Monitoring and Performance in Windows 7

  • 10/21/2009

Lesson 2: Configuring Performance Settings

This lesson looks at configurations that can affect the performance of your computer and the tools that Windows 7 provides to display and reconfigure performance settings and resolve performance issues. If you do not like the tools provided, you can use Windows Management Instrumentation (WMI) scripts to write your own.

Many factors affect performance, such as the appearance of your screen or your browser window, the services and processes that are running on your computer, and the priorities and processor affinity that you assign to various processes. Performance is affected by your cache and page file settings, by the services and applications that start automatically or run even when not required, and by what processes are running and the amount of resources each consumes.

Obtaining System Information Using WMI

WMI lets you access system management information and is designed to work across networks. It provides a consistent model of the managed environment and a WMI class for each manageable resource. A WMI class is a description of the properties of a managed resource and the actions that WMI can perform to manage that resource. A managed resource is any object (computer hardware, computer software, service, or user account) that can be managed by using WMI.

To use WMI, you write scripts that use the WMI scripting library. This library lets you work with WMI classes that correspond to managed resources. You can use this approach to manage resources such as disk drives, event logs, and installed software.

You can use Windows Script Host (WSH), Microsoft Visual Basic Scripting Edition (VBScript), Microsoft JScript, or scripting languages such as ActivePerl to write WMI scripts that automate the management of aspects of your network. Typically, Windows Management Instrumentation (WMI) files have .vbs extensions.

You can write scripts to manage event logs, file systems, printers, processes, registry settings, scheduled tasks, security, services, shared folders, and so on. You can create WMI-based scripts to manage network services, such as the Domain Name System (DNS), and to manage client-side network settings, such as whether a computer is configured with static Internet Protocol version 4 (IPv4) address settings or whether it obtains these settings from a Dynamic Host Configuration Protocol (DHCP) server. WMI scripts can monitor and respond to entries in an event log, modifications to the file system or the registry, and other real-time operating system changes.

A WMI script works with WMI classes, which are representations of physical features or services on a computer. Each class can contain one or more objects or instances and the objects have attributes. You can display the value of each attribute or pass this on to another routine for analysis.

Typically, you type WMI scripts using a text editor such as Microsoft Notepad and save them as .vbs files in a directory (for example, C:\WMI_Scripts) that you have created for this purpose. Be wary of using word processing software such as Microsoft Office Word for this process. Word processing software often uses different styles of quotation marks for different fonts (to cite one example), and this can cause syntax errors. You can run WMI scripts from an elevated command prompt by using the Cscript utility, and you can create batch files that run scripts at scheduled intervals or when triggered by an event.

For example, the following WMI script accesses instances of the Win32_Battery class (there is only one) and prints out the value of the EstimatedChargeRemaining attribute. The code looks more complex than it actually is. You can substitute other WMI classes and find the values of their attributes by substituting the class and the attributes in this routine.

strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colSWbemObjectSet = objSWbemServices.InstancesOf("Win32_Battery")
For Each objSWbemObject In colSWbemObjectSet
Wscript.Echo "Remaining Charge: " & objSWbemObject.EstimatedChargeRemaining & "

Figure 13-29 shows the output from this script file, saved as Battery.vbs in the C:\WMI_Scripts folder. Note that if you run this script on a desktop computer, it should complete without error, but it does not give an output.

FIGURE 13-29

FIGURE 13-29 Estimated battery charge remaining read by a WMI script

You can substitute other WIM classes and find the values of their attributes by substituting the class and the attributes in the previous script. For example, FreePhysicalMemory is an attribute of objects in the Win32_OperatingSystem class (typically, there would be only one object in this class). The following WMI script outputs the free physical memory on a computer in kilobytes:

strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colSWbemObjectSet = objSWbemServices.InstancesOf ("Win32_OperatingSystem")
For Each objSWbemObject In colSWbemObjectSet
Wscript.Echo "Free physical memory: " & objSWbemObject.FreePhysicalMemory & " KB."

Figure 13-30 shows the output from this script file, saved as Memory.vbs in the C:\WMI_Scripts folder.

FIGURE 13-30

FIGURE 13-30 Free physical memory read by a WMI script

You can write scripts that manage WMI classes that contain a number of objects. For example, the Win32_Services class contains all the services that run on a computer. The following script lists all these services:

strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colSWbemObjectSet = objSWbemServices.InstancesOf ("Win32_Service")
For Each objSWbemObject In colSWbemObjectSet
Wscript.Echo "Display Name: " & objSWbemObject.DisplayName & vbCrLf

You can expand the previous script to determine the state (started or stopped) and the start mode for each service as follows:

strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colSWbemObjectSet = objSWbemServices.InstancesOf ("Win32_Service")
For Each objSWbemObject In colSWbemObjectSet
Wscript.Echo "Display Name: " & objSWbemObject.DisplayName & vbCrLf
& " State: " & objSWbemObject.State & vbCrLf
& " Start Mode: " & objSWbemObject.StartMode

Figure 13-31 shows some of the output from the preceding script.

FIGURE 13-31

FIGURE 13-31 Determining the state and start mode of each service

You use WMI to administer managed resources. These include the computer system, Active Directory Domain Services (AD DS), disks, peripheral devices, event logs, files, folders, file systems, networking features, operating system subsystems, performance counters, printers, processes, registry settings, security, services, shared folders, users and groups, Windows Installer, device drivers, Simple Network Management Protocol (SNMP) management information base (MIB) data, and so on.

