Monitoring and Performance in Windows 7

Lesson 1: Monitoring Systems

As an IT professional with at least one year’s experience, you will have come across some of, if not all, the tools and utilities described in this lesson. Windows 7 offers tools to measure performance, set baselines, identify bottlenecks, display resources, measure system stability and reliability, and so on.

It is sometimes not easy to select the right tool for the job. Often you can use several tools to obtain the same information or carry out the same configuration, but one of them does it more efficiently than the others. It is relatively straightforward to use one or more tools to gather information about a computer system. Interpreting that information may be more difficult. This lesson attempts to split the various tools into different functional groups and describe how the tools in each group complement each other.

Performance Monitoring and Reporting

Monitoring performance data and comparing it to established baselines is crucial to determining the health of your client computers, as is examining events in the event logs. Many events are informational, but you should not ignore them because of that. Your skill and experience as an administrator must determine what you should address and what you can safely ignore. You should never ignore warning and error events that indicate real and immediate problems.

As an IT professional, you probably have experience with Windows performance tools such as Performance Monitor and the Reports tool. You might not be familiar with DCSs that use performance counters to generate performance logs and can, in turn, be read by Performance Monitor and the Reports tool. DCSs provide a replacement for Performance Logs and Alerts in earlier operating systems.

Your aim is to monitor and improve performance, identify potential bottlenecks, and upgrade the appropriate resources. You especially want to identify sources of critical performance problems that could make a computer unacceptably slow or completely unusable.

Performance Monitor

In Windows 7, you can open Performance Monitor by accessing Control Panel, specifying All Control Panel Items, selecting Performance Information And Tools, clicking Advanced Tools in the Performance Information And Tools window, and clicking Open Performance Monitor. However it is easier to type perfmon in the Start menu search box (or at a command prompt). The Performance dialog box lets you access Performance Monitor, DCSs, and the Reports tool. Select Performance Monitor on the tree pane.

You can add counters by clicking the green + button on the Performance Monitor toolbar, expanding the object (such as Memory), selecting the counter, and clicking Add. You can specify whether you want to display a single instance of a counter or a total of all instances. For example, if a computer has more than one CPU, you could select a counter that monitors the usage of a single CPU or a counter that monitors total CPU usage. Figure 13-1 shows Performance Monitor displaying real-time data.

Each line on the graph appears in a different color. To make it easier to view a specific graph, select its counter and press Ctrl+H. The selected counter appears bold and in black on the graph. To change the appearance and refresh rate of the chart, right-click Performance Monitor and then select Properties. The five tabs of the Performance Monitor Properties dialog box provide access to different configuration options, as follows:

• General In the Graph Elements group, you can adjust the Sample Every box to change how frequently the graph updates. You can also specify whether the Legend, Value Bar, and Toolbar are displayed and whether the Report and Histogram views show Default, Maximum, Minimum, Average, or Current values. Figure 13-2 shows the General tab.

  

  FIGURE 13-2 The General tab of Performance Monitor Properties

• Source On this tab, you can choose whether to display current activity in real time or show log files that you have saved using a DCS

• Data On this tab, in the Counters list, select the counter that you want to configure and adjust Color, Width, and Style.

• Graph By default, Performance Monitor begins overwriting graphed counter values on the left portion of the chart after the specified duration is reached. If you want to record counter values over a long period of time, you likely want to see the chart scroll from right to left. To do this, select the Scroll style. You can also select one of the following chart types by clicking the Change Graph Type button on the toolbar or by pressing Ctrl+G:

  • Line This is the default setting and shows values as lines on the chart.

  • Histogram This shows a bar graph with the current, maximum, minimum, or average counter values displayed. If you have a large number of counters, a histogram is easier to read than a line chart.

  • Report This lists the current, maximum, minimum, or average counter values in a text report.

• Appearance If you keep multiple Performance Monitor windows open simultaneously, you can use this tab to change the color of the background or other elements.

Data Collector Sets

Data collector sets (DCSs) gather system information, including configuration settings and performance data, and store it in a data file. You can use Performance Monitor to examine the data file and analyze detailed performance data, or you can generate a report that summarizes this information.

Windows 7 includes the following built-in DCSs:

• System Performance You can use this DCS when troubleshooting a slow computer or intermittent performance problems. It logs processor, disk, memory, and network performance (Internet Protocol versions 4 and 6) counters and kernel trace data.

• System Diagnostics You can use this DCS when troubleshooting reliability problems such as problematic hardware, driver failures, or STOP errors. It logs all the information included in the System Performance DCS, plus detailed system information. Figure 13-3 shows some of the counters included in the System Diagnostics data set.

To use a DCS, right-click it and then select Start. The System Performance DCS has a default overall duration of 1 minute. The System Diagnostics DCS collector set has a default overall duration of 10 minutes. To stop a DCS manually, right-click it and then click Stop.

After running a DCS, you can view a summary of the data that it has gathered in the Performance Monitor\Reports node. To view the most recent report for a DCS, right-click the DCS and then click Latest Report. You can then view the report by accessing it in the Reports node, as shown in Figure 13-4.

You can also add performance counter alerts to DCSs. This enables you to monitor and detect an alert, which you can then use to start a batch file, send you an e-mail, or call you on a pager. For example, if you configured an alert to trigger when free space on a logical volume falls below 30 percent, you could add this to a DCS and use it to trigger a batch file that archives the data on the volume.

Data logging uses a large amount of system resources, and performance log files can become very large. To minimize the performance impact of performance data logging, log the minimum amount of information you require. For example, use System Performance instead of System Diagnostics whenever possible because System Performance includes fewer counters.

Creating a Data Collector Set

If you have a performance problem or want to analyze and possibly improve the performance of a client computer, you can use DCSs to gather performance data and compare it against your baselines. The following high-level procedure creates a custom DCS:

1. In the Performance Monitor console (not the Performance Monitor tool that you can access from the console), expand Data Collector Sets, right-click User Defined, select New, and then select Data Collector Set. This starts the Create New Data Collector Set Wizard.

