others appear only if the service or process is running. Table 10.1 shows the objects that always appear when you run Windows NT 4.0 Server or Workstation.

| Object name | Description |
| --- | --- |
| Cache | The file system cache is an area of physical memory that holds recently used data. |
| Logical Disk | Disk partitions and other logical views of disk space |
| Memory | Random-access memory used to store code and data |
| Objects | Certain system software objects |
| Paging File | File used to back up virtual memory allocations |
| Physical Disk | Hardware disk unit (spindle or RAID device) |
| Process | Software object that represents a running program |
| Processor | Hardware unit that executes program instructions |
| Redirector | File system that diverts file requests to network servers |
| System | Counters that apply to all system hardware and software |
| Thread | The part of a process that uses the processor |

Each instance of an object represents a component of the system. When the computer being monitored has more than one component of the same object type, Performance Monitor displays multiple instances of the object in the Instance box of the Add to Chart (View, Log, or Report) dialog box. It also displays the _Total instance, which represents a sum of the values for all instances of the object.

For example, if a computer has multiple physical disks, there will be multiple instances of the Physical Disk object in the Add to Chart dialog box. This dialog box shows two instances of physical disks and a _Total instance. You can monitor the same or a different set of counters for each instance of an object.


All counters for an object have the same instances. Sometimes, however, the instances just don't make sense for a particular counter. For example, the totals of ordinal numbers, like _Total of Process: Process ID or Thread: Thread State, have no meaning. If you add them to your view, Performance Monitor displays the values as zeros.

Many of the instances you see are associated with Windows NT operating system processes. For more information about these processes, see "System Objects and Processes" in Chapter 9, "The Art of Performance Monitoring."

Only 32-bit processes appear in the Instances box. Active 16-bit processes appear as threads running in a Windows NT Virtual DOS Machine (NTVDM) process. However, you can run each 16-bit application in a separate NTVDM process to make monitoring easier. For more information, see "Monitoring 16-bit Windows Applications," and "Monitoring MS-DOS Applications" in Chapter 9, "The Art of Performance Monitoring."

Note Only active instances appear in the Instances box. A process must be started before you can see it in Performance Monitor. If you are charting logged data, only processes that were active when you began logging appear in the Instances box.

To chart a process that started during logging, use the Time Window to move the beginning point to a time after the process was started. The process will then appear in the Instances box. Once you select it, you can expand the Time Window to include the whole log and the process will remain selected.

Some objects are parts of other objects or are dependent upon other objects. The instances of these related objects are shown in the Instances box in the following format:

Parent object ==> Child object

where the child object is part of or is dependent upon the parent object. This makes it easier to identify the object.

For example, each logical partition of a disk is shown as the child of a parent physical disk.


In this example, two physical disks, 0 and 1, are each divided into two logical disks. The instances box shows that logical disks C and G are partitions of physical disk 0, and logical disks D and E are partitions of physical disk 1.

Performance Monitor Counters

Performance Monitor doesn't really count anything. Its counters collect, average, and display data from internal counters by using the Windows NT Registry and the Performance Library DLLs. The internal counters are part of the computer hardware.

Performance Monitor collects data on various aspects of hardware and software performance, such as use, demand, and available space. You activate a Performance Monitor counter by adding it to a chart or report or by adding an object to a log. Performance Monitor begins collecting data immediately.

Note When you select a counter in any view, Performance Monitor collects data for all counters of that object, but displays only the one you select. This causes only minimal overhead, because most of Performance Monitor's overhead results from the display.

This book refers to counters by associating them with an object in the following format:

Object: Counter 

For example, the % Processor Time counter of the Process object would appear as

Process: % Processor Time 

to distinguish it from Processor: % Processor Time or Thread: % Processor Time.

Tip Click the Explain button in the Add To dialog box to display the definition for each counter. The Explain button works only when you are monitoring current activity, not logs.

There are three types of counters:

  • Instantaneous counters display the most recent measurement.

    For example, Process: Thread Count displays the number of threads found in the most recent measurement.

  • Averaging counters, whose names include per second or percent, measure a value over time and display the average of the last two measurements. When you start these counters, you must wait for the second measurement to be taken before any values are displayed.

    For example, Memory: Pages/sec shows the average number of memory pages found in the last two reads during the second measured.

  • Difference counters subtract the last measurement from the previous one and display the difference if it is positive.

    Performance Monitor doesn't include any difference counters in its basic set, but they might be included in other applications that use Performance Monitor, and you can write them yourself. For information on writing performance counters, see the Win32 Software Development Kit.
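How the three counter types turn raw samples into displayed values, as an added Python example that is not from the original chapter or from the Performance Library. The raw-sample model (a time in seconds plus a raw value, with averaging counters fed a cumulative count) and the newest-minus-previous direction for difference counters are assumptions made for illustration.

```python
from collections import deque


class DisplayCounter:
    """Model of how a counter type derives its displayed value."""

    KINDS = ("instantaneous", "averaging", "difference")

    def __init__(self, name, kind):
        if kind not in self.KINDS:
            raise ValueError("unknown counter type: %r" % kind)
        self.name = name
        self.kind = kind
        # Only the last two measurements are ever needed for display.
        self._last_two = deque(maxlen=2)

    def sample(self, seconds, raw):
        """Record one measurement and return the value that would be shown."""
        self._last_two.append((seconds, raw))
        return self.display()

    def display(self):
        if not self._last_two:
            return None
        t1, v1 = self._last_two[-1]
        if self.kind == "instantaneous":
            # The most recent measurement, shown as-is.
            return v1
        if len(self._last_two) < 2:
            # Nothing can be displayed until the second measurement arrives.
            return None
        t0, v0 = self._last_two[0]
        if self.kind == "averaging":
            elapsed = t1 - t0
            if elapsed <= 0:
                return None  # guard against duplicate or reordered samples
            # Assumed model: change in a cumulative count per second elapsed.
            return (v1 - v0) / elapsed
        # Difference counter: only positive differences are displayed.
        diff = v1 - v0
        return diff if diff > 0 else 0


def replay(kind, samples):
    """Feed constructed (seconds, raw) samples and collect displayed values."""
    counter = DisplayCounter("example", kind)
    return [counter.sample(t, raw) for t, raw in samples]


if __name__ == "__main__":
    # Constructed samples, taken at a 5-second update interval.
    print(replay("instantaneous", [(0, 7), (5, 9), (10, 8)]))
    print(replay("averaging", [(0, 1000), (5, 1250), (10, 1300)]))
    print(replay("difference", [(0, 40), (5, 55), (10, 50)]))
```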

Some hardware and applications designed for Windows NT come with their own counters. Many of these extensible counters are installed automatically with the product, but some are installed separately. In addition, there are a few specialized counters on the Windows NT Resource Kit 4.0 CD that you can install. See your product documentation and Performance Monitor Help for detailed instructions on adding extensible counters.

Creating an Overview File

When you first start using Performance Monitor, the number of performance counters might seem overwhelming. It's not necessary to be familiar with all of the performance counters. Some are appropriate only for programmers writing Windows NT–based applications; others are useful for vendors who need to test hardware performance. Later chapters in this section recommend certain counters to diagnose problems on each component of your computer.

Begin by logging the Logical Disk, Memory, Process, Processor, System, and Thread objects. Run the log for at least a few days at an Update Interval of 60 seconds. Then, chart the results.

Create a chart settings file with counters that give you a broad view of your system. The default counters are a good starting point. When you open the Add To box, the Processor: % Processor Time counter is selected because this counter is used most often. Each object has a default counter which is highlighted when you select the object. These counters were selected as defaults because they are excellent indicators of the object's activity.

The following table shows the default counter for the most commonly monitored objects.

| Object | Default Counter | Description |
| --- | --- | --- |
| Cache | Data Map Hits % | How often requested data is found in the cache. This is an indicator of application I/O. A poor cache hit rate may indicate a memory shortage. |
| Logical Disk | Avg. Disk Queue Length | A measure of the activity of each logical partition of the disk. An Avg. Disk Queue Length of 1.0 indicates that the logical disk was busy for the entire sample time. Busy time includes all processing time for a disk I/O request, including driver time and time in the queue, so values for a single logical disk may exceed 1.0. Sustained high values over time indicate a possible disk bottleneck. |
| Memory | Pages/sec | The number of pages moved between main memory and the disk drives in each second. If this counter is consistently high, memory is in short supply. Sustained paging degrades performance. |
| Objects | Processes | An instantaneous count of the number of processes running. When charted with Processor: % Processor Time, it shows the effect on the processor of adding and removing processes. |
| Physical Disk | Avg. Disk Queue Length | A measure of the activity of the disk subsystem. It is the sum of Avg. Disk Queue Length for all logical partitions of the disk. This is a good measure of disk activity when measuring multiple physical disks in a disk set. |
| Process | % Processor Time | A measure of each process's use of the processor. |
| Processor | % Processor Time | A good indicator of the demand for and efficiency of a processor. |
| System | % Total Processor Time | Include this counter to monitor multiprocessor systems. It combines the average processor usage of all processors into a single counter. |
| Thread | % Processor Time | Threads are the components of a process that execute its code on the processor. This counter indicates which threads are getting processor time. |

You should also include counters to monitor network throughput. The counters you choose depend upon your network protocol and whether the computer is primarily a client, a server, or both. NetBIOS: Bytes Total/sec for NWLink or Network Interface: Bytes Total/sec for TCPIP/SNMP are good overview counters.

If the computer is primarily a server, include Server: Bytes Total/sec to monitor network activity. You might also want to include Server: Context Blocks Queued/sec and System: Total Interrupts/sec.

You should also include a few alerts in the overview settings to notify you if Logical Disk: % Free Space, or Memory: Available Bytes falls below 20%, or if System: Processor Queue Length exceeds 3.

Save these counters in a workspace settings file, like Overview.pmw, so you can start them easily. They will provide a broad view of the performance of your computer.

Customizing Your Display

You can minimize the Performance Monitor display to keep it handy without cluttering up your work. This is a great way to monitor an application while using it or to watch several copies of Performance Monitor at once.

Use the Options menu to remove the Toolbar, Status Bar, Title Bar, Value Bar, Vertical Labels and Legend. Select the Always on Top option, and then shrink the window. Use hot keys to control the window, or double-click to display the title bar and menus.


In this figure, two copies of Performance Monitor are running; one displaying a graph, the other, a report. The Excel spreadsheet displays data exported to it from Performance Monitor.

There are several reasons to start more than one copy of Performance Monitor:

  • To monitor data from more than one computer

  • To compare a current activity to logged activity

  • To divide a busy chart into two or more readable charts

  • To log data to two separate log files

  • To peek at a running log file

Important Opening a log that is collecting data will stop the log and clear all counter settings. You can't peek at the log from chart or report view because the views share the same data source. Changing the Data From option affects all views, even the running log.

To peek at a running log, start a second copy of Performance Monitor, and set Data From to the running log. You can chart or report on all data logged until the time you open it. Newly collected data will not be added to your snapshot of the log file.

Although each copy has its own overhead, it might be worthwhile to get the data you need. You can also measure the overhead of the Performance Monitor process, Perfmon.exe, and subtract it from your results. You can also run Performance Monitor on a different workstation and chart the log files over a network.

The readability of charts is also improved by reducing the vertical maximum and/or increasing scale values. This will make small values easier to see.

Histograms, an alternative to the line charts, also simplify complex charts, especially ones with many instances of the same counter. Just click the Histogram button in Chart Options.

Running Performance Monitor


No matter which view you choose (Chart, Alert, Report, or Log), there are standard features built in to make Performance Monitor more flexible. From your computer, or another computer on the network, you can:

  • Use the Update Interval to determine how often performance is measured. There is a tradeoff between the precision of the data and Performance Monitor overhead.

  • Use the PRINTSCREEN key to save a bitmapped image of the Performance Monitor screen. You can then print it or insert it in a document.

  • Clear the display, delete a counter, or delete the full screen.

  • Export the data in a tab delimited (.tsv) or comma delimited (.csv) text file to a spreadsheet or database program.

For specific instructions on these topics, see Performance Monitor Help.

Charting Current Activity

Customized charts that monitor the current performance of selected counters and instances are useful when:

  • investigating why a computer or application is slow or inefficient.

  • continuously monitoring systems to find intermittent performance problems.

  • discovering why you need to increase capacity.

For specific instructions on using the chart view, opening an existing chart settings file, and creating a new blank chart, see the "Working with Charts" topic in Performance Monitor Help.

Adding Counters to a Chart

Different graphs require different settings. Creating charts to reflect these different requirements is a simple matter of selecting the computer to be monitored and adding the appropriate objects, counters, and instances. You can then save these selections under a filename for viewing whenever you want an update on their performance.

To enhance the readability of graphs, vary the scale of the displayed information and the color, width, and style of the line for each counter as you add it to the chart. You can also modify these properties after you add a selection.

The following table shows which options can be changed by editing the chart line:

| Option | Description |
| --- | --- |
| Color | Use colors to distinguish lines in a graph from each other. |
| Scale | Change the scale at which the information is displayed. The numbers shown in the value bar are not scaled. |
| Width | Make the line thicker or thinner. Thick lines, however, cannot be styled. This is especially useful to distinguish a line in a graph when it will be printed or displayed in black and white. |
| Style | Make a graph line dashed or dotted. This only works on the thinnest lines. |

You can change the scale of any displayed value to make it easier to see in a chart or to allow you to compare it with another value. The scale factor is applied to all currently selected counters. The factor displayed is multiplied by the counter value, and the product is charted. Note, however, that the value bar continues to show the actual value, not the scaled value.

You can also change the vertical maximum on a graph to make very large or small values noticeable. This often reveals details of a curve that are hidden when the line is compressed on one axis.

Highlighting changes the line selected in a Performance Monitor chart legend to a thick white line for easy viewing. As you scroll through the legend the highlight moves with you. To toggle highlighting on and off, press CTRL+H.

For specific instructions on adding selections to a chart and saving chart selections in a settings file, see the "Adding Chart Selections" topic in Performance Monitor Help.

For specific instructions on changing how a selected counter is represented on the chart, see the "Changing Chart Selections" topic in Performance Monitor Help.

Using Chart Options

By using Chart Options you can customize your charts and change the method used for updating the chart values. Click Chart on the Options menu, or click the Options button on the toolbar to see the Chart Options dialog box. From here you can:

  • Choose whether to display or hide horizontal and vertical grid lines, vertical labels, the value bar, and the legend and legend-information area.

  • Change the vertical maximum value of the displayed graph labels and the time interval used for graphing the information from the counters. The chosen graph-time interval is reflected in the value bar, which also displays the last, average, minimum, and maximum values for the data visible on the chart.

  • Change the display from a line graph to a histogram. This is useful for viewing the behavior of many instances of the same object.

For specific instructions on how to change chart options, see the "Changing the Chart Options" topic in Performance Monitor Help.

Setting Alerts on Current Activity

The Alert view enables you to continue working while Performance Monitor tracks events and notifies you as requested. Use it to create an alert log that monitors the current performance of selected counters and instances for objects on Windows NT.

With the alert log you can monitor several counters at the same time. When a counter exceeds a given value, the date and time of the event are recorded in the Alert view. One thousand events are recorded, after which the oldest event is discarded when the next new one is added. An event can also generate a network alert. When an event occurs, you can have a specified program run every time or just the first time that it occurs.

Note You cannot set alerts on two conditions of the same counter for the same instance. For example, you cannot set an alert to be triggered when Processor: % Processor Time on a single processor exceeds 90% and another to be triggered when it falls below 30%.

Also, you cannot set an alert on more than one instance of an object with the same name. For example, if you are running two processes with the same name, you can only set an alert for the first instance of the process. Both instances will appear in the Instances box, but only data collected from the first instance will trigger the alert.

For specific instructions on using the Alert view, opening an existing alert log settings file, and creating a new alert log file, see "Working with Alerts" in Performance Monitor Help.

Adding Counters in the Alert View

You can create alert logs to warn yourself about problems in different situations. You can then save these selections under a filename and reuse them when you want to see if the problems have been fixed.

Adding counters in Alert view is similar to adding counters in other views. However, when you set an alert, you specify under what conditions an alert is logged by choosing to have an alert logged if any counter is over or under a value you specify. You can also have Performance Monitor run a program either the first time or every time the alert is logged.

The alert condition applies to the value of the counter over the time interval you specify. The default time interval is 5 seconds. If you set an alert on Memory: Pages/sec > 50 using the default time interval, the average paging rate for a 5-second period has to exceed 50 per second before the alert is triggered.

Note When you configure Performance Monitor to run a program when an alert occurs, the program might not work properly or error messages might appear. This problem occurs because Performance Monitor passes the Alert condition, as a parameter, to the program. If a program run from Performance Monitor does not work properly, create a one line batch file that runs the program, and call the batch file from Performance Monitor.

When Performance Monitor is logging alerts, a list of your selections appears in the Alert Legend box at the bottom of the window, and Performance Monitor displays the resulting alerts in the Alert Log area.

If an alert occurs while you are not using the Alert view, an alert icon appears in the status bar showing the number of alerts that have occurred since you were last in the Alert view.

When a remote computer that is being monitored shuts down, an alert occurs and creates a comment in the alert log. Another alert occurs (with another corresponding comment) when that computer later reconnects.

For specific instructions on adding selections to an alert log and saving alert log selections in a settings file, see the "Adding Alert Selections" topic in Performance Monitor Help.

For specific instructions on how to change the way a selected counter is represented in the alert log, or to update alert log selections that have been saved in a settings file, see the "Changing Alert Selections" topic in Performance Monitor Help.

Using Alert Options

Choosing the Alert command on the Options menu enables you to specify not only the alert interval but the alert method, as well. Specify one or all of the following:

  • Switch to the Alert view

  • Log the event in the Event Viewer Application log

  • Send a network alert message to yourself or someone else

Note To send a network alert message to yourself or to someone else, the Messenger Service must already be started and the net name must already be defined on the recipient's computer.

For specific instructions on how to change alert options, see the "Changing the Alert Options" topic in Performance Monitor Help. For more information on starting the Messenger Service or adding a net name, type net start messenger /? and net name /?.

Creating Reports

The Report view lets you display constantly changing counter and instance values for selected objects. Values appear in columns for each instance. You can adjust report intervals, print snapshots, and export data. Reports of averaged counters show the average value during the Time Window interval. Reports of instantaneous counters show the value at the end of the Time Window interval.

For specific instructions on using the Report view, opening an existing report settings file, or creating a new blank report file, see the "Working with Reports" topic in Performance Monitor Help.

Using Report Selections and Options

Creating reports using current activity can help you gain a better understanding of object behavior:

  • Create a report on all the counters for a given object and then watch them change under various loads.

  • Create reports to reflect the same information that you are charting or to monitor other specific situations. Then save these selections under a filename and reuse them when you need an update on the same information.

After you add selections to a report, your selections, listed by computer and object, appear in the report area, and Performance Monitor displays the changing values of your selections in the report.

For specific instructions on how to add objects, counters, and instances to a report or to save report selections in a settings file, see the "Adding to a Report" topic in Performance Monitor Help.

For specific instructions on how to change the reporting time interval, see the "Changing the Report" topic in Performance Monitor Help.

Logging Current Activity

Logging records information on the current activity of selected objects and computers for later viewing. You can also collect data from multiple systems into a single log file. Log files contain detailed data for detecting performance problems or for other detailed analysis. For capacity planning, logging lets you view trends over a long period and append or relog files. You can chart, report on, or export log file data to compare files or examine patterns.

Important Opening a log that is collecting data will stop the log and clear all counter settings. You can't peek at the log from chart or report view because the views share the same data source. Changing Data From affects all views, even the running log.

To peek at a running log, start a second copy of Performance Monitor, and set Data From to the running log. You can chart or report on all data logged until the time you open it. Newly collected data will not be added to your snapshot of the log file.

Setting Logging Options

Log view has a display area for listing objects and their corresponding computers you selected with the Add To Log command on the Edit menu. All counters and instances are logged for a selected object.

Choose the Log command on the Options menu to fill in or change the information shown in the gray boxes in the Log view, to start or stop logging, and to change the method used for updating the log values.

The Log view displays a list of objects and computers along with the current file size and the following items that you can specify in the Log Options dialog box:

  • Complete path and name of the log file

  • Log Interval in seconds, from 1 to 3600 seconds (1 hour)

  • Status, either Collecting or Closed

After you start logging, a log symbol with the changing total file size appears on the right side of the status bar and remains there in all four views.

Notice also that when a remote computer from which you are logging data shuts down, a bookmark comment is added to the log file. Another bookmark comment is added when that computer later reconnects and logging starts again.

For specific instructions on how to change log options or start or stop logging, see the "Working with Information from Log Files" topic in Performance Monitor Help.

For specific instructions on adding selections for logging or saving your log selection settings, see the "Adding to a Log" topic in Performance Monitor Help.

Adding Bookmarks

Log files become more usable when you add bookmarks at various points while logging. With bookmarks you can highlight major points of interest or describe the circumstances under which the file was created and then easily return to these locations when you work with the log file. The Bookmark command becomes available when you start logging.

To add a bookmark, click Bookmark on the Options menu or click the Bookmark button on the toolbar.

Working with Input from Log Files

Log files can provide a wealth of information for troubleshooting or planning. Whereas charting, setting alerts, and creating reports on current activity provide instant feedback, working with log files enables you to track counters over a long period of time, allowing you to examine information more thoroughly and to document system behavior.

The method of analyzing data is the same, whether the source is current activity or a log file. You can still chart, report and set alerts on data. In addition, you can relog the data at the same or at a shorter interval to compress it, and you can use the Time Window to view a selected portion of the logged data.

Appending and Relogging Log Files

You can append and relog log files in several ways:

  • You can add data to an existing log file.

  • You can relog the data to another log file or to an existing log file at a different rate.

  • You can relog some or all objects in the log file at a longer time interval or change the start and stop times and relog only the data between them.

When you log current activity to an existing log file, the new data is just added to the end of the file. This lets you create a single archive file composed of multiple logs.

However, when you relog data, you can choose a new rate at which the data is collected and averaged. For example, if you collected data at a one-minute interval and relogged it at a five-minute interval, every fifth data point is collected, and the others are discarded. All minimums, maximums, and averages reflect the remaining data only, and the new log file uses only 1/5 of the disk space of the original file.

Note Data in a log must be in chronological order. If you are relogging to combine existing log files, be sure to relog them in chronological order.

To enable the Relog File button, enter a filename and select at least one counter to log. For specific instructions on how to relog an input log file, see the "Relogging Input Log Files" topic in Performance Monitor Help.

Troubleshooting Features


Windows NT 4.0 includes four new troubleshooting features that warn you when Performance Monitor or its data source, Performance Library, collects uninterpretable data, or when extensible counters threaten the operating system or session.

Tip Extensible Counter List (Exctrlst.exe), a tool on the Windows NT Resource Kit 4.0 CD in the Performance Tools group (\PerfTool\CntrTool), lists the extensible counters installed on a computer. It can be used on the local or a remote computer. For more information, see Rktools.hlp.

  • You can configure Performance Monitor to log warnings and errors to the Windows NT Event Viewer application event log when it fails to retrieve data or receives uninterpretable data. This is highly recommended for frequent users, because the event log is the only clear indicator that Performance Monitor has encountered bad data. Performance Monitor event logging is turned off by default.

  • You can also configure the Windows NT Performance Library, the source of Performance Monitor data, to log its errors to the application event log and control the detail of events logged. The default is to log errors only, but if you experience trouble with extensible counters, you might want to increase the logging level.

  • You can determine how thoroughly Performance Library tests the data buffers returned by extensible counters, and adjust this value based on your estimation of the reliability of your counters. The default is maximum testing. 

  • Performance Library now times the Open procedure calls of extensible counters and writes an error to the Event Viewer application event log if the call exceeds a time threshold. You can increase the time threshold (the default is five seconds) to prevent unnecessary logging of normal delays, or shorten it to monitor the actual time of the calls.

This section explains each of these features. The troubleshooting features of Performance Monitor reveal the importance of its data source, the Windows NT Performance Library.

The Performance Library is a dynamic-link library of functions grouped by object. To collect counter data, Performance Monitor calls the Windows NT Registry, which requests the data by using Performance Library functions. Performance Library functions request information from the Windows NT Executive, particularly from the Hardware Abstraction Layer (HAL), a platform-specific DLL. The Performance Library associates the system data with each performance object and returns data for each object to Performance Monitor.


When Performance Library fails to retrieve data or encounters data errors or invalid data, these problems become apparent only in Performance Monitor.

Logging Performance Monitor Errors

When Performance Monitor fails to get data it requests, or when it receives uninterpretable data, it displays a zero as the counter value for that request. The data request might have failed because of a malfunction or simply because the computer or application it was monitoring had stopped. Data considered uninterpretable includes negative times, negative performance values, or percentages greater than 100.

Performance Monitor does not alert the user when it gets bad data or no data. However, you can configure Performance Monitor to log these incidents to the Event Viewer application event log as errors and warnings.

Note If Performance Monitor receives no data or bad data for the Processor: % Processor Time or the System: % Total Processor Time counters, it displays 100% as the counter value, not zero. Performance Monitor actually monitors the thread of the Idle process on each processor. It calculates the difference between 100% and the percentage of time the Idle threads ran. If a request for data on an Idle thread fails, Performance Monitor assumes it is zero and displays the difference, 100%, as the counter value.

Performance Monitor logs warnings and errors when it fails to retrieve data or receives bad data, and when connections to remote computers it is monitoring are lost and restored. Performance Monitor logging is either on or off; there are no intermediate or more detailed levels.

To log Performance Monitor errors and warnings to the Event Viewer application event log, use a Registry Editor, such as Regedt32.exe. Add the ReportEventsToEventLog value entry or change its value to 1, and then restart Performance Monitor.

Subtree: HKEY_CURRENT_USER
Key: \Software\Microsoft\PerfMon
Name: ReportEventsToEventLog
Type: REG_DWORD
Values: 0, 1 (0 is the default)

After you have enabled Performance Monitor event logging and restarted the system, check the Event Viewer application event log routinely. You can use the Find or Filter Events options to display events with Source = PERFMON.

Many warnings and errors are attributable to normal and expected events such as processes or computers being stopped. Also, counters for threads are prone to uninterpretable values when the threads are stopped.

However, if Performance Monitor is logging negative time errors, there might be a problem with your HAL DLL. In the past, this has been encountered in some HALs for multiprocessor computers.

For more information on thread counters, see "Monitoring Threads and Processes."

Logging Performance Library Errors

Error events logged by the Performance Library often result from problems with extensible counters. These usually involve failures in loading or executing the functions in the DLLs for the counters.

By default, Performance Library logs errors in loading and executing extensible counters to the Event Viewer application event log, but it does not log warnings or informational messages. If you are monitoring an application using counters that did not come with Windows NT, or if you are having trouble loading or reading these counters, check the Event Viewer application log routinely. If you find errors, you can increase the logging level to show more detail.

Performance Library logging levels are:

Logging Level   Description
0               No logging.
1               Errors only. (This is the default.)
2               Errors and warnings.
3               Errors, warnings, information, and success/failure conditions.

To change the Performance Library logging level, use a Registry Editor, such as Regedt32.exe. Add the EventLogLevel value entry or change its value, and then restart Performance Monitor.

Subtree: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\WindowsNT\CurrentVersion\Performance Library
Name: EventLogLevel
Type: REG_DWORD
Values: 0, 1, 2, 3

Note Changes to the Performance Library logging level take effect on the local computer when its copy of Performance Monitor is restarted. If remote computers are monitoring the system, then the local computer needs to be restarted or remote sessions need to be restarted to see the change.

Check the Application Event Log routinely. You can use the Find or Filter Events options to display events with Source = PERFLIB.

If you encounter errors with extensible counters, consult the provider.

Testing Extensible Counter Buffers

The functions in extensible counters might return inconsistent or unreadable data buffers to Performance Library. At a minimum, this could result in invalid counter values; at its worst, it could cause the operating system to stop. Thus, by default, Performance Library tests these data buffers thoroughly for errors and internal consistency. However, these tests have some overhead, so Windows NT lets you reduce the level of testing.

If you are not using extensible counters or if your extensible counters have been proven to be reliable, reducing the test level will reduce the processor load. If, however, you install a new product with performance counters, or if the system is being used to develop or test extensible counters, you can increase the test level.

Performance Library has three levels for testing the data buffers returned by functions of extensible counters. Note that 1 represents the highest level and 3 represents the lowest level.

Test level   Description
1            Thorough testing of buffer pointers and contents. (This is the default.)
2            Minimal testing of overall buffer length and pointers, but not of contents.
3            No testing.

To adjust the test level, use a Registry Editor, such as Regedt32.exe, to add or change the ExtCounterTestLevel value entry, and then restart Performance Monitor.

Subtree: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\WindowsNT\CurrentVersion\Perflib
Name: ExtCounterTestLevel
Type: REG_DWORD
Values: 1, 2, 3

Check the Application Event Log routinely. You can use the Find or Filter Events options to display events with Source = PERFLIB.

If you encounter errors with extensible counters, consult the provider.

Timing Extensible Counters

Windows NT 4.0 Performance Library now times the Open procedure call of all extensible counters and writes an error to the Event Viewer application event log if the call time exceeds a threshold. The log entry helps you to identify counters that may be delaying or locking Performance Monitor during initialization. While the open call proceeds, local users cannot use Performance Monitor and remote users cannot log on to the affected computer. Usually this takes just a few milliseconds.

Tip Extensible Counter List (Exctrlst.exe), a tool on the Windows NT Resource Kit 4.0 CD in the Performance Tools group (\PerfTool\CntrTool), displays the names of the Open, Collect, and Close procedure calls of the extensible counters installed on a computer. For more information, see Rktools.hlp.

You can adjust the time threshold to allow more time for slower calls that are not in error. Only the Open calls of extensible counters are timed. Standard Performance Monitor counters and other calls to extensible counter functions are not affected.

To change the time threshold, use a Registry Editor, such as Regedt32, to add or change the OpenProcedureWaitTime value entry in the Registry, and then restart the computer.

Subtree: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\WindowsNT\CurrentVersion\Perflib
Name: OpenProcedureWaitTime
Type: REG_DWORD
Values: 0 - 4 billion, in milliseconds. The default is 5000 milliseconds (5 seconds).

Remember to check the Event Viewer application event log for errors and to clear the log periodically to save space on the disk.
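The four troubleshooting entries described in this section can be reviewed together from a registry export. The following is an added example, not part of the original chapter or of any Microsoft tool: it parses a constructed sample in REGEDIT4 export syntax and reports each entry whose effective value (the stated default when the entry is absent) turns off logging, reduces buffer testing, or raises the Open call threshold. The sample text, function names, and finding messages are assumptions; key paths and value names are spelled as they appear above.

```python
import re

# Constructed sample in REGEDIT4 export syntax. Key paths are spelled as on this page.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\PerfMon]
"ReportEventsToEventLog"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Perflib]
"ExtCounterTestLevel"=dword:00000003
"OpenProcedureWaitTime"=dword:00007530
"TotalInstanceName"="_Total"

[HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Performance Library]
"EventLogLevel"=dword:00000000
'''

PERFMON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\PerfMon"
PERFLIB_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Perflib"
PERFLIB_LOG_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT"
                   r"\CurrentVersion\Performance Library")

# (key, value name, default when absent, acceptable-value test, finding text).
# Defaults and value ranges are the ones stated in this section.
CHECKS = [
    (PERFMON_KEY, "ReportEventsToEventLog", 0, lambda v: v == 1,
     "Performance Monitor does not log bad or missing data to the event log"),
    (PERFLIB_LOG_KEY, "EventLogLevel", 1, lambda v: 1 <= v <= 3,
     "Performance Library error logging is off or out of range"),
    (PERFLIB_KEY, "ExtCounterTestLevel", 1, lambda v: v == 1,
     "extensible counter buffers are not tested thoroughly"),
    (PERFLIB_KEY, "OpenProcedureWaitTime", 5000, lambda v: v <= 5000,
     "Open calls slower than the 5-second default can go unlogged"),
]

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {key path (lowercase): {value name (lowercase): int}} for dword values."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = values.setdefault(line[1:-1].lower(), {})
            continue
        match = DWORD_RE.match(line)
        if match and current is not None:
            current[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit(export_text):
    """Return (value name, effective value, finding) for every check that fails."""
    values = parse_reg_export(export_text)
    findings = []
    for key, name, default, is_ok, message in CHECKS:
        # An absent entry means the documented default is in effect.
        effective = values.get(key.lower(), {}).get(name.lower(), default)
        if not is_ok(effective):
            findings.append((name, effective, message))
    return findings


if __name__ == "__main__":
    for name, value, message in audit(SAMPLE_EXPORT):
        print("%s = %d: %s" % (name, value, message))
```

An export with none of the entries present yields one finding, because Performance Monitor event logging is off by default while the other three defaults are the strictest settings.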

Mastering Performance Monitor


Work with Performance Monitor for a few days. Create a few workspace and settings files, and watch the counters. Soon you'll have a better feel for your computer's performance and for Performance Monitor. Then, it's time to explore Performance Monitor's more advanced features.

One of the best features is that you can run multiple copies of Performance Monitor on the same computer at the same time. Simply click the Performance Monitor icon, or your shortcut to it, again. Each time you click it, you get another copy of Performance Monitor:

  • You can log data to only one log file with each copy of Performance Monitor, but you can chart or report on a single log file with multiple copies of Performance Monitor.

  • You can have one copy measuring current activity, and another copy logging it.

  • You can chart logged data in one copy and report on it in another.

  • You can drag the icon for the same setting file to multiple copies of Performance Monitor.

This section describes the fine points of using Performance Monitor and will help you discover its range and its limitations.

Performance Monitor Limitations

As you use Performance Monitor and other monitoring tools, remember their limitations. Understanding the range and resolution of your tools is essential to accurate diagnosis.

Counter Limits

It's important to know just what your counters are counting. In each section of this book, we try to mention how the counters measure as well as what they measure. This information is important, especially when you are interpreting suspicious data or getting inconsistent results.

Update Interval

The Update Interval you select on the Options dialog box is designed to determine how often Performance Monitor measures counter values. However, Performance Monitor is just another application contending for processor time. On a busy computer, Performance Monitor might be competing with higher priority threads for access to the processor and might not be able to update the counters as frequently as you choose.

If Performance Monitor appears to be updating less frequently, chart the Process: % Processor Time or Process: Priority Base counters on all processes, including the Performance Monitor process, Perfmon.exe. Look for processes with high priorities or those getting a disproportionate share of processor time. These might be preventing Performance Monitor from updating at the rate you chose. Performance Monitor runs at an elevated base priority to make sure it can monitor under most circumstances, but it can get locked out like any other process. If necessary, you can use Task Manager to increase the base priority class of Perfmon.exe. For more information, see "Changing the Base Priority Class" in Chapter 11, "Performance Monitoring Tools."

Compound Problems

It is difficult to detect multiple bottlenecks in a system. You might spend several days testing and retesting to identify and eliminate a bottleneck, only to find that another appears in its place. Only thorough and patient testing of all elements can assure that you have found all of the problems.

It is not unusual to trace a performance problem to multiple sources. Poor response time on a workstation is most likely to result from memory and processor problems. Servers are more susceptible to disk and network problems.

Also, problems in one component might be the result of problems in another component, not the cause. For example, when memory is scarce, the system begins moving pages of code and data between disks and physical memory. The memory shortage is manifest in increased disk and processor use, but the problem is memory, not the processor or disk.

Lack of memory is by far the most common cause of serious performance problems in computer systems. If you suspect other problems, check Memory: Pages/sec to make sure a memory shortage is not appearing in another guise.

Monitoring Processes and Threads

Monitoring processes and threads is an essential part of tuning software performance and understanding how applications affect your hardware. However, some Performance Monitor counter values might be invalid if the threads or processes are stopping and starting while Performance Monitor is watching.

When processes with the same name start and stop, Performance Monitor sometimes mistakes them for a single process and combines the data for different processes into a single graph or report line. Threads are even more prone to mistaken identity and combination, because Performance Monitor knows them only by their thread number, a number which only indicates the order in which the threads started.

Fortunately, you can recognize and eliminate errant values from your data:

  • Include the Process ID and Thread ID counters in graphs of your data. These are ordinal numbers assigned to processes and threads when they start, and which remain with them until they stop. If the line representing the ID is not straight, it means that data for more than one process is combined.

  • When monitoring processes and threads, watch for spikes in the data. These spikes sometimes appear when Performance Monitor monitors the start of a process. They are an artifact of monitoring and do not represent valid values for the Performance Monitor counters.

  • Always chart the data in a line graph first, even if you are preparing a report. Reports and histograms show last values and averages, which might hide a spike.

  • Use the Performance Monitor Time Window to eliminate spikes from your data and to separate the data for different processes or threads from a single data line. For more details, see "The Time Window" later in this chapter.

Monitoring Processes

It is important to recognize when Performance Monitor has combined processes and to distinguish the values for each process from values for the others. Also, you must recognize and eliminate invalid data spikes which sometimes occur when you start a monitored process.

Data for the following graph was collected by starting Microsoft Word, stopping it, then starting it again. The thick line, representing Process ID, shows that the process ID changed (from 126 to 114). Because Process IDs do not change while a process is executing, this indicates that data from two different processes are represented in the same line. A graph of Process ID data is straight unless it represents data from more than one process.


The thin line, representing page fault rates for the Microsoft Word process, Winword.exe, has two large spikes of unusually high values, as reflected in the status bar. These spikes don't represent page faults; they happen when processes with the same name stop and start.

Performance Monitor counters that measure rates/second or percentages actually display the change in value of an ever increasing internal counter associated with each object. When a process stops, the internal counter drops to zero and the change, as reported to Performance Monitor, is the absolute value of the largest long integer the computer's memory holds. Performance Monitor politely displays a zero.

However, when a new process starts, the difference between this huge number and the new thread value is displayed, causing the high value. The next value, the average of the last two, falls back to a more reasonable number.

The high values are not valid, nor are averages that include them. You can use the Performance Monitor Time Window, described later in this chapter, to exclude them from your sample. The remaining data is valid, but you might want to separate the data for the first process from data for the second process.

Monitoring Threads

Threads don't have names. They have thread numbers and Thread IDs. Performance Monitor collects and displays data on threads by process name and thread number. The thread number just indicates the order in which the threads started, beginning with 0. When a thread stops, the thread numbers of all of the threads behind it move up. For example, if a process has two threads, numbered 0 and 1, and thread 0 stops, thread 1 becomes thread 0. If Performance Monitor is watching, the counts for thread 0 now include data from both the old thread 0 and the new one.

Note Do not confuse the terms used to identify threads and processes. Here are some descriptions to help you distinguish among them.

  • Thread number is an ordinal number assigned to threads in a process to show the order in which the thread started. A thread's thread number changes when threads with lower numbers stop, because the thread numbers of all later threads move up to fill in the gap.

  • Thread ID is also an ordinal number which has no intrinsic association with a thread, but it remains with a started thread until it stops.

  • Process ID, like Thread ID, is an ordinal number which has no intrinsic association with a process, but it is assigned to the process when it starts and remains with it until it stops. When the process starts again, it is just as likely to be assigned a different number.

That is what happened when data for this graph was collected.


The spikes are a warning that the context switching rates shown for the threads might be invalid. This graph also includes the system-level counter for context switches, which runs at an average of about 200 context switches per second. Since the values in the spikes of Thread #4 are higher than system totals, it is clear that the high values represent threads starting and stopping, not context switches.

A graph of Thread ID confirms this guess. Thread ID, like Process ID (but unlike thread number), is assigned to the thread by the operating system and remains with it until it stops running.


Each spike in the context switch graph coincides with a change in the Thread ID. Thread 123 is the first thread identified to Performance Monitor as Thread #4. When it stops, data from Thread 143, which used to be Thread #5, is now collected as Thread #4. When Thread 143 stops, Thread 166, formerly Thread #5, now becomes Thread #4.

These characteristic spikes are sufficient warning that some data is invalid, but they don't always appear. The following figure shows a different view of the same process.


This is a graph of Thread ID and context switches for Thread #5 of the same process. In this case, the Thread IDs change, indicating that data from more than one thread is combined. However, there are no large spikes, even though the values are multiplied by 10, because none of the threads stopped while they were being monitored.

Each time the thread in Thread #4 stops, the fifth thread becomes Thread #4 and Thread #5 inherits a thread from Thread #6. The little peaks show the difference in the values of two running threads.

Although there are no spikes, data from this graph should still be distinguished by Thread ID and the data surrounding the thread transitions should be discarded. For more information on selecting data, see "The Time Window" later in this chapter.
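The separation described in "Monitoring Processes" and "Monitoring Threads" can also be done on exported data. The following is an added example, not part of the original chapter: it computes per-interval rates from a cumulative counter, discards every interval in which the Thread ID (or Process ID) changed, and averages each thread separately. The sample values are constructed (the Thread IDs 123, 143, and 166 echo the text above); the function names and the treatment of negative changes as a displayed zero are assumptions of the sketch.

```python
from statistics import mean

# Constructed samples for the slot Performance Monitor labels "Thread #4":
# (seconds, Thread ID, cumulative context-switch count of the thread in that slot).
SAMPLES = [
    (0, 123, 1000), (5, 123, 1100), (10, 123, 1210), (15, 123, 1300),
    (20, 143, 52000), (25, 143, 52090), (30, 143, 52200),
    (35, 166, 400), (40, 166, 520), (45, 166, 610),
]
SYSTEM_RATE = 200.0  # constructed system-wide rate, the "about 200" per second above


def interval_rates(samples):
    """Return (end time, ID before, ID after, rate) for each pair of samples."""
    rates = []
    for (t0, id0, c0), (t1, id1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            # Logged data must be in chronological order.
            raise ValueError("samples must be in chronological order")
        rates.append((t1, id0, id1, (c1 - c0) / (t1 - t0)))
    return rates


def displayed_average(samples):
    """Average over every interval, with negative changes shown as zero."""
    return mean(max(rate, 0.0) for _, _, _, rate in interval_rates(samples))


def split_by_id(samples, system_rate=None):
    """Return (segments, discarded): valid rates per ID, and the dropped intervals."""
    segments = []   # [ID, [rates]] in order of appearance
    discarded = []  # (end time, reason)
    for t1, id0, id1, rate in interval_rates(samples):
        if id0 != id1:
            # The slot now holds a different thread: the change in value is meaningless.
            discarded.append((t1, "ID changed %d -> %d" % (id0, id1)))
        elif rate < 0:
            discarded.append((t1, "negative rate"))
        elif system_rate is not None and rate > system_rate:
            # A single thread cannot exceed the system-wide total.
            discarded.append((t1, "exceeds system total"))
        else:
            if not segments or segments[-1][0] != id1:
                segments.append([id1, []])
            segments[-1][1].append(rate)
    return segments, discarded


def segment_averages(samples, system_rate=None):
    """Average rate for each thread that occupied the slot, in order."""
    segments, _ = split_by_id(samples, system_rate)
    return [(thread_id, mean(rates)) for thread_id, rates in segments]


if __name__ == "__main__":
    print("average with transitions included: %.1f" % displayed_average(SAMPLES))
    for thread_id, average in segment_averages(SAMPLES, SYSTEM_RATE):
        print("Thread ID %d: %.1f context switches/sec" % (thread_id, average))
    for end_time, reason in split_by_id(SAMPLES, SYSTEM_RATE)[1]:
        print("discarded interval ending at %ds: %s" % (end_time, reason))
```

The ID comparison also catches the case shown in the Thread #5 graph, where the ID changes without producing a spike.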

Using Extensible Counters

Extensible counters are Performance Monitor counters that don't come with Windows NT. They come with other applications you run on Windows NT, or you can build them yourself with help from the Windows NT Software Developer's Kit. Extensible counters are usually installed when you install the product, but you might need to install them separately. For more information, consult the manuals that come with the product.

Tip Extensible Counter List (Exctrlst.exe), a tool on the Windows NT Resource Kit 4.0 CD in the Performance Tools group (\PerfTool\CntrTool), lists the extensible counters installed on a computer. It can be used on the local or a remote computer. For more information, see Rktools.hlp.

The Windows NT Resource Kit 4.0 CD provides some extensible counters that must be installed separately (for example, those that monitor Pentium processors). The help files for the Resource Kit CD, Rktools.hlp, explain how to install them, and the "Pentium Counters" section of this chapter describes some common uses.

Regardless of their source, extensible counters must be monitored carefully. Damaged data buffers could damage the operating system. If you use extensible counters, consult "Troubleshooting Features," earlier in this chapter.

The Time Window

The Time Window lets you view selected portions of data from your log. When you change the Time Window interval, Performance Monitor recalculates all values, including minimum, maximum, and average values to match the selected time interval. The Time Window command on the Edit menu is activated when you are working with data from a log. It is available in all four views and the time selected applies to all views.

The Time Window is essential to viewing computers, processes, and threads that are started when the log is already in progress. When you graph data from a log, only those objects active when the log starts are visible. To see data on objects started later, you must advance the Time Window to a time when the object was active. After you select counters for the object, you can re-expand the Time Window to see the whole log.

The Time Window interface simplifies the process. When you click Time Window on the Edit menu, the Input Log File Timeframe dialog box appears. Unfortunately, it appears right on top of your graph. Move it to the side so you can see both the graph and the dialog box.

When you move the left and right slider tabs on the slider bar, gray vertical lines appear on the graph to show you which part of the data occurred at that time. You can click and drag the slider tabs with your mouse or use the arrow keys for more precise control.

The arrow keys work like this:

Key                Action
[left]             Moves begin time bar [left]
Shift + [left]     Moves end time bar [left]
[right]            Moves end time bar [right]
Shift + [right]    Moves begin time bar [right]

After you have the slider tabs set to a certain time interval, for example, one minute, you can click the space between the tabs and drag the one-minute interval across the graph.

Among its other functions, the Time Window lets you

  • Limit your view of a log file to 100 points or less so no data is lost.

  • Monitor objects that started during logging.

  • Eliminate invalid data.

  • Limit your charts and reports to specific events.

  • Coordinate two copies of Performance Monitor so that they are reporting on the same data.

This section explains how to use the Time Window for precise control of Performance Monitor logs.

Recovering Lost Data Points

Charts and reports of log files are limited to 100 data points. If more data points are collected, the data is compressed to 100 points. For example, if 1000 data points are collected, Performance Monitor displays every 10th point. This loss of precision is most important when you are charting instantaneous counters.

You can narrow the Time Window to make all data points for that portion of the data visible, and then view the remainder of the data separately or in another copy of Performance Monitor.

Tip: Set the slider bar tabs to 100 data points, then click the space on the slider bar between the tabs and drag the 100-point interval to surround the parts of the graph you want to examine in more detail.

The following figure shows the Time Window being adjusted on a chart of the instantaneous counter System: Processor Queue Length. More than 100 data points were recorded, so the data is compressed. The Time Window lines bracket one section of the curve.


The following figure shows the graph that results when you narrow the Time Window to just a portion of the data. Here all of the data points in this part of the curve are visible, revealing more detail.

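The compression described in this section can be checked against exported data, because an export contains every logged point. The following Python code is an added example, not part of the original chapter or of Performance Monitor: it models the display as every k-th point, finds samples that the compressed chart hides, and proposes a 100-point Time Window around each. The sample values and the step rule k = ceil(n / 100) for sizes other than the chapter's 1000-point case are assumptions.

```python
import math

DISPLAY_LIMIT = 100  # charts and reports of logged data show at most 100 points


def displayed_indexes(n_points, limit=DISPLAY_LIMIT):
    """Indexes that survive compression, modelled as 'every k-th point'.

    The chapter gives only the 1000-point case (every 10th point); using
    k = ceil(n / limit) for other sizes is an assumption of this example.
    """
    if n_points <= limit:
        return list(range(n_points))
    step = math.ceil(n_points / limit)
    return list(range(0, n_points, step))


def hidden_peaks(values, limit=DISPLAY_LIMIT):
    """Indexes of undisplayed samples that exceed every displayed sample."""
    shown = set(displayed_indexes(len(values), limit))
    ceiling = max(values[i] for i in shown)
    return [i for i, v in enumerate(values) if i not in shown and v > ceiling]


def window_for(index, n_points, limit=DISPLAY_LIMIT):
    """First and last sample of a Time Window of at most `limit` points.

    The window is centred on `index` where the log boundaries allow it.
    """
    start = max(0, min(index - limit // 2, n_points - limit))
    return start, min(n_points, start + limit) - 1


def sample_queue_lengths():
    """Constructed data: 1000 samples of System: Processor Queue Length."""
    values = [2] * 1000
    values[440] = 6                    # falls on a displayed point
    values[437], values[438] = 14, 9   # fall between displayed points
    return values


if __name__ == "__main__":
    data = sample_queue_lengths()
    for i in hidden_peaks(data):
        first, last = window_for(i, len(data))
        print(f"sample {i} = {data[i]} is not charted; "
              f"narrow the Time Window to samples {first}-{last}")
```

For an instantaneous counter such as Processor Queue Length, the chart of the whole log peaks at 6 while the log itself holds a value of 14.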

Monitoring Objects that Start During Logging

Only active objects appear in the Instances box of Performance Monitor counters. In logged data, objects that weren't active when the log started do not appear in the Instances box until the Time Window is adjusted. In order for the object to appear as an instance, you must adjust the Time Window interval to start after the object is started. After you have selected counters for the instance, you can expand the Time Window to show the whole log, and the instance remains monitored.

Note: When monitoring threads that start and stop as the process proceeds, it is important to use the Time Window to search through the data for thread starts. Do not assume that all threads are apparent at the start of the process. After you have set at least one counter for each thread, you can expand the Time Window to show all of them.

For example, when you chart data from a log that includes the start of a process, the process does not appear in the Instances box if the Time Window interval begins before the process starts, even if the Time Window interval includes the start. When you adjust the Time Window interval to begin when the process is active, you can monitor it.


In this figure, the Time Window is adjusted to begin after the process starts so additional counters can be added. After the new counters are added, the Time Window can be expanded again.

Eliminating Invalid Data

You can use the Time Window to eliminate invalid or unwanted data from a sample. Simply set the Time Window interval to include only the data you want in your sample. All Performance Monitor statistics are recalculated to include only the data within the Time Window interval, including the data shown in averages, reports, and histograms.


In this example, data is being limited to an interval during which a single thread is active. The resulting graph, below, shows that the data spikes that skewed the previous averages are eliminated.

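The screening described in this section, and in the earlier discussion of thread transitions, can also be applied to exported data. The following Python code is an added example, not part of the original chapter or of Performance Monitor: it splits the samples of one instance slot by Thread ID, discards the samples next to each transition, and averages each thread separately. The row layout, the guard width, and the counter values are assumptions; only the thread IDs 123, 143, and 166 come from the chapter.

```python
from itertools import groupby
from statistics import mean

# Constructed sample of exported rows for the instance slot "Thread #4":
# (sample number, ID Thread, Context Switches/sec). The thread IDs follow the
# chapter's example; the counter values and the row layout are invented.
SAMPLES = [
    (0, 123, 20.0), (1, 123, 22.0), (2, 123, 21.0), (3, 123, 19.0),
    (4, 143, 900.0),   # spike where thread 143 takes over the slot
    (5, 143, 41.0), (6, 143, 39.0), (7, 143, 40.0), (8, 143, 42.0),
    (9, 166, 650.0),   # spike where thread 166 takes over the slot
    (10, 166, 11.0), (11, 166, 9.0), (12, 166, 10.0),
]


def thread_runs(samples, guard=1):
    """Split one slot's samples into runs that share a thread ID.

    `guard` samples are dropped on each side of every transition (an assumed
    margin; widen it if a spike spans several update intervals). The outer
    edges of the first and last runs are kept, since no transition occurs
    there. Runs that are too short to survive the guard are skipped.
    """
    runs = [list(rows) for _, rows in groupby(samples, key=lambda row: row[1])]
    kept = []
    for i, rows in enumerate(runs):
        lo = guard if i > 0 else 0
        hi = len(rows) - guard if i < len(runs) - 1 else len(rows)
        if lo < hi:
            kept.append(rows[lo:hi])
    return kept


def per_thread_report(samples, guard=1):
    """Return (thread ID, first sample, last sample, average) for each run.

    The first and last sample numbers are the bounds to set in the Time
    Window when the same interval is examined in Performance Monitor.
    """
    return [
        (rows[0][1], rows[0][0], rows[-1][0], mean(v for _, _, v in rows))
        for rows in thread_runs(samples, guard)
    ]


if __name__ == "__main__":
    whole_slot = mean(v for _, _, v in SAMPLES)
    print(f"average over the whole slot: {whole_slot:.1f}")
    for tid, first, last, avg in per_thread_report(SAMPLES):
        print(f"thread {tid}: samples {first}-{last}, average {avg:.1f}")
```

With the constructed data, the average over the whole slot is about 140, while no single thread averages more than 40 once the transition samples are discarded.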

Precision Graphing

The Time Window lets you limit your reports to the most significant parts of the event. For example, when reporting on averages, it's vital to exclude startup and shutdown values which might skew the averages.

The following combined graph and report represent data logged before, during, and after a test. Notice the values shown in the report and then compare them to the values shown in the report section of the next figure.


The following graph and report of the same event is limited to the test period. It was created by setting the Time Window to exclude the period before and after the test.


Coordinate Multiple Performance Monitors

The preceding figures were created by using two copies of Performance Monitor reading data from the same log file. (To open a second copy of Performance Monitor, just double-click the Performance Monitor icon again.)

The Time Window helps to assure that the two copies are reporting on the same data. Arrange the windows on the screen so that they don't overlap. Click the Time Window menu option on each, then move the slider bars so that both copies reflect the same input data. Use the arrow keys for more precise control of the slider bar.

This figure shows the Input Log File Timeframe dialog boxes of two copies of Performance Monitor being coordinated.

Use the Time Window and other features of Performance Monitor to get the views you need and the precision you demand.

Hot Keys

The following list contains the hot keys for Performance Monitor functions:

Hot Key                Function
[left] and [right]     Expand and contract the Time Window one data point at a time.
BACKSPACE or CTRL+H    Highlight current selection in legend.
CTRL+A                 Switch to Alert view.
CTRL+B                 Create bookmark.
CTRL+C                 Switch to Chart view.
CTRL+E                 Open Time Window.
CTRL+G                 Display or hide legend.
CTRL+L                 Switch to Log view.
CTRL+M                 Display or hide menu and title bars.
CTRL+O                 Open Options dialog box.
CTRL+P                 Always on top.
CTRL+R                 Switch to Report view.
CTRL+S                 Display or hide status line.
CTRL+T                 Display or hide toolbar.
CTRL+U                 Manual update now.
CTRL+W                 Save workspace.
F1                     Help.
F12                    Save settings as.
SHIFT+F12              Save settings.
CTRL+F12               Open file.
TAB or CTRL+I          Add counter to (Chart, Alert, Log, or Report).

Tips and Tricks

You might find the following Performance Monitor tips helpful. They are collected here for ease of reference.

  • Check memory first 

    Lack of memory is by far the most common cause of serious performance problems in computer systems. If you suspect other problems, check Memory: Pages/sec to make sure a memory shortage is not appearing in another guise.

  • Logging data 

    You can log data to only one log file with each copy of Performance Monitor. To log different objects to different files, open a second copy of Performance Monitor.

  • Peeking at a log file 

    Opening a log that is collecting data will stop the log and clear all counter settings. You can't peek at the log from Chart or Report view because the views share the same data source. Changing the Data From option affects all views, even the running log.

    To peek at a running log, start a second copy of Performance Monitor, and set Data From to the running log. You can chart or report on all data logged until the time you open it. Newly collected data will not be added to your snapshot of the log file.

  • Monitoring the start of a process - current activity 

    Processes and threads don't appear in Add to Chart as instances until they are started. To monitor the startup of a process or thread, start the process, select its instance in Add to Chart, and add whatever counters you'll use to monitor the startup behavior. Now, stop the process. Its counters remain on the chart and Performance Monitor continues to look for it. Start the process again. Performance Monitor recognizes any application with the same name and begins monitoring immediately.

  • Monitoring the start of a process - log file data 

    Processes and threads appear in the Instances box only if the Time Window includes the time the process was active. To monitor the logged activity of a process as it starts, move the Time Window to include the active phase of the process, add the instance, then expand the Time Window.

  • Delay in monitoring 

    When you add a counter to a chart, you'll notice a slight delay before the chart begins to draw. The averaging counters need two data points for their first value. The chart should begin after the second data point is measured.

  • Responding to alerts 

    Do not start a command-line batch file from the Alert dialog box. (The > and < signs passed to the batch file will be interpreted improperly as a redirection of stdin and stdout.) Instead, create a one-line batch file that runs the program, and call the batch file from Performance Monitor.

  • Performance Monitor overhead 

    To determine how much disk space is consumed by each Performance Monitor log update interval, choose Manual Update from the log options. Take a series of snapshots and note the change in the log file size between each snapshot. The log file size is displayed on the status bar in Log view.

    Discard the first value (because it includes an index record that makes it larger than usual), and average the other values. Performance Monitor writes an index record with counter names on the first snapshot and then every 100th snapshot thereafter.

    You can also measure the cost of monitoring particular objects by recording the change in file size while adding and deleting those objects from a chart.

    You can also monitor the Performance Monitor process by using Task Manager, PMON or PViewer, and vice versa.

  • Finding missing data 

    Logged data is displayed over 100 data points, whether shown in a chart, histogram, or report format. If the log file contains fewer than 100 data points, all are displayed. However, if it contains more, the data is compressed to show 100 points. For example, if there are 1000 data points, every 10th point is displayed. To see missing data points, shrink the Time Window until all data is displayed.

    Exporting the data will also uncover the missing data points. When you export, Performance Monitor sends all data whether it appears in the graph or not.

  • Performance Monitor settings

    The quickest way to open Performance Monitor with a settings file is to create a shortcut to the settings file and then double-click it.

    To change the settings quickly, drag the icon of a settings file to a running copy of Performance Monitor. Remember, though, if your settings file includes a log file, starting a second instance of Performance Monitor with the same settings will stop any active logging to that file by other Performance Monitor instances. Only one Performance Monitor can write to the log file at a time.

    You can also edit the settings file using the Setedit utility on the Windows NT Resource Kit CD-ROM.

  • Default settings file 

    If you don't start Performance Monitor with a settings file, it searches for the chart file, _Default.pmc. If it doesn't find it, it opens a blank Performance Monitor window. You can name your favorite settings file _Default.pmc, and it will load whenever you open a blank copy.

  • Monitoring disks 

    When testing disk performance, log Performance Monitor data to another disk or computer so that it doesn't interfere with the disk you are testing.

    When using Response Probe to test disk performance, set the FILEACCESSMODE parameter in the Thread Description file (*.scr) to UNBUFFERED. This tells the system to bypass the cache and go directly to disk. When using UNBUFFERED, remember that the number of bytes in RECORDSIZE must be a multiple of the disk sector size.

  • Interpreting zero values 

    Performance Monitor displays a value of zero when it fails to get data it requests and when it receives unreadable or meaningless data. It is hard to distinguish this error default value from actual values of zero. However, you can configure Performance Monitor to log errors to the Event Viewer application event log. For more information, see the section titled "Troubleshooting Performance Monitor."

  • Tiny footprint 

    You can minimize the Performance Monitor display to keep it handy without cluttering up your work. This is a great way to monitor an application while using it. Use the Options menu to remove the Toolbar, Status Bar, Vertical Labels and Legend, if you wish. Select the Always on Top option. Then shrink the window. Use hot keys to control the window, or double-click to display the title bar. You can save this setting and place it in your Startup group.

  • Controlling the Time Window 

    Use the left and right arrow keys to shrink and expand the Time Window in the Input Log File Timeframe dialog box. This lets you change the Time Window one data point at a time. The left arrow key controls the left button on the slider bar, and the right arrow key controls the right button. Press the arrow key alone to expand the time measured, or press SHIFT+arrow key to contract it.

Troubleshooting Performance Monitor


Here are the answers to some frequently asked questions, along with possible causes and suggested solutions.

Counter value is zero.

Possible cause: The counter for the same instance of the object already appears in the graph. When a duplicate counter is chosen, all data collected is displayed for the first copy.
Suggested solution: You cannot have more than one copy of the same counter for the same instance of the same object. Delete one of the copies.

Possible cause: The remote computer you are monitoring is offline.
Suggested solution: No action required. Performance Monitor continues trying to monitor the instance and will find it when the computer is restarted.

Possible cause: The application or thread you are monitoring has stopped.
Suggested solution: No action required. Performance Monitor continues trying to monitor the instance and will find it when the process or thread is restarted.

Possible cause: When an internal counter from which Performance Monitor collects data returns a negative or invalid value, Performance Monitor displays a zero.
Suggested solution: Enable Performance Monitor event logging. Performance Monitor will then report any negative or invalid values to the Event Viewer application event log. For more information, see "Logging Performance Monitor Errors."

The counter value in my report is different than the value of the same counter in my graph.

Possible cause: You are reporting on an instantaneous counter value that decreases to zero at the end of the graph. Reports of instantaneous counters display the last value collected. Reports of averaged counters display the average of collected values.
Suggested solution: In Log view, use the Time Window to change the end time on the graph to a more representative part of the curve. If you need to see more than just the end value in report form, export the graph to a spreadsheet.

Possible cause: Charts and reports of logged data sometimes collect different samples of the same data.
Suggested solution: This sampling variance usually is less than 0.1, which is close to the resolution limit of the counters.

Possible cause: Averages of data for the Hit% counters on the Cache object are calculated differently in charts than in reports. Data for the value bar in Chart view is calculated by averaging all changes during the test interval. The value displayed in Report view is the average of the difference between first and last counter values during the test interval.

I had an application running while I was logging data, but when I graph data from the log, the application doesn't appear in the Instances box.

Possible cause: Applications that are not active when the log starts don't appear in the Instances box until you adjust the Time Window interval, even if the interval displayed includes the start time.
Suggested solution: Use the Time Window to advance the beginning of the measured interval to a point when the application was active. Select at least one counter for the application. Now, use the Time Window to expand the interval so you can see all logged data. The application will continue to be monitored and all data will be accurate.

My log stopped when I tried to chart a different log.

The Data From option applies to all views. When you switch to Chart view and change the data source from current activity to a log file, the log no longer can collect data about current activity.

You can start a second copy of Performance Monitor and chart from a closed log file. However, you cannot chart a log file while it is collecting data.

All values for my disks are zero, but I know they are active.

Possible cause: The counters for the Physical and Logical Disk objects don't work until you install the Disk Performance Statistics Driver in your I/O Manager disk stack.
Suggested solution: Use the Diskperf utility to install the Disk Performance Statistics Driver, then restart the computer and try again. For information about Diskperf, see "Enabling the Disk Counters" in Chapter 6, or see Performance Monitor Help.

I have several disks, but values are only shown for the first disk in the set.

Possible cause: When you ran Diskperf, you used the standard option, diskperf -y, which places the statistics collector above the fault tolerant driver, FTDISK. The statistics collector cannot see the different physical instances of the disk.
Suggested solution: Run Diskperf using the diskperf -ye option, then restart the computer. This places the statistics collector below the fault tolerant driver so it can see physical disks before they are combined into a volume set.

How do I figure out which line represents which item in the graph?

Possible cause: Graphs can get busy. Use the highlight feature to help you.
Suggested solution: Press the backspace key to highlight the graph line or bar corresponding to the counter selected in the legend. As you scroll through the legend, the highlight moves to the corresponding line or bar in the graph.

Where is Performance Monitor? I started it, but cannot find it.

Possible cause: Performance Monitor starts in the same condition it was in when you closed it. If you closed it while it was minimized, it comes up the same way. If your taskbar is hidden, it's hard to find it.
Suggested solution: Point to the taskbar area to make it reappear, then click the Performance Monitor icon on the taskbar to start it.

Performance Monitor won't let me set an alert for an instance of a counter even though it appears in the Instances box.

You can set an alert only on the first instance of an object with a given name. If you have multiple instances with the same name, all instances will appear in the Instances box for the counter, but only data collected from the first instance will trigger an alert.
This applies only to alerts. You can chart, report, and log multiple instances with the same name.

I set two alerts, each for different values of the same counter for the same instance. Although both thresholds were exceeded, Performance Monitor reported alerts on only one.

You cannot set more than one alert on a counter for the same instance of an object. Data collected for that instance is compared only to the alert that was set first.

Explain button is grayed out.

Possible cause: Explanatory text is not available when you are working with data from a log file.
Suggested solution: To see the Explanatory text for a counter, open a second copy of Performance Monitor with the Data From field set to current activity.

Start Log button is grayed out.

Possible cause: At least one object must be selected for logging to enable the Start Log button.
Suggested solution: Select at least one object to be logged, and try again.

%Disk Read Time and %Disk Write Time don't sum to %Disk Time

Possible cause: All disk counters include time in the queue. When the queue gets long, the read and write time both include that time and don't sum to 100.

Possible cause: %Disk Read Time:_Total and %Disk Write Time:_Total sum to more than 100% because you have more than one instance of the physical or logical disk.
Suggested solution: The percentage counters are limited, by definition, to 100% and cannot display higher values. Use the Avg. Disk Read Queue Length, Avg. Disk Write Queue Length, and Avg. Disk Queue Length counters instead. These report on the same data as the %Disk Time counters, but display the values in decimals that can exceed 1.0.

Why is there a _Total instance on the ID counters? What would a total ID Thread counter show?

Items in the Instances box are the same for all counters of an object.
When an instance has no meaning, as in the case of _Total for IDs, a zero value is displayed for the counter.

Process: Pool Nonpaged Bytes:_Total doesn't equal Memory: Pool Nonpaged Bytes

Possible cause: The Memory: Pool Nonpaged Bytes value comes from an internal counter that counts each byte. The Process: Pool Nonpaged Bytes counters are estimates from the Object Manager. The Object Manager counts accesses, not space, so its counts include requests to duplicate object handles as well as space for the object.
Suggested solution: Ignore the static value of the counters and, instead, monitor any changes in the values. Unfortunately, all tools use the same counters, so Performance Monitor, Task Manager, Process Explode, Process Viewer, and Process Monitor are limited to the same resolution.

Where is the Processor Queue Length Counter?

It's a System object counter. There is just one processor queue for all processors.

Counter values for instances of an object are greater than those for the total.

Possible cause: The %Disk Time and %Processor Time counters are limited, by definition, to 100%. If you have multiple disks or processors, each could equal 100%, but the total counter cannot display the sum.
Suggested solution: Monitor the physical instances separately. For disks, use the Avg. Disk Queue Length counters instead of the %Disk Time counters. These display the totals as decimals, not percentages, so they can exceed 1.0. For processors, use the System: %Total Processor Time counter. This averages the active time of each processor over all processors.

Possible cause: Values during spikes in the data are not included in the totals. Data spikes sometimes appear when threads and processes stop and start. They are artifacts of monitoring, not valid data.
Suggested solution: Add the Process ID and Thread ID counters to your chart and use the Time Window to limit the data displayed to a single instance of the process or thread. For details, see "Monitoring Processes and Threads" in this chapter.