When you write scripts that interact with WMI-managed resources, the term instance is used to refer to the managed resource in the script. For example, the following script returns the drive letter for each logical disk drive on your computer:

strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer)
Set colSWbemObjectSet = objSWbemServices.InstancesOf ("Win32_LogicalDisk")
For Each objSWbemObject In colSWbemObjectSet
Wscript.Echo objSWbemObject.DeviceID

You can prompt for input in a WMI script and store this in a variable. For example, the following (partial) script prompts the user for a password and stores it in the string variable strPassword, which could, for example, be used with the Connect.Server function to connect to a server on the network:

strComputer = "."
Wscript.StdOut.Write "Please enter the administrator password: "
strPassword = Wscript.StdIn.ReadLine

The next script is a more complete routine that you can adapt for your own purposes. It uses the inputbox function to prompt for a computer name and then uses the MsgBox function to display information about that computer’s printers, processes, and processor. The code is not significantly more complex than the previous examples—you are simply displaying the values of object attributes—but using the built-in functions gives the script a professional feel:

computer = inputbox ("What computer do you want to check? (Press Enter if this
set WMI = GetObject("WinMgmts://" & computer)
If computer="" then computer = "this computer"

List = ""
Set objs = WMI.InstancesOf("Win32_Printer")
For each obj in objs
        List = List & obj.Caption & ", "
List=Left(List, Len(List)-2)
MsgBox List,64,"Printers on " & computer

List = ""
Set objs = WMI.InstancesOf("Win32_Process")
For each obj in objs
List = List & obj.Description & ", "
List=Left(List, Len(List)-2)
MsgBox List,64,"Processes on " & computer

List = ""
set objs = WMI.InstancesOf("Win32_Processor")
For each obj in objs
        List = List & obj.Description & ", "
List=Left(List, Len(List)-2)
MsgBox List,64,"Processor on " & computer

Note that if you specify the Aberdeen computer when you run this script on Canberra, you need to ensure the \\Canberra\Kim_Akers account has administrator rights on Aberdeen. Only a local administrator can run a WMI script on a computer, although if you have the appropriate rights, running WMI scripts on remote computers is straightforward. The script is possibly more relevant to an enterprise environment where Domain and Enterprise Admins have rights on every machine. Also, ensure that the firewalls are not blocking the information. Figure 13-32 shows the list of processes on Canberra displayed in a message box.

FIGURE 13-32

FIGURE 13-32 Processes on this computer (Canberra)

WMI consists of three primary features: the Common Information Model Object Manager (CIMOM), also known as the WMI service; the Common Information Model (CIM) repository, also known as the WMI repository; and WMI providers. Together, these features provide an infrastructure through which configuration and management data is defined, exposed, accessed, and retrieved.

WMI Providers

WMI providers, such as Win32 and the built-in Event Log provider, act as intermediaries between the CIMOM and a managed resource. Providers request information from and send instructions to WMI-managed resources on behalf of applications and scripts. Providers expose the managed resource to the WMI infrastructure using a standards-based access model, communicate with their respective managed resources by using the native application programming interfaces (APIs) of the managed resource, and communicate with the CIMOM by using WMI programming interfaces. Windows 7 introduces additional providers for Windows PowerShell and virtualization.

To create an application that manages Windows subsystems, you typically use the Win32 APIs. Without WMI, you would need to call these APIs yourself. Unfortunately, Win32 APIs cannot be called from a script, and you would need to use a programming language such as C++ or Microsoft Visual Basic. Writing C++ or Virtual Basic code is typically much more difficult than writing a script.

When you use WMI providers, you do not have to worry about calling the Win32 APIs because WMI does that for you. Also, you do not have to worry about differences between various APIs because you use a standard set of WMI commands and WMI translates those commands into commands that the APIs understand.

WMI providers are generally implemented as DLLs in the SystemRoot\System32\Wbem directory. The built-in providers, also known as standard providers, supply data and management functions from well-known operating system sources, such as the Win32 subsystem, event logs, performance counters, and the registry.


The CIMOM handles the interaction between consumers and providers. It acts as the WMI information broker and all WMI requests and data flow through the CIMOM. When you write a WMI script, the script is directed to the CIMOM. However, the CIMOM does not directly handle your request. For example, suppose that you request a list of all the services installed on a computer. The CIMOM does not actually retrieve the list of services for you. Instead, it locates the appropriate WMI provider and asks the provider to retrieve the list. When the list has been retrieved, the CIMOM returns the information to you.

The WMI Service

The WMI service (Winmgmt.exe) implements the CIMOM on Windows 7. You can start and stop it from an elevated command prompt like any other service (for example, net stop winmgmt). Be aware, however, that if you stop the WMI service, this also stops the Security Center and IP Helper services. If the WMI service is stopped and you run a script or an application that requires WMI, the service automatically restarts.

The CIM Repository

Management applications, administrative tools, and scripts make requests to the CIMOM to retrieve data, subscribe to events, or to perform some other management-related task. The CIMOM retrieves the provider and class information necessary to service consumer requests from the CIM repository. The CIMOM uses the information obtained from the CIM repository to hand off consumer requests to the appropriate WMI provider.

The CIM repository holds the schema, also called the object repository or class store, which defines all data exposed by WMI. The schema is similar to the AD DS schema and is built on the concept of classes. A class is a blueprint of a WMI-manageable resource. However, unlike AD DS classes, CIM classes typically represent dynamic resources. Instances of resources are not stored in the CIM repository but are dynamically retrieved by a provider based on a consumer request. This means that the term repository is somewhat misleading. Although the CIM is a repository and is capable of storing static data, its primary role is storing the blueprints for managed resources.

The operational state for most WMI-managed resources changes frequently (for example, all the events in all event logs on a computer) and is read on demand to ensure that the most up-to-date information is retrieved. This can sometimes cause queries to run slowly if a lot of information needs to be retrieved, but this is preferable to using the computer resource that would be required to maintain an up-to-date repository of frequently changing data.