2. On the Create New Data Collector Set page, specify a name for the set. Ensure that Create From A Template (Recommended) is selected. Click Next.

3. On the Which Template Would You Like To Use? page, choose from one of the standard templates (Basic, System Diagnostics, or System Performance). Click Next.

4. On the Where Would You Like The Data To Be Saved? page, click Next to accept the default location for the data.

5. On the Create The Data Collector Set page, leave Run As set to the default to create and run the DCS using the logged-on user’s credentials. Alternatively, click Change and specify alternative administrative credentials.

6. Select one of the following three options, and then click Finish:

   • Open Properties For This Data Collector Set

   • Start This Data Collector Set Now

   • Save And Close

Custom DCSs are located under the User Defined node within Data Collector Sets. You can schedule when a DCS runs and configure its stop conditions. You can also start a DCS manually by right-clicking it and selecting Start.

Customizing Data Collector Sets

A custom DCS logs only the performance data defined in the template that you choose. To add your own data sources to a DCS, you must update it after you create it.

To add a performance data source (such as a performance counter) to a DCS, right-click the DCS, select New, and then select Data Collector. The Create New Data Collector Wizard opens. On the What Type Of Data Collector Would You Like To Create? page, specify the data collector name, select the type, and then click Next. You can choose from the following types of data collectors:

• Performance Counter Data Collector This type of data collector enables you to collect performance statistics over long periods of time for later analysis. You can use it to set baselines and analyze trends.

• Event Trace Data Collector This type of data collector enables you to collect information about system events and activities.

• Configuration Data Collector This type of data collector stores information about registry keys, Windows Management Instrumentation (WMI) management paths, and the system state.

• Performance Counter Alert This type of data collector (sometimes termed an Alert data connector) enables you to configure an alert that is generated when a particular performance counter exceeds or drops below a specific threshold value.

You can add as many data collectors to a DCS as you need. To edit a data collector, select it in the Data Collector Sets\User Defined node. In the Details pane, right-click the data collector and click Properties.

If a DCS includes performance counters, you can view the counter values in Performance Monitor by right-clicking the report, clicking View, and then clicking Performance Monitor. Performance Monitor then displays the data logged by the DCS rather than real-time data.

Creating Data Collectors from the Command Prompt

You can create data collectors from an elevated command prompt by using the Logman utility. For example, you can use the following commands to create the various types of data collector listed in the previous section:

• Logman create counter This command creates a Performance Counter data collector. For example, the logman create counter my_perf_log -c “\Processor(_Total)\% Processor Time” command creates a counter called my_perf_log that records values for the % Processor Time counter in the Processor(_Total) counter instance.

• Logman create trace This command creates an Event Trace data collector. For example, the logman create trace my_trace_log -o c:\trace_log_file command creates an event trace data collector called my_trace_log and outputs the results to the C:\trace_log_file location.

• Logman create cfg This command creates a Configuration data collector. For example, the Logman create cfg my_cfg_log –reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\ command creates a configuration data collector called my_cfg_log using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion registry key.

• Logman create alert This command creates an Alert data collector. For example, the logman create alert my_alert -th “\Processor(_Total)\% Processor Time>90” command creates an alert called my_alert that fires when the % Processor Time performance counter in the Processor(_Total) counter instance exceeds a value of 90.

You can also use the Logman utility to query data collector output; for example, the logman query “my_perf_log” command lists the data collectors contained in the my_perf_log DCS. You can start and stop DCSs, for example, by using the commands logman start my_perf_log and logman stop my_perf_log. You can delete a DCS, for example, by using the command logman delete my_perf_log, and you can use logman update to update a performance counter, a trace counter, an alert, or a configuration. Logman enables you to export the information in DCSs to and import information from an XML file.

Generating a System Diagnostics Report

When you create and use a DCS, you generate a report that is placed in User Defined Reports in the Reports tool in the Performance Tools console. However, the Reports tool also contains a system diagnostic report, sometimes known as a computer health check (although the term health check is more commonly used on server rather than client computers).

A system diagnostics report gives you details about the status of hardware resources, system response times, and processes on the local computer, along with system information and configuration data. You would generate a system diagnostics report if you were looking for ways to maximize performance and streamline system operation. You need to be a member of the local Administrators group or equivalent to generate a system diagnostics report.

If you use the Performance Tools console to look at the system diagnostics report, you see a copy of that report the last time it was compiled. To generate and display a system diagnostic report that is completely up to date, enter the following into the Search box on the Start menu:

perfmon /report

If you prefer, you can instead enter perfmon.exe /report in an elevated command prompt. Whatever method you choose, the command generates a diagnostics report (this typically takes 60 seconds) and displays it in the Resource and Performance Monitor, as shown in Figure 13-5. You can scroll down the report and expand any of its sections.

For example, expanding the failed basic system check called Hardware Device And Driver Checks in the Resource and Performance Monitor results in the screen shown in Figure 13-6, which indicates there are problems with three of the Plug and Play (PnP) devices.

You can expand Performance, Software Configuration, Hardware Configuration, CPU, Network, Disk, Memory, and Report Statistics. For example, expanding Software Configuration lets you access more information, as shown in Figure 13-7, although no faults or warnings are displayed in this screen shot. If a fault was detected, you can explore further by expanding any of the nodes marked with a + symbol.

Expanding Report Statistics lets you access computer information, files, and processed events and discover Payload GUIDs, as shown in Figure 13-8.

Tracking System Reliability, Stability, and Overall Performance

Windows 7 offers several tools to assess system reliability and stability. Reliability Monitor keeps a record of software changes and updates and lets you correlate system changes with crashes and reboots; the Action Center monitors your computer and reports problems with security, maintenance, and related services; and the Windows Experience Index measures the capability of your computer’s hardware and software configuration and expresses this as a base score.

Reliability Monitor

Reliability Monitor tracks a computer’s stability. Computers that have no reboots or failures are considered stable and can (eventually) achieve the maximum system stability index of 10. The more reboots and failures that occur on a computer, the lower the system stability becomes. The minimum index value is zero. The system stability index is not an exact measure of reliability because, sometimes, installing a new service pack or update requires a reboot, which initially lowers the index value but ultimately makes a system more reliable than it was before. However, Reliability Monitor provides valuable information about what system changes were made before a problem occurred. The easiest way to open Reliability Monitor is to type perfmon /rel in the Start menu Search box and click View Reliability History

You can use Reliability Monitor to diagnose intermittent problems. For example, if you install an application that causes the operating system to fail intermittently, it is difficult to correlate the failures with the application installation. Figure 13-9 shows how Reliability Monitor can be used to indicate that Windows and application failures and a video hardware error occurred on the Canberra computer on June 22 following an update of a video driver on June 21. If you obtained this result on a test network, you might consider obtaining more information before updating the driver on your production network.

The Stability Index

The stability index is based on data collected over the lifetime of a system. Each day in the stability chart is associated with a graph point showing its stability index rating. The stability index is a weighted measurement calculated from the number of failures seen over a rolling historical period. The index value is calculated over the preceding 28 days, although the results for considerably more days can be displayed.

Recent failures are weighted more heavily than past failures so that improvement over time is reflected in an ascending stability index when a reliability issue has been resolved. Days when the computer is turned off or is in a sleep or hibernate state are not included when calculating the stability index.

If there is not enough data to calculate a steady stability index, the line on the graph is dotted. For example, until Reliability Monitor has 28 days of data, the stability index is displayed as a dotted line, indicating that it has not yet established a valid baseline. When enough data has been recorded to generate a steady stability index, the line is solid. If there are any significant changes to the system time, an information icon appears on the graph for each day on which the system time was adjusted.

Reliability Monitor maintains up to a year of history for stability and reliability events. The Stability Chart displays a rolling graph organized by date.

The Stability Chart

The Stability Chart in Reliability Monitor displays a graph of the stability index on a day-to-day basis. Rows in the lower half of the chart track reliability events that either contribute to the stability measurement for the system or provide related information about software installation and removal. When one or more reliability events of each type are detected, an icon appears in the column for that date.

For software installs and uninstalls an information icon indicates a successful event and a warning icon indicates a failure. For all other reliability event types, an error icon indicates a failure. If more than 30 days of data are available, you can use the left and right arrow keys on the keyboard to find dates outside the visible range.

Using the Action Center

The Action Center, available under System And Security in Control Panel, monitors your computer and reports problems with security, maintenance, and related settings that help indicate your computer’s overall performance. It notifies users if there is a problem with the network firewall, antivirus, anti-spyware, or Windows Update on their computers running Windows 7. When the status of a monitored item changes (for example, your antivirus software becomes out of date), Action Center notifies you with a message in the notification area on the taskbar. The status of the item in Action Center changes color to reflect the severity of the message, and Action Center recommends an action. The Action Center is shown in Figure 13-10.

Changing Action Center Settings

If you prefer to keep track of an item yourself and you do not want to see notifications about its status, you can turn off notifications for the item in the Change Action Center Settings dialog box, shown in Figure 13-11.

When you clear the check box for an item on the Change Action Center Settings dialog box, you no longer receive any messages and do not see the item’s status in Action Center. Microsoft recommends checking the status of all items listed because that can help warn you about security issues.

The Windows Experience Index

From Action Center, you can archive messages and view the messages you have archived. You can click a link to change User Account Control (UAC) settings, as described in Chapter 9, “Authentication and Account Control.” However, the link in the Action Center that best measures the computer’s current performance level is to the Windows Experience Index in the Performance Information And Tools dialog box, as shown in Figure 13-12.

The Windows Experience Index measures the capability of your computer’s hardware and software configuration and expresses this as a base score. A higher base score generally means that your computer will perform better and faster especially when performing resource-intensive tasks.

Each hardware feature receives an individual subscore and the base score is determined by the lowest subscore. The base score is not an average of the combined subscores. However, the subscores can give you a view of how the features that are most important to you will perform and can help you decide which features to upgrade. Remember that if you are not interested in gaming and very high-quality three-dimensional graphics, you might purchase a computer that has very adequate processor, memory, and hard disk resources but has a lower-cost graphics hardware device. Such a computer is adequate for your purposes but does not have a high base score.

While bearing this in mind, you can use the base score as at least a rough guide when you are selecting software to run on your computer. For example, if your computer has a base score of 3.3, then you would be wise to purchase only software packages that require a base score of 3 or lower. Interactive games applications are a good example of the type of software package that require a high Windows Experience Index.

The scores range from 1.0 to 7.9. The Windows Experience Index is designed to accommodate advances in computer technology. As hardware speed and performance improve, higher score ranges will be enabled. The standards for each level of the index generally stay the same. However, in some cases, new tests might be developed that can result in lower scores. If you have replaced or upgraded hardware on your computer, you need to recalculate the Windows Experience Index.

Using System Tools to Investigate Processes and Services

As an IT professional, you probably have used Task Manager and accessed Resource Manager from that tool, although you may not be aware of the Resource Manager enhancements that Windows 7 provides. Process Explorer is a downloadable advanced system tool that offers many of the features of Task Manager and Resource Manager and you can use this tool to investigate resource usage, handles, and dynamic-link library (DLL) files.

Task Manager

If an application stops responding, Windows 7 tries to find the problem and fix it automatically. Alternatively, if the system seems to have crashed completely and Windows 7 has not resolved the problem, you can end the application by opening Task Manager and accessing the Applications tab.

The Performance tab in Task Manager provides details about how a computer is using system resources—for example, RAM and CPU. As shown in Figure 13-13, the Performance tab has four graphs. The first two show the percentage of CPU resource that the system is using, both at the moment and for the past few minutes. A high percentage usage over a significant period indicates that programs or processes require a lot of CPU resources. This can affect computer performance. If the percentage appears frozen at or near 100 percent, a program might not be responding. If the CPU Usage History graph is split, the computer either has multiple CPUs, a single dual-core CPU, or both.