CIM Classes

CIM classes are organized hierarchically and child classes inherit from parent classes. The Distributed Management Task Force (DMTF) maintains the set of core and common base classes from which system and application software developers derive and create system-specific or application-specific extension classes. Classes are grouped into namespaces, logical groups representing a specific area of management. CIM classes include both properties and methods. Properties describe the configuration and state of a WMI-managed resource; methods are executable functions that perform actions on the WMI-managed resource associated with the corresponding class.

WMI Consumers

A WMI consumer can be a script, an enterprise management application, a Web-based application, or some other administrative tool that accesses and controls management information available through the WMI infrastructure. For example, the script listed earlier that discovered and listed the logical disk drives on your computer is a WMI consumer. An application can be both a WMI provider and a WMI consumer (for example, Microsoft Application Center and Microsoft Operations Manager).

WMI Scripting Library

The WMI scripting library provides the set of automation objects through which scripting languages such as VBScript access the WMI infrastructure. The WMI scripting library is implemented in a single automation feature named Wbemdisp.dll that is stored in the SystemRoot\System32\Wbem directory. The Automation objects in the WMI scripting library provide a consistent and uniform scripting model for WMI-managed resources.

Variable Naming Convention

WMI scripts typically follow a consistent convention when naming variables. Each variable is named according to the automation object name in the WMI scripting library and is prefaced with obj (to indicate an object reference) or col (to indicate a collection object reference). For example, a variable that references an object called SWbemServices is named objSWbemServices; a variable that references an object called SWbemObject is named objSWbemObject; and a variable that references an object called SWbemObjectSet is named colSWbemObjectSet.

This convention is not mandatory, but it helps you understand the type of WMI object that you are working with in a WMI script. Following a consistent naming convention makes your code easier to read and to maintain, especially if you are not the person doing the maintenance.

The WMI Administrative Tools

You can download the WMI Administrative Tools at, although it is probably easier to go to and search for "WMI Administrative Tools.”

The WMI Administrative Tools include the following:

  • WMI Common Information Model (CIM) Studio Enables you to view and edit classes, properties, qualifiers, and instances in a CIM repository; run selected methods; and generate and compile Managed Object Format (MOF) files.

  • WMI Object Browser Enables you to view objects, edit property values and qualifiers, and run methods.

  • WMI Event Registration Tool Enables you to configure permanent event consumers, and to create or view instances of event consumers, filters, bindings, and timer system classes.

  • WMI Event Viewer Displays events for all instances of registered consumers.

WMI CIM Studio

WMI CIM Studio is designed primarily for use by developers, particularly those who are writing providers. It assists developers to create WMI classes in the CIM repository. WMI CIM Studio uses a Web interface to display information and relies on a collection of ActiveX features installed on the system when it runs for the first time. The tool enables developers to:

  • Connect to a chosen system and browse the CIM repository in any namespace available

  • Search for classes by their name, by their descriptions, or by property names

  • Review the properties, methods, and associations related to a given class

  • See the instances available for a given class of the examined system

  • Perform queries in the WMI Query Language (WQL)

  • Generate an MOF file based on selected classes

  • Compile an MOF file to load it in the CIM repository

WMI CIM Studio also provides wizards for generating and compiling MOF files and for generating framework provider code. When you start WMI CIM Studio from the WMI Tools menu, you first need to click the Information bar and permit ActiveX tools to run. You then select a namespace in the Connect To Namespace dialog box or use the default namespace Root\CIMV2. Figure 13-33 shows the WMI CIM Studio tool.

FIGURE 13-33

FIGURE 13-33 WMI CIM Studio

WMI CIM Studio contains a Class Explorer and a Class Viewer. When you select classes in the Class Explorer, their details appear in the Class Viewer. WMI CIM Studio wizards generate and compile MOF files.

You can use WMI CIM Studio to view the class inheritance tree for any namespace in your system or on a network by specifying the namespace path in the Classes In box, by clicking the Classes In arrow and selecting the namespace in the history list, or by browsing to a namespace.

You can search for a specific class in the namespace by clicking Search For Class in Class Explorer. In the Search For Class dialog box, select one or more check boxes under Search Options to select the type of search to perform: by class name, class description, or property name. Enter the full or partial text value to use for this search, and click Go. The results of the search appear in the Search Results pane. Click the class to view and then click OK. This displays the chosen class in Class Explorer.

You can display the properties of a class by selecting the class in Class Explorer and then clicking the Properties tab in Class Viewer. Symbols (for example, a key represents a key property) let you identify the following information about a class:

  • Key properties

  • System properties

  • Inherited properties

  • Writable properties

  • The values contained in property arrays

WMI CIM Studio lets you display instances of an existing class by accessing a table of all instances of the class and viewing the associations of an instance. You can also define and display custom views of instances. You can add and delete class definitions in Class Explorer, and you can modify class definitions by adding, editing, or deleting properties, qualifiers, and methods. You can add and delete instances of a class.

You can execute regular methods on instances in WMI CIM Studio if the instances are implemented and not disabled. Click the class in Class Viewer and click Instances. Right-click the instance you want to work with and select Go To Object. Click the Methods tab in Class Viewer, right-click the method, and select Execute Method. The Parameters column shows the parameters defined for the method and their default values. Before executing the method, you can configure the parameters by editing their values.

The WQL Query Builder lets you write, save, and execute WQL queries. To use this feature, click the WQL Query symbol in Class Viewer. The MOF Generator Wizard in Class Explorer enables you to generate an MOF file for class definitions and instances from an existing repository. Typically, you run this wizard when you have created a new class or when you want to export existing repository information to another computer. You can compile the MOF file into a repository—importing any class definitions or instances from the MOF file into the current repository—by using the MOF Compiler Wizard. This wizard checks the syntax of an MOF file and creates binary MOF files.

WMI Object Browser

Unlike WMI CIM Studio, the WMI Object Browser is designed for use by system managers. This tool enables you to display the object tree for a CIM repository, view object details, edit object information, and run selected methods. You start WMI Object Browser from the WMI Tools menu and you need to click the Information bar and enable ActiveX controls. You can select a namespace or accept the default.

WMI Object Browser contains an Object Explorer and an Object Viewer. When you select objects in the Object Explorer, their details appear in the Object Viewer. Figure 13-34 shows the WMI Object Browser.

FIGURE 13-34

FIGURE 13-34 The WMI Object Browser

The left pane of the WMI Object Browser contains the Object Explorer, which shows the object tree for the current namespace (by default, the Root\CIMV2 namespace on the local computer). You can select a different local namespace or a namespace on a remote computer. The Object Explorer shows a hierarchy of the instances that are found in the selected namespace and any instance in the namespace can be selected as the root of the tree.

The tree shows regular objects and grouping nodes. Grouping nodes are not objects themselves but instead are used to organize objects. The symbols next to the names indicate the type of object or node. Resting the mouse over an object in the tree displays the object’s path, which identifies the object in the namespace.

The right pane of WMI Object Browser shows the Object Viewer. You can select the Properties, Methods, or Associations tab for an object. Figure 13-35 displays the Associations tab. The Object Viewer displays the title of the current view above the tabs. For a single object, the title is the object path of the instance currently displayed. For a multiple-object table, the title describes the group of objects currently displayed.

FIGURE 13-35

FIGURE 13-35 WMI Object Browser Associations tab

WMI Object Browser enables you to do the following:

  • Display the object tree contained in a specified CIM repository.

  • Reroot the object tree.

  • Display properties, methods, and associations for a selected object.

  • Display instances of grouped objects.

  • Display property and object qualifiers.

  • Execute methods on a selected object.

  • Edit property values and object and property qualifiers.

You can view the object tree for any namespace in your system or on a network by entering the namespace path in the Objects In box or selecting it in the history list. You can also browse for a namespace or right-click the object whose namespace you want to display and click Go To Namespace. The root of the namespace can be changed temporarily in a session or permanently through the schema.

When you select a grouping node in the Object Explorer, the Object Viewer displays an instance table showing all objects in the namespace that belong to the selected group and the common properties of those objects. You can also display the details for any individual instance from the instance table by right-clicking the instance and clicking Go To Object. This displays the object’s Properties tab. From the Properties tab, you can double-click a property to display property qualifiers. When the Properties tab is selected, you can right-click anywhere in the Object Viewer grid and select Object Qualifiers. Selecting the Properties tab also enables you to edit the Value field of properties that are not read-only. To return to the instance table, reselect the grouping node.

From the Methods tab in the Object Viewer, you can right-click a method and select Execute Method. The Method Parameters window displays the parameters used when executing the selected method. The Parameters column shows the parameters defined for this method and their default values. You can configure parameters by editing the values in this table before you execute the method.

WMI Event Registration

The WMI Event Registration tool is designed primarily for developers. It provides a graphical interface for what you can also accomplish programmatically. You need to install Windows Management and create a repository of classes on the target computer before you can use the WMI Event Registration Tool. You can do this by compiling an MOF file in the system directory where the WMI Core is installed. To compile the MOF file, type the following at the command-line prompt:

mofcomp <filename>.mof

However, by default, the WMI Event Registration tool uses the Eviewer.mof file found in the WMI Tools directory. This file is compiled automatically when Windows Management first starts, so the WMI Event Viewer consumer is registered as a permanent event consumer by default and you can open the WMI Event Registration tool and investigate its features.

You start the WMI Event Registration Tool from the WMI Tools menu and need to allow blocked ActiveX content on the Information bar and specify a root, as with the other tools. From the drop-down menu near the top-left of the WMI Event Registration Tool, you can select Filters, Consumers, or Timers. Double-clicking an item in the left pane opens the View Class Properties dialog box, as shown in Figure 13-36. This lets you access the Properties, Methods, and Associations tabs.

FIGURE 13-36

FIGURE 13-36 The WMI Event Registration tool

The WMI Event Registration Tool enables you to create, display, and modify the event consumers, filters, and timers for a given namespace and any bindings between filters and consumers. You can use the tool to do the following:

  • View properties of the defined consumer, filter, and timer system classes and instances

  • Add or delete event consumer instances

  • Add or delete event filter instances

  • Add or delete event timer instances

  • Edit instance properties

  • Register consumers for events by binding consumer and filters

WMI Event Viewer

WMI Event Viewer is a permanent event consumer that lets you sort and view the details of events generated in WMI by Windows Management or by event providers. Event objects are forwarded to any consumers registered for these types of events. You can register WMI Event Viewer for any event filters and view incoming events that match the filters.

You can open WMI Event Viewer from the WMI Tools menu. However, as a permanent event consumer, it is started automatically by WMI whenever an event occurs that needs to be forwarded to it. To register WMI Event Viewer for different types of events, you use the WMI Event Registration Tool. This tool can be started either independently from the WMI Tools menu or from WMI Event Viewer tool by clicking the Register For Events control, as shown in Figure 13-37.

FIGURE 13-37

FIGURE 13-37 The Register For Events control in WMI Event Viewer

WMI Event Viewer enables you to carry out the following tasks:

  • View Windows Management–generated events and event information, such as the event’s date and time, class, point of origin, and description

  • View event instance properties

  • Start the WMI Event Registration Tool

  • Clear the display

The Eviewer.mof file, installed in the WMI Tools directory along with WMI Event Viewer, contains the classes and instances required to declare and register the WMI Event Viewer Consumer Provider with the WMI event subsystem. This MOF file is compiled automatically when the Windows Management Service is first started, so that the WMI Event Viewer consumer is registered as a permanent event consumer by default.