If processor usage is consistently high—say 80 percent or higher for a significant period—you should consider installing a second processor or replacing the current processor even if the Windows Experience Index subscore does not identify the processor as a resource bottleneck. However, before you do so, it is worth capturing processor usage data by using Performance Monitor rather than relying on snapshots obtained by using Task Manager.

The next two graphs display how much RAM is being used, both at the moment and for the past few minutes. The percentage of memory being used is listed at the bottom of the Task Manager window. If memory use appears to be consistently high or slows your computer’s performance noticeably, try reducing the number of programs that are open at one time (or encourage users you support to close any applications they are not currently using). If the problem persists, you might need to install more RAM or implement ReadyBoost.

Three tables below the graphs list various details about memory and resource usage. In the Physical Memory (MB) table, Total is the amount of RAM installed on your computer, Cached refers to the amount of physical memory used recently for system resources, and Free is the amount of memory that is currently unused and available.

In the Kernel Memory (MB) table, Paged refers to the amount of virtual memory the kernel is using; Nonpaged is the amount of RAM memory used by the kernel.

The System table has five fields: Handles, Threads, Processes, Up Time, and Page File Handles are pointers that refer to system elements. They include (but are not limited to) files, registry keys, events, or directories. Lesson 2, “Configuring Performance Settings,” discusses page file configuration.

If you need more information about how memory and CPU resources are being used, click Resource Monitor. This displays the Resource Monitor, which is discussed later in this lesson. You require elevated privileges to access Resource Monitor.

You can determine how much memory an individual process uses by selecting the Task Manager Processes tab. As shown in Figure 13-14, the Memory (Private Working Set) column is selected by default. A private working set indicates the amount of memory a process is using that other processes cannot share. This information can be useful in identifying a “leaky” application—an application which, if left open, uses more and more memory resource and does not release memory resource that it is no longer using.

You can click View, click Select Columns, and then select a memory value to view other memory usage details on the Processes tab. You can use the Task Manager Processes tab to end a process, to end a process tree (which stops the process and all processes on which it depends), and to set process priority. To change the priority of a process, right-click the process and click Set Priority. You can choose Realtime, High, Above Normal, Normal, Below Normal, or Low.

The Task Manager Services tab shows which services are running and which are stopped. You can stop or start a service or go to a process that depends on that service. If you want more details about or more control over the services available on a computer, you can click Services to access the Services administrative tool. You require elevated privileges to use the Services tool.

The Task Manager Networking tab lets you view network usage. The Users tab tells you what users are connected to the computer and lets you disconnect a user. The Applications tab shows you the running applications and (as previously stated) enables you to close a crashed application.

Resource Monitor

Windows 7 offers an enhanced version of the Resource Monitor tool. Windows 7 Resource Monitor allows you to view information about hardware and software resource use in real time. You can filter the results according to the processes or services that you want to monitor. You can also use Resource Monitor to start, stop, suspend, and resume processes and services, and to troubleshoot unresponsive applications. You can start Resource Monitor from the Performance tab of Task Manager or by entering resmon in the Search box on the Start menu.

Resource Monitor always starts in the same location and with the same display options as the previous session. You can save your display state at any time and then open the configuration file to use the saved settings. However, filtering selections are not saved as part of the configuration settings.

Resource Monitor includes five tabs: Overview, CPU, Memory, Disk, and Network. The Overview tab, shown in Figure 13-15, displays basic system resource usage information. The other tabs display information about each specific resource. If you have filtered results on one tab, only resources used by the selected processes or services are displayed on the other tabs. Filtered results are denoted by an orange bar below the title bar of each table.

Each tab in Resource Monitor includes multiple tables that provide detailed information about the resource featured on that tab. The first table displayed is always the key table, and it contains a complete list of processes using the resource included on that tab. For example, the key table on the Overview tab contains a complete list of processes running on the system.

You can filter the detailed data in tables other than the key table by one or more processes or services. To filter, select the check box in the key table next to each process or service that you want to highlight. To stop filtering for a single process or service, clear its check box. To stop filtering altogether, clear the check box next to Image in the key table. If you have filtered results, the resources used by the selected processes or services are shown in the graphs as an orange line.

You can change the size of the graphs by clicking Views and selecting a different graph size. You can hide the chart pane by clicking the arrow at the top of the pane. To view definitions of data displayed in the tables, move the mouse pointer over the column title about which you want more information.

For example, to identify the network address that a process is connected to, click the Network tab and then click the title bar of TCP Connections to expand the table. Locate the process whose network connection you want to identify. You can then determine the Remote Address and Remote Port columns to see which network address and port the process is connected to. Figure 13-16 shows the System process is currently connected to IPv4 addresses 192.168.123.138 and 192.168.123.176, both on port 445.

On the Memory tab, shown in Figure 13-17, you can review the memory available to programs. Available memory is the combined total of standby memory and free memory. Free memory includes zero page memory.

Resource Monitor displays real-time information about all the processes running on your system. If you want to view only the data related to selected processes, you can filter the detailed results by selecting the check boxes next to the names of the processes you want to monitor in any of the tabs. Selected processes are moved to the top of the Image column. After you have selected at least one process for filtering, the Associated Handles and Associated Modules tables on the CPU tab contain data related to your selection. Tables that contain only filtered results include an orange information bar below the title bar of the table.

Resource Monitor allows you to end or suspend processes and start, stop, or restart services. You should use Resource Monitor to end a process only if you are unable to close the program by normal means. If an open program is associated with the process, it closes immediately and you lose any unsaved data. If you end a system process, this might result in system instability and data loss.

To end a process, right-click the executable name of the process that you want to end in the Image column of the key table of any Resource Monitor tab and click End Process. To end all processes dependent on the selected process, click End Process Tree. To resume a process, right-click the executable name of the program that you want to resume, and then click Resume Process.

To stop, start, or restart a service using Resource Monitor access the CPU tab and click the title bar of Services to expand the table. In Name, right-click the service that you want to change, and then click Stop Service, Start Service, or Restart Service.

Applications that are not responding might be waiting for other processes to finish, or for system resources to become available. Resource Monitor allows you to view a process wait chain, and to end processes that are preventing a program from working properly.

A process that is not responding appears as a red entry in the CPU table of the Overview tab and in the Processes table of the CPU tab. To view the process wait chain, right-click the executable name of the process you want to analyze in the Image column on the key table of any Resource Monitor tab and click Analyze Wait Chain.

If the process is running normally and is not waiting for any other processes, no wait chain information is displayed. If, on the other hand, the process is waiting for another process, a tree organized by dependency on other processes is displayed. If a wait chain tree is displayed, you can end one or more of the processes in the tree by selecting the check boxes next to the process names and clicking End Process.

Handles (as stated previously in this section) are pointers that refer to system elements. They include (but are not limited to) files, registry keys, events, or directories. Modules are helper files or programs. They include (but are not limited to) DLL files.

To use Resource Monitor to view all handles and modules associated with a process, in the Image column of the CPU tab, select the check box next to the name of the process for which you want to see associated handles and modules. Selected processes move to the top of the column. Click the title bars of the Associated Handles and Associated Modules tables to expand them. An orange bar below the title bar of each table shows the processes you have selected. Review the results in the detail tables.

If you need to identify the processes that use a handle, click the Search Handles box in the title bar of the Associated Handles table. Type the name of the handle you want to search for, and then click Search. For example, searching for c:\windows returns all handles with c:\windows as part of the handle name. The search string is not case sensitive, and wildcards are not supported.

Process Explorer

Process Explorer is not part of Windows 7, but you can download it at http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx, expand the archive into a folder (such as C:\ProcessExplorer), and start it by entering c:\processexplorer\procexp.exe in the Search box on the Start menu. Process Explorer tells you which program has a particular file or directory open and displays information about which handles and DLLs processes have opened or loaded. You can use either Process Explorer or Resource Monitor to determine which applications are responsible for activity on your hard disk, including which files and folders are being accessed.

When it opens, Process Explorer displays a list of the currently active processes, as shown in Figure 13-18. You can toggle the lower pane on and off and select to view handles or DLLs. In Handle mode, you can see the handles that the process selected in the top window has opened. The Process Explorer search capability discovers which processes have particular handles opened or DLLs loaded.

Process Explorer includes a toolbar and mini-graphs for CPU, memory, and I/O history. The mini-graphs show history of system activity, and resting the mouse over a point on a graph displays the associated time and the process information. For example, the tooltip for the mini-CPU graph shows the process that was the largest consumer of CPU. Clicking on any of the mini-graphs opens the System Information screen, as shown in Figure 13-19. Difference highlighting helps you see what items change between refreshes. Items—including processes, DLLs, and handles—that exit or are closed show in red and new items show in green.

System Information graphs display the CPU usage history of the system, committed virtual memory usage, and I/O throughput history. Red in the CPU usage graph indicates CPU usage in kernel mode, whereas green is the sum of kernel-mode and user-mode execution. When Committed Virtual Memory reaches the system Commit Limit, applications and the system become unstable. The Commit Limit is the sum of most of the physical memory and the sizes of any paging files. In the I/O graph, the blue line indicates total I/O traffic, which is the sum of all process I/O reads and writes between refreshes, and the pink line shows write traffic.

You can reorder columns in Process Explorer by dragging them to their new position. To select which columns of data you want visible in each of the views and the status bar, click Select Columns on the View menu or right-click a column header and click Select Columns. You can save a column configuration and its associated settings by clicking Save Column Set on the View menu.

On the Options menu, you can choose to have Process Explorer open instead of Task Manager whenever Task Manager is started, or you can ensure that the Processor Explorer window is always on top and always visible. You can specify that only one instance of Process Explorer is open at any one time.

Logging and Forwarding Events and Event Subscriptions

As an experienced IT professional, you almost certainly have used Event Viewer and event logs, and this section discusses these tools only briefly before going on to event forwarding and event subscriptions, with which you might be less familiar.

Details about event subscriptions can be found in the Subscriptions tab of the event log Properties dialog box. The General tab of this dialog box gives details such as current log size, maximum log size, and the action to take when maximum log size is reached. The easiest way to start Event Viewer is to enter eventvwr in the Start menu Search box.

Event Viewer displays event logs, which are files that record significant events on a computer—for example, when a user logs on or when a program encounters an error. You will find the details in event logs helpful when troubleshooting problems. The events recorded fall into the following categories:

• Critical

• Error

• Warning

• Information

The security log contains two more event categories, Audit Success and Audit Failure, that are used for auditing purposes.

Event Viewer tracks information in several different logs. Windows logs include the following:

• Application Stores program events. Events are classified as error, warning, or information, depending on the severity of the event. The critical error classification is not used in the Application log.

• Security Stores security-related audit events that can be successful or failed. For example, the security log will record an audit success if a user trying to log on to the computer was successful.

• System Stores system events that are logged by Windows 7 and system services. System events are classified as critical, error, warning, or information.

• Forwarded Events Stores events that are forwarded by other computers.

Custom Views

You can create custom views by clicking Create Custom View on the Event Viewer Action menu, specifying the source logs or events and filtering by level, time logged, event ID, task category, keywords, user, or computer. You are unlikely to specify all these criteria, but this facility enables you to refine your search to where you think a problem might be occurring rather than searching through a very large number of events. Figure 13-20 shows a custom view specification.

A filter is not persistent. If you set up a filter to view specific information in an event log, you need to configure the same filter again the next time you want to see the same information. Custom views are persistent, which means you can access them whenever you open Event Viewer. You can save a filter as a custom view so it becomes persistent and you do not need to configure it for each use. The Action menu also allows you to import custom views from another source and to connect to another computer. You need to have an administrator-level account on that computer.