All permanent event consumers, including WMI Event Viewer, require specific distributed component object model (DCOM) permissions to start automatically on a remote computer for a registered event. To set the DCOM launch permissions for WMI Event Viewer so you can monitor events on a remote computer, carry out the following procedure:

  1. Run the Dcomcnfg.exe program from an elevated command prompt on the remote computer.

  2. On the Applications tab of the Distributed COM Configuration Properties dialog box, select WMI Event Viewer, as shown in Figure 13-38, and click Properties.

  3. On the Security tab of the WMI Event Viewer Properties dialog box, select Customize and click Edit.

  4. Click Add.

    FIGURE 13-38

    FIGURE 13-38 Selecting WMI Event Viewer in Component Services

  5. In the Add Users And Groups dialog box, type Everyone.

  6. Click Add. Ensure that all permissions check boxes are selected and then click OK. Note that WMI Event Viewer enables users and event consumers to access event information. It is not a configuration tool. Therefore, there are no security implications to setting these permissions.

Using the System Configuration Tool

You open System Configuration (MSConfig) by entering msconfig in the Start menu Search box, the Run box, or the command prompt. The principal purpose of this tool is to troubleshoot the Windows startup process. MSConfig modifies which programs run at startup, edits configuration files, and enables you to control Windows services and access Windows Performance and Troubleshooting tools.

You can use the System Configuration tool to configure Windows 7 to perform a diagnostic startup that loads a minimum set of drivers, programs, and services. Figure 13-39 shows the General tab of the System Configuration tool, on which you can specify Normal Setup or Diagnostic Setup. You can also customize a Selective Setup and control whether to load System Services and Startup Items. You can select the System Services and Startup Items to load and start on the Services and Startup tabs, respectively, in the System Configuration tool.

It is a good idea to look carefully at the list of programs on the Startup tab. Some software packages—for example, software that detects viruses and other malware—should run at startup and continue to run unless you have a reason to disable them. Other software packages, particularly third-party software, install themselves so that they run at startup whether they need to or not. The more unnecessary programs you have running, the slower your computer goes.

FIGURE 13-39

FIGURE 13-39 The General tab of System Configuration

Services are more difficult to manage than packages because of service dependencies. You might see that a service you have never heard of before runs at startup and decide to change its startup type, only to find that half a dozen essential services all depend on the one that is no longer running. The System Configuration tool lets you experiment with a computer on your test network before making changes to production computers.

The Boot tab of the System Configuration tool lets you specify the source of your boot files and, if desired, make that source the default. For example, in the Boot tab shown in Figure 13-40, the computer is dual-boot, with operating systems on both the C: and D: volumes. It can also boot into Windows 7 Ultimate from a virtual hard drive (VHD). On the Boot tab, you can specify the timeout, which is how long the boot system waits for instructions before booting from its default source.

You can specify Safe Boot and the type of Safe Boot to use (Minimal, Alternate Shell, Active Directory Repair, or Network). You can specify a No-Graphical User Interface (GUI) boot, or, if you are having problems with a video driver, specify a boot that uses the Base Video (lowest-resolution and color-depth) driver. You can require a Boot Log and Operating System (OS) Information. You can use reconfigured boot settings only once or make then permanent.

Clicking Advanced on the Boot tab lets you specify a Debug Port and Baud Rate for remote debugging and the Number Of Processors and Maximum Memory available to the boot process.

FIGURE 13-40

FIGURE 13-40 The Boot tab of System Configuration

On the Startup tab, you can disable automatic startup for an application by clearing the check box beside the item. You can disable automatic startup for all items by clicking Disable All. This does not prevent the software from running—it merely stops it from starting automatically when the computer boots. The Services tab works in much the same way, in that you can disable or enable automatic startup of a single service or of all services. You can also determine what third-party services are running by selecting the Hide All Microsoft Services check box.

The Tools tab performs a very useful function. Not only are all the available tools listed, but you can enable any tool from this tab. This is often easier than trying to remember or deduce the tool’s place in the Control Panel hierarchy, whether the tool is a Microsoft Management Console (MMC) snap-in, or what file you need to access from the command prompt to start the tool. The tab also lists the file and file path for the application that runs each tool.

Using the Services Console

The Services console, an MMC snap-in, lists the same services as does the Services tab of the System Configuration tool, but it provides more information about each service and more service management options. For example, the Services console tells you the service startup type (not just whether or not it is running) and the logon details.

You can access the Services console by entering services.msc in the Search box on the Start menu, in the Run box, or in a command-prompt window.

When you right-click a service in the Services console, you can start it, stop it, restart it, pause it, and resume it. You can access the Properties dialog box for the service and select the General, Log On, Recovery, and Dependencies tabs.

The General tab lets you specify the startup type. This can be Automatic, Automatic (Delayed Start) Manual, or Disabled. You should consider the following when specifying the startup type:

  • If a service is configured as Automatic, it starts at boot time. Some services also automatically stop when no longer required. However, if you find that you do not need a service, configure its start type as Manual or Disabled.

  • If a service is configured as Automatic (Delayed Start), it starts just after boot time. Configuring this setting can result in a faster boot, but if you need the service to be up and running when you boot, configure it as Automatic. If, on the other hand, you do not need a service, configure its start type as Manual or Disabled.

  • Manual mode allows Windows 7 to start a service when needed. In practice, some services do not start up when required in Manual mode. If you find that you need a service, configure it as Automatic.

  • If you configure a service as Disabled, it does not start even if needed. Unless you have a very good reason for disabling a service, configure its startup type as Manual instead.

The General tab, shown in Figure 13-41, also tells you whether a service is currently started, lets you start or stop it (as appropriate), and specifies the start parameters.

FIGURE 13-41

FIGURE 13-41 The General tab of the Service Properties dialog box

The Logon tab typically specifies that the service logs on with a Local System account. You can specify another account if you need to do so, typically a local Administrator account on the computer on which the service is running.

The Recovery tab specifies the actions that you take if a service fails. You can specify actions for the first failure, the second failure, and subsequent failures.