Applications and Services Logs

Event Viewer provides a number of Applications and Services logs. These include logs for programs that run on the computer and detailed logs that store information about specific Windows services. For example, these logs can include the following:

• Hardware Events

• Internet Explorer

• Key Management Service

• Media Center

• A large number of Microsoft Windows logs

• Microsoft Office Diagnosis

• Microsoft Office Sessions

• Windows PowerShell

Attaching Tasks to Events

Sometimes you want to be notified by e-mail if a particular event occurs, or you might want a specified program to start, such as one that activates a pager. Typically, you might want an event in the Security log—such as a failed logon, or a successful logon by a user who should not be able to log on to a particular computer—to trigger this action. To implement this functionality, you attach a task to the event so that you receive a notification.

To do this, open Event Viewer and navigate to the log that contains the event about which you want to be notified. Typically, this would be the Security log in Windows logs, but you can implement this in other Windows logs or in Applications and Services logs if you want to. You click the event and click Action, click the event and go to the Actions pane, or right-click the event. You then select Attach Task To This Event.

This opens the Create A Basic Task Wizard. You name and describe the task and then click Next. The next screen summarizes the event, and you can check that you have chosen the correct event before clicking Next. The next screen gives you the option of starting a program, sending an e-mail, or specifying a message. When you make your choice and click Next, you configure the task. For example, if you want to send an e-mail, you would specify source address, destination address, subject, task, attachment (if required), and Simple Mail Transfer Protocol (SMTP) server. You click Next and then click Finish.

Using Network Diagnostics with Event Viewer

When you run Windows Network Diagnostics, as described in Chapter 6, any problem found, along with solution or solutions, is displayed in the Network Diagnostics dialog box. If, however, more detailed information about the problem and potential solutions is available, Windows 7 saves this in one or more event logs. You can use the information in the event logs to analyze connectivity problems or help interpret the conclusions.

You can filter for network diagnostics and Transmission Control Protocol/Internet Protocol (TCP/IP) events by specifying (for example) Tcpip and Tcpiv6 event sources and capturing events from these sources in a custom view.

If Network Diagnostics identifies a problem with a wireless network, it saves information in the event logs as either helper class events or informational events. Helper class events provide a summary of the diagnostics results and repeat information displayed in the Network Diagnostics dialog box. They can also provide additional information for troubleshooting, such as details about the connection that was diagnosed, diagnostics results, and the capabilities of the wireless network and the adapter being diagnosed.

Informational events can include information about the connection that was diagnosed, the wireless network settings on the computer and the network, visible networks and routers or access points in range at the time of diagnosis, the computer’s preferred wireless network list, connection history, and connection statistics—for example, packet statistics and roaming history. They also summarize connection attempts, list their status, and tell you what phases of the connection failed or did not start.

Event Forwarding and Event Subscriptions

Event forwarding enables you to transfer events that match specific criteria to an administrative (or collector) computer. This enables you to manage events centrally. A single event log on the collector computer holds important events from computers anywhere in your organization. You do not need to connect to the local event logs on individual computers.

Event forwarding uses Hypertext Transfer Protocol (HTTP) or, if you need to provide an additional encryption and authentication layer for greater security, Hypertext Transfer Protocol Secure (HTTPS) to send events from a source computer to a collector computer. Because event forwarding uses the same protocols that you use to browse Web sites, it works through most firewalls and proxy servers. Event forwarding traffic is encrypted whether it uses HTTP or HTTPS.

To use event forwarding, you must configure both the source and collector computers. On both computers, start the Windows Remote Management (WinRM) and the Windows Event Collector services. On the source computer, configure a Windows Firewall exception for the HTTP protocol. You might also need to create a Windows Firewall exception on the collector computer, depending on the delivery optimization technique you choose.

You can configure collector-initiated or source-initiated subscriptions. In collector-initiated subscriptions, the collector computer retrieves events from the computer that generated the event. You would use a collector-initiated subscription when you have a limited number of source computers and these are already identified. In this type of subscription, you configure each computer manually.

Subscriptions

In a source-initiated subscription (sometimes termed a source computer–initiated subscription), the computer on which an event is generated (the source computer) sends the event to the collector computer. You would use a source-initiated subscription when you have a large number of source computers and you configure these computers through Group Policy.

In a source-initiated subscription, you can add additional source computers after the subscription is established and you do not need to know immediately which computers in your network are to be source computers. In collector-initiated subscriptions, the collector computer retrieves events from one or more source computers. Collector-initiated subscriptions are typically used in small networks. In source-initiated subscriptions, the source computers forward events to the collector computer. Enterprise networks use source-initiated subscriptions.

A collector computer needs to run Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, or Windows Server 2003 R2. A source computer needs to run Windows XP with SP2, Windows Server 2003 with SP1 or SP2, Windows Server 2003 R2, Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2.

In a collector-initiated subscription, you first manually configure one or more source computers and the collector computer. When the source computers and the collector computer are configured, you can create an event subscription to determine what events should be transferred.

Configuring a Collector-Initiated Subscription

To configure a computer running Windows 7 so that a collector computer can retrieve events from it, open an elevated command prompt and use the Winrm (Windows Remote Management) command-line tool to configure the WinRM service by entering the following command:

winrm quickconfig

You can abbreviate this to winrm qc. Windows displays a message similar to that shown in Figure 13-21. The changes that must be made depend on how the operating system is configured. You enter Y to make these changes. Note that if any of your network connection types is set to public, you must set it to private for this command to work.

Next, add the computer account of the collector computer to the local Event Log Readers group or the local Administrators group on the source computer. You can do this by using the Local Users And Groups MMC snap-in or by entering a net command in an elevated command prompt.

You can add the collector computer account to the local Administrators group or the Event Log Readers group on the source computer. If you do not require the collector computer to retrieve events in Security Event logs, it is considered best practice to use the Event Log Readers group. However, if you do need to transfer Security Event log information, you must use the local Administrators group.

By default, the Local Users And Groups MMC snap-in does not permit you to add computer accounts. You must click the Object Types button in the Select Users, Computers, Or Groups dialog box and select the Computers check box. You can then add computer accounts.

To configure a computer running Windows 7 to collect events, open an elevated command prompt and enter the following command to configure the Windows Event Collector service:

wecutil qc

When you have configured the source and collector computers, you next configure the event subscription by specifying what events the collector computer needs to retrieve and the event sources (specifically the source computers) from which it must retrieve them.

Configuring a Source-Initiated Subscription

Source-initiated subscriptions are typically used in enterprise networks in which you can use Group Policy to configure a number of source computers. To configure a source-initiated subscription, you configure the collector computer manually and then use Group Policy to configure the source computers. When the collector computer and source computers are configured, you can create an event subscription to determine which events are forwarded.

Source-initiated subscriptions (sometimes termed source computer–initiated subscriptions) enable you to configure a subscription on a collector computer without defining the event source computers. You can then set up multiple remote event source computers by using Group Policy to forward events to the event collector computer. By contrast, in the collector-initiated subscription model, you must define all the event sources in the event subscription.

To configure the collector computer in a source-initiated subscription, you need to use command-line commands entered in an elevated command prompt. If the collector and source computers are in the same domain, you must create an event subscription Extensible Markup Language (XML) file (called, for example, Subscription.xml) on the collector computer, open an elevated command prompt on that computer, and configure WinRM by entering the following command:

winrm qc -q

Configure the Event Collector service on the same computer by entering the following command:

wecutil qc -q

Create a source-initiated subscription on the collector computer by entering the following command:

wecutil cs configuration.xml

To configure a source computer to use a source-initiated subscription, you first configure WinRM on that computer by entering the following command:

winrm qc -q

You then use Group Policy to add the address of the event collector computer to the SubscriptionManager setting. From an elevated command prompt, start Group Policy by entering the following command:

%SYSTEMROOT%\System32\gpedit.msc

In Local Group Policy Editor, under Computer Configuration, expand Administrative Templates, expand Windows Components, and select Event Forwarding. Note that you do not have this option if you have already configured your computer as a collector computer.

Right-click the SubscriptionManager setting and select Properties. Enable the SubscriptionManager setting and then click Show. Add at least one setting that specifies the event collector computer. The SubscriptionManager Properties window contains an Explain tab that describes the syntax for the setting.

After the SubscriptionManager setting has been added, run the following command to ensure that the policy is applied:

gpupdate /force

Creating an Event Subscription

To receive events transferred from a source computer to a collector computer, you must create one or more event subscriptions. Before setting up a subscription, configure both the collector and source computers as previously described. To create a subscription on a collector computer, perform the following procedure:

1. In Event Viewer, right-click Subscriptions and select Create Subscription.

2. If prompted, click Yes to configure the Windows Event Collector Service to start automatically.

3. In the Subscription Properties dialog box shown in Figure 13-22, type a name for the subscription. You can also type a description if you want.

4. Select and configure the type of subscription you want to create—Collector Initiated or Source Computer Initiated. Specify Computers or Computer Groups.

   

   FIGURE 13-22 The Subscription Properties dialog box

5. Click the Select Events button in the Subscription Properties dialog box to open the Query Filter dialog box. Use this dialog box to define the criteria that forwarded events must match. Then click OK.

6. If you want, you can click the Advanced button in the Subscription Properties dialog box to open the Advanced Subscription Settings dialog box. You can configure three types of subscriptions: Normal, Minimize Bandwidth, and Minimize Latency.

   NOTE: SPECIFYING THE ACCOUNT THE SUBSCRIPTION USES

   Use the Advanced Subscription Settings dialog box to configure the account the subscription uses. Whether you use the default Machine Account setting or specify a user, you must ensure that the account is a member of the source computer’s Event Log Readers group (or, if you are collecting Security Event log information, the local Administrators group).

7. Click OK in the Subscription Properties dialog box to create the subscription.

PRACTICE: Using Performance Monitor to Generate a Snapshot of Disk Performance Data

In this practice, you take a snapshot of performance data on your Canberra computer. You then view this data in graph, histogram, and report format. You will probably obtain different results from the Canberra computer in your practice network. Before you carry out this practice, connect a second storage device, such as a second hard disk or USB flash memory, to your computer.

EXERCISE 1 Add and Monitor Disk Counters

In this exercise, you add counters that enable you to monitor the performance of your system (C:) hard disk volume. If you have additional volumes on a single hard disk or additional hard disks on your system, you can extend the exercise to monitor them as well.

A bottleneck affecting disk usage and speed has a significant impact on a computer’s overall performance. To add counters that monitor disk performance, perform the following procedure:

1. Log on to the Canberra computer using the Kim_Akers account.

2. Open Performance Monitor.

3. In Performance Monitor, click the Add button (the green + symbol).

4. In the Add Counters dialog box, ensure that Local Computer is selected in the Select Counters From Computer drop-down list.

5. Select the Show Description check box.

6. Select any counters currently listed in the Added Counters pane and click Remove.

7. In the Counter Selection pane, expand LogicalDisk and select % Free Space. In the Instances Of Dialog Box pane, select C:, as shown in Figure 13-23. The LogicalDisk\% Free Space counter measures the percentage of free space on the selected logical disk drive. If this falls below 15 percent, you risk running out of free space for the operating system to store critical files.

8. Click Add to add this counter.

9. In the Counter Selection pane, expand PhysicalDisk and select % Idle Time. In the Instances Of Dialog Box pane, select C:, as shown in Figure 13-24. This counter measures the percentage of time the disk was idle during the sample interval. If this value falls below 20 percent, the disk system is said to be saturated, and you should consider installing a faster disk system.

10. Click Add to add this counter.

    

    FIGURE 13-23 Selecting the Logical Disk\% Free Space Counter for the C: drive

    

    FIGURE 13-24 Selecting the Physical Disk\% Idle Time Counter for the C: drive

11. Use the same technique to add the C: instance of the PhysicalDisk\Avg. Disk Sec/Read counter. This counter measures the average time in seconds to read data from the disk. If the value is larger than 25 milliseconds (ms), the disk system is experiencing latency (delay) when reading from the disk. In this case, consider installing a faster disk system.