If you click Run A Program, you need to type the full path for the program that you want to run. Programs or scripts that you specify should not require user input. If you click Restart The Computer, you need to specify how long the computer waits before restarting. You can also create a message to send automatically to remote users before the computer restarts.

If you select Enable Actions For Stops With Errors, you can trigger the recovery actions when service stops with an error.

The Dependencies tab lists the services, system drivers, and load order groups that a service depends on. If a service is not running when you expect it to be, you might have disabled another service that it depends on.

Configuring Performance Options

The Performance Options tool is a Windows 7 Performance And Analysis tool that you can access by clicking Advanced Tools on the Performance Information And Tools dialog box and then clicking Adjust The Appearance And Performance Of Windows.

The Visual Effects tab of this tool is shown in Figure 13-42. You can let Windows decide what is best for your computer, adjust for best appearance, adjust for best performance, or select Custom and specify the appearance settings for your computer manually. If you select Custom, you can choose which visual effects to turn off, one by one. There are 18 visual effects that you can control, such as whether shadows are displayed under screen icons or under the mouse pointer.

FIGURE 13-42

FIGURE 13-42 The Visual Effects tab of the Performance Options tool

On the Advanced tab, you can adjust for the best performance of programs or background services. If your computer is running applications (as a typical workstation does), you would specify Adjust For Best Performance Of Programs. On a server that is functioning as a Web server (for example), you would specify Adjust For Best Performance Of Background Services.

On the same tab, you can adjust page file settings. A page file is an area of disk space that can be used as paged virtual memory when running memory-intensive operations (such as print spooling) or if the system RAM is not adequate to cope with the demands of applications that are running. You can allow Windows 7 to manage memory paging (the default), as shown in Figure 13-43, or you can manually specify virtual memory allocation. If RAM is a serious bottleneck on your computer or you are running some extremely memory-intensive applications, you might want to specify memory-paging settings manually. Otherwise, you should accept the defaults.

FIGURE 13-43

FIGURE 13-43 Virtual memory default settings

Data Execution Prevention (DEP) helps prevent damage to your computer from viruses and other security threats. Malware attacks your operating system by attempting to execute code from the sections of a computer’s memory reserved for Windows 7 and other authorized programs. DEP helps to protect your computer by monitoring programs and ensuring that they use computer memory safely. If DEP detects a program on your computer that attempts to use memory incorrectly, it closes the program and notifies you.

The Data Execution Prevention tab on the Performance Options tool lets you choose whether to turn on DEP for essential Windows programs and services only (the default) or to turn on DEP for all programs and services except those that you specify. For example, in a test environment where application developers are testing applications that could inadvertently cause security problems on the computer, you would choose to enforce DEP for all programs and services and possibly specify only those in which you have complete confidence as exceptions.

Configuring Hard Disk Write Caching

Write caching uses high-speed volatile RAM to collect write commands sent to data storage devices and cache them until the slower storage media (either physical disks or flash memory) can deal with them. You can manage write caching on the Policies tab of the device’s Properties dialog box that you access from Device Manager.

For USB flash memory devices (for example), you can specify the Quick Removal option, as shown in Figure 13-44. This option is typically the best choice for devices that you are likely to remove from the system frequently, such as USB flash drives, memory cards, or other externally attached storage devices.

FIGURE 13-44

FIGURE 13-44 The Quick Removal option for removable storage

When you select the Quick Removal option, Windows 7 manages commands sent to the device using write-through caching. In write-through caching, the device operates on write commands as if there were no cache. The cache may still provide a small performance benefit, but the emphasis is on treating the data as safely as possible. The main benefit is that you can remove the storage device from the system quickly without risking data loss. For example, if a flash drive were to be accidentally pulled out of its port, the data being written to it is much less likely to be lost if the Quick Removal option is specified.

You should select the Better Performance option for devices that you intend to remove from the system infrequently. If you choose this option and the device is disconnected from the system before all the data is written to it (for example, if you remove a USB flash drive), you could lose data.

If you select Enable Write Caching On This Device (the default) on a hard disk, this improves system performance but a power outage or system failure might result in data loss. By default, Windows 7 employs cache flushing and periodically instructs the storage device to transfer all data waiting in the cache to the storage media. If you select Turn Off Windows Write Cache Flushing On The Device, these periodic data transfer commands are inhibited. Not all hard disk devices support this feature. Figure 13-45 shows the Policies tab for a hard disk.

FIGURE 13-45

FIGURE 13-45 The Policies tab for a hard disk

If high data transfer performance is your main objective, you should select the Better Performance option for removable storage and select Enable Write Caching On The Device for hard disks. These are the defaults if the system hardware and storage device support these features. However, if your system or power source has known issues with sustaining power, you should not use these settings. In general, it is best to use the Safe Removal applet before you remove any external storage device from your system.

Troubleshooting Performance Problems with Event Viewer

As an IT professional, you sometimes are required to to view details of software and hardware problems affecting Windows performance to troubleshoot these problems. You can view event logs in Event Viewer, as described in Lesson 1 of this chapter, and filter by event type. The events you are looking for are mostly found in the Operational container under Diagnostic-Performance, which you access by expanding Microsoft and then Windows in the Event Viewer tree pane.

However, there is a more straightforward method of accessing this information. Click the Performance Information And Tools item of Control Panel. Click Advanced Tools in this dialog box, and then click View Performance Details In Event Log. This opens Event Viewer and displays the events in the Operational container, as shown in Figure 13-46. Examining a critical error shows that, for example, the Canberra computer had a problem during the boot process.

FIGURE 13-46

FIGURE 13-46 Viewing performance diagnostic events in the Operational container

Using Task Manager to Configure Processes

Lesson 1 described how you use Task Manager to close failed applications and manage services. You can also use the tool to configure the processes that implement services. If a process is particularly significant and should be allocated more resources, you can set a higher priority for that process. If a process is using too many resources, or if the speed at which a process works is unimportant, you can assign it a lower priority and hence free resources for other processes.

If your computer has more than one processor, you can configure the affinity of your processes to use a particular processor. By default, processes that install on a multiprocessor computer are set to use whatever processor is available. If an additional processor is added retrospectively to a computer, however, processes might require configuration so they can use that processor. For example, if Task Manager or Performance Monitor counters show that one processor on a dual-processor computer is heavily used and the other is not, you should change the affinity so resource-intensive processes use both processors. You also have the option of changing the affinity of some processes so that they use only the second processor.

To determine what process or processes are used by a service, right-click the service in the Services tab of Task Manager and click Go To Process. This selects the Processes tab and highlights the relevant process. To change the priority of a process, right-click the process and click Set Priority. As shown in Figure 13-47, you can choose one of six priority levels. Do not select Realtime, though—this could seriously affect the operation of other processes on your computer.

FIGURE 13-47

FIGURE 13-47 Setting process priority in Task Manager

To determine the affinity of a process and change it if necessary, right-click the process and click Set Affinity. You cannot change the affinity of certain system processes, and you cannot change affinity if the computer has only one processor. Otherwise, the Processor Affinity dialog box appears, as shown in Figure 13-48, and you can configure process affinity.

FIGURE 13-48

FIGURE 13-48 The Processor Affinity dialog box

Configuring Networking Performance

Networking performance on an enterprise network depends upon a large number of factors, such as the type of Ethernet or wireless connections used, the speed of switches and routers, the number of devices on a network, and so on. However, in a small network, users tend to define networking performance by the speed of connection to other computers on the network (if they are transferring files) and the performance of their Internet connections.

Configuring Internet Options can have a significant effect on networking performance and on computer performance in general. As an IT professional, you are aware that temporary Internet files can take up a considerable amount of disk space and should be deleted on a regular basis. You know that users with excessively large mailboxes can experience lengthy logon times, especially when they are downloading their profiles from a central server in the enterprise environment. These however, are matters that involve user training rather than configuration.

The Internet Options dialog box offers configuration options that can affect networking performance. You can access this dialog box from Network And Internet on Control Panel or from your browser. On the General tab, you can delete temporary Internet files and other downloaded information such as Web form information. However, in the context of networking performance settings, the most significant tab in the dialog box is the Advanced tab, shown in Figure 13-49.

FIGURE 13-49

FIGURE 13-49 The Internet Options Advanced tab

The Advanced tab enables you to configure Accessibility, Browsing, International, Multimedia, Printing, and Security settings. Some of these have little or no impact on performance, whereas others can affect performance considerably. Typically, for example, Accessibility features would not be considered a performance issue, but if large font or caret browsing is set for a user that does not need them, then the perceived performance for that user is reduced.

The Browsing settings can impinge on performance. For example, if you do not disable script debugging and display notifications about script errors, the user’s browsing experience slows down. These settings are useful if you are debugging a new Web site that runs scripts but are inappropriate for the standard user. Even the simplest setting, such as choosing to always underline links, can slow browsing on a slow or heavily used site.

If you are accessing sites that provide multimedia files for either streaming or downloading you can choose (for example) whether to play sounds and animations, automatically resize images, or use smart image dithering. In general effects that enhance the user’s multimedia experience often also slow down site access and browsing.

The more secure a site is, the slower it tends to be because of additional security checks. Typically, this is something you and your users need to accept. You should not reduce security merely to shorten access times. Nevertheless, it is probably not necessary to warn users whenever they browse from an HTTPS secure site to an insecure HTTP site.

Windows Performance Analysis Tools

The Windows Performance Toolkit (WPT) contains performance analysis tools that are new to the Windows SDK for Windows 7, Windows Server 2008, and Microsoft .NET Framework 3.5. WPT can be used by a range of IT Professionals including system administrators, network administrators, and application developers. The tools are designed for measuring and analyzing system and application performance on Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7.

Windows performance analysis tools analyze a wide range of performance problems including application start times, boot issues, deferred procedure calls (DPCs), interrupt service requests (ISRs), system responsiveness issues, application resource usage, and interrupt storms.

These tools ship with the Microsoft Windows SDK for Windows Server 2008 and .NET Framework 3.5, which you can download at (although it is probably easier to go to the Microsoft Download Center at and search for it). This SDK provides documentation, samples, header files, libraries, and tools to develop applications for Windows XP; Windows Server 2003; Windows Vista; Windows Server 2008; Windows Server 2008 R2; Windows 7; and .NET Framework versions 2.0, 3.0, and 3.5. You download and install the SDK in the practice later in this lesson.

The WPT is released as an MSI installer (one per architecture) and contains the Performance Analyzer tool suite, consisting of the following tools:

  • The Trace Capture, Processing, and Command-Line Analysis tool (Xperf.exe) This tool captures traces, processes them for use on a computer, and supports command-line (action-based) trace analysis.

  • The Visual Trace Analysis tool (Xperfview.exe) This tool presents trace content in the form of interactive graphs and summary tables.

  • The On/Off Transition Trace Capture tool (Xbootmgr.exe) This tool automates on/off state transitions and captures traces during these transitions.

The Trace Capture, Processing, and Command-Line Analysis Tool

Xperf.exe is a command-line tool that provides the following features:

  • Event Tracing for Windows (ETW) trace control

  • ETW trace merging and enhancements by including other events

  • Executable image and symbol identification

  • Trace dump capabilities

  • Support for post-processing

This tool manages the end-to-end operations that are needed to generate a trace file for analysis. You use Xperf.exe in the practice later in this lesson.

Xperf.exe enables events in the operating system by using groups and flags. These flags enable and disable events from providers in various parts of the operating system. For example, flags can direct the kernel, services, and applications to one or more trace files by using log sessions with custom configurations. You can then merge all traces into a single aggregate trace file that is referred to as a merged trace file.