12. Use the same technique to add the C: instance of the PhysicalDisk\Avg. Disk Sec/Write counter. This counter measures the average time in seconds to write data to the disk. If the value is larger than 25 ms, the disk system is experiencing latency (delay) when writing to the disk. In this case, consider installing a faster disk system.

    MORE INFO: PHYSICALDISK\% DISK TIME COUNTER

    Because the value in the PhysicalDisk\% Disk Time counter can exceed 100 percent, many administrators prefer to use PhysicalDisk\% Idle Time, PhysicalDisk\Avg. Disk Sec/Read, and PhysicalDisk\Avg. Disk Sec/Write counters to obtain a more accurate indication of hard disk usage. For more information about the PhysicalDisk\% Disk Time counter, see http://support.microsoft.com/kb/310067.

13. Use the same technique to add the C: instance of the PhysicalDisk\Avg. Disk Queue Length counter. This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value of this counter is larger than twice the number of spindles in a disk array the physical disk itself might be the bottleneck.

14. Use the same technique to add the Memory\Cache Bytes counter. This counter indicates the amount of memory being used for the file system cache. There might be a disk bottleneck if this value is greater than 300 MB.

15. Check that the Add Counters dialog box shows the same counters and instances as Figure 13-25. Click OK.

    NOTE: COUNTER INCLUDED BY DEFAULT

    The Processor\%Processor Time counter is included by default and you do not need to add it. It does not appear in the list in Figure 13-25, but you can see it in the line graph, histogram, and report views shown in Exercise 2.

16. Do not close Performance Monitor. Go directly to Exercise 2.

EXERCISE 2 Set Performance Monitor Properties and Monitor Disk Performance

In this exercise, you set the sample interval and duration, read data from, and write data to the disk volume you are monitoring. You view the results in line, histogram, and report formats. Perform this exercise immediately after Exercise 1.

1. In the Performance Monitor Action pane, click More Actions and then click Properties.

2. On the General tab of the Performance Monitor Properties dialog box, in the Graph Elements section, change the Sample Every value to 5 and the Duration value to 300. Click OK.

   

   FIGURE 13-25 Counters and instances added

3. Copy a file or folder (about 100 MB in size) from your C: drive to your attached storage device.

4. Copy a file or folder (about 100 MB in size) from your attached storage device to your C: drive.

5. View the line graph in Performance Monitor, as shown in Figure 13-26. This might not easily provide the information you are looking for.

   

   FIGURE 13-26 Performance Monitor line graph view

6. In the Change Graph drop-down list, select Histogram Bar. View the histogram in Performance Monitor, as shown in Figure 13-27.

   

   FIGURE 13-27 Performance Monitor histogram view

7. In the Change Graph drop-down list, select Report. View the Report in Performance Monitor, as shown in Figure 13-28.

   

   FIGURE 13-28 Performance Monitor report view

8. Analyze the counter values in light of the information given about each counter in Exercise 1. The results shown in the screen shots indicate that adequate free space remains on the C: volume and no problem occurred when copying a fairly large file or folder. Cache memory usage was significant, but this is normal and acceptable in this operation. The results you obtain are likely to be different.

Lesson Summary

• You can use Performance Monitor to view performance data in real time or performance counter values captured in DCSs. A system diagnostics report gives you details about the status of hardware resources, system response times, and processes on the local computer, along with system information and configuration data.

• Reliability Monitor tracks a computer’s stability. It can also tell you when events that could affect stability (such as the installation of a software application) occurred and whether any restarts were required after these events. Action Center monitors your computer and reports problems with security, maintenance, and related settings. The Windows Experience Index indicates the suitability of your current computer hardware for running resource-intensive applications.

• Task Manager gives you a snapshot of resource usage and lets you manage applications, service, and protocols. Resource Monitor allows you to view information about hardware and software resource use in real time. Process Explorer performs the same functions as Task Manager but gives you additional controls and more detailed system information.

• Event Viewer lets you access and filter event logs and create custom views. You can attach tasks to events and configure event forwarding and event subscriptions so that a central computer can store events generated on one or more source computers.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Monitoring Systems.” The questions are also available on the companion DVD if you prefer to review them in electronic form.

1. You have upgraded the hardware on a computer so that it can run an application that requires a large amount of processor resource. You use the Windows Experience Index tool to generate a new base score. The subscores for each feature are as follows:

   ▪ Processor	5.1
   ▪ Physical Memory (RAM)	3.3
   ▪ Graphics	3.6
   ▪ Gaming Graphics	2.3
   ▪ Primary Hard Disk	5.3

   Based on these figures, what is the Windows Experience Index base score?

   1. 2.3

   2. 3.9

   3. 5.1

   4. 4.4

2. A client running Windows 7 is experiencing intermittent performance problems. You suspect the problems might be caused by an application that you recently installed but you have forgotten exactly when you did this. Which tool or feature would you use to determine when the application was installed?

   1. Reliability Monitor

   2. Action Center

   3. DCSs

   4. Performance Monitor

3. Which of the following types of information are stored in Reliability Monitor? (Choose all that apply; each correct answer presents part of a complete solution.)

   1. An application failed and needs to be restarted.

   2. A Windows error occurred and the system was rebooted.

   3. An application was uninstalled.

   4. A service was stopped.

   5. A device driver failed.

4. You are configuring a client running Windows 7 named Canberra to retrieve events from a computer running Windows 7 named Aberdeen. Both computers are on the same workgroup. Which of the following commands would you run on the collector computer to configure the Event Collector service?

   1. wecutil qc

   2. winrm qc

   3. winrm qc -q

   4. %SYSTEMROOT%\System32\gpedit.msc

5. You want to use Performance Monitor to display performance data captured in a DCS. You open the tool and access the Performance Monitor Properties dialog box. On which tab can you choose whether to display current activity in real time or log files that you have saved using a DCS?

   1. General

   2. Source

   3. Data

   4. Graph

   5. Appearance