When Xperf generates this file, it collects additional information from the operating system and adds it to the aggregate trace. You can process the merged trace file on any supported operating system without reference to the system that generated the trace. You can then use Performance Analyzer (Xperfview.exe) to analyze the merged file, you can post-process the merged file into a text file, or you can use actions to do other types of processing. Actions produce summarized outputs that are specific to an area of interest, such as boot, shutdown, suspend, and resume operations, or to a type of system event, such as sampled profile, context switches, DPCs and ISRs, disk I/O, registry accesses, file accesses, or system configuration.

The Visual Trace Analysis Tool

The Visual Trace Analysis tool, or Performance Analyzer, is used to view the information from a single trace file generated by Xperf.exe. You can use the following command to start Performance Analyzer:

xperf file.etl

Xperf.exe forwards the file name to Performance Analyzer, which then opens and displays the data in the file. You can also run Performance Analyzer directly by entering xperfview in the Search box on the Start menu, the Run command box, or the command prompt. A Performance Analyzer trace is displayed in the practice later in this lesson.

The On/Off Transition Trace Capture Tool

Xbootmgr.exe collects information during the on/off transition phases of Windows 7. You can capture data during any of the following phases:

  • Boot

  • Shutdown

  • Sleep and resume

  • Hibernate and resume

After issuing a trace command, the test computer resets within 5 seconds.

The On/Off Transition Trace Capture tool can automate a reboot cycle during which the computer running Windows 7 is shut down and rebooted multiple times. You can analyze the captured data by using the Xperf.exe and Xperfview.exe tools.

PRACTICE: Downloading and Using the Windows Performance Analysis Tools

In this practice, you download and install the Microsoft Windows SDK for Windows Server 2008 and .NET Framework 3.5, then install the WPT and use the Xperf.exe tool to generate a trace.

EXERCISE 1 Downloading and Installing the SDK

In this exercise, you download and install the SDK. The exercise gives a direct link to the SDK download file, but you might find it easier to browse to this link. Perform the following steps:

  1. Log on to the Canberra computer with the Kim_Akers account.

  2. Insert a blank recordable DVD-ROM into your optical drive. Close the Autoplay box.

  3. Open your browser and access

  4. Click Download.

  5. In the File Download box, click Open. The download takes some time.

  6. If prompted, click Allow to close the Internet Explorer Security dialog box.

  7. In the Windows Disc Image Burner, select Verify The Disc After Burning, and then click Burn.

  8. When you have burned and verified the DVD-ROM, it ejects automatically. Close the Windows Disc Image Burner. Insert the DVD-ROM into the optical drive.

  9. In the Autoplay box, click Run Setup.exe.

  10. If prompted, click Yes to clear the User Account Control (UAC) dialog box.

  11. The Windows SDK Setup Wizard opens. Click Next.

  12. Read the License terms, select I Agree, and then click Next.

  13. Click Next to accept the Folder defaults.

  14. Click Next to accept the Installation Options defaults.

  15. Click Next to start the Installation.

  16. Click Finish when installation completes. Read the SDK release notes.

EXERCISE 2 Installing the Windows Performance Toolkit

In this exercise, you install the 32-bit version of the Windows Performance Toolkit. If your computer is running a 64-bit operating system, choose Xperf_64.msi instead of Xperf_86.msi. You need to have installed the SDK in Exercise 1 before you attempt this exercise.

  1. If necessary, log on to the Canberra computer with the Kim_Akers account.

  2. Open My Computer and navigate to C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin.

  3. Double-click the Xperf_86.msi file. The Microsoft Windows Performance Toolkit Setup Wizard starts. Click Next.

  4. Accept the License Agreement. Click Next.

  5. Click Typical and then click Install.

  6. If prompted, click Yes to clear the UAC dialog box.

  7. Click Finish when setup completes.

EXERCISE 3 Using Xperf.exe to Generate Traces

In this exercise, you use the Trace Capture, Processing, and Command-Line Analysis Tool (Xperf.exe) to generate a kernel trace and a user trace. You combine the traces and process the results into a text file. You need to have completed Exercises 1 and 2 before you attempt this exercise.

  1. If necessary, log on to the Canberra computer with the Kim_Akers account.

  2. Open an elevated command prompt.

  3. Start the kernel trace. The kernel session does not need a specified name because its name is unique. The groups Base and Network are enabled on the kernel provider. The trace is collected in a file called Kernel.etl. To accomplish this, enter the following command:

    xperf -on Base+Network -f kernel.etl
  4. Start a user trace named UserTrace and enable the provider’s Microsoft-Windows-Firewall to it. This trace is collected in a file called User.etl. To accomplish this task, enter the following command:

    xperf -start UserTrace -on Microsoft-Windows-Firewall -f user.etl
  5. Stop the UserTrace session so the user-mode provider no longer produces events to this session. To accomplish this, enter the following command:

    xperf -stop UserTrace
  6. Stop the kernel session. To accomplish this, enter the following command:

    xperf -stop
  7. Merge the user and kernel traces into a single trace called Single.etl. To accomplish this, enter the following command:

    xperf -merge user.etl kernel.etl single.etl
  8. Process the binary trace file Single.etl into a text file called C:\Mytrace.txt. To accomplish this, enter the following command:

    xperf -i single.etl -o c:\mytrace.txt -a dumper

Figure 13-50 shows the Xperf commands used in this procedure. Note that there was a problem loading a DLL associated with the On/Off Transition Trace Capture Tool, but this tool was not used so the procedure completed satisfactorily. Figure 13-51 shows a portion of the text file that was created. Figure 13-52 shows the combined trace (Single.eti) displayed in the Performance Analyzer.

FIGURE 13-50

FIGURE 13-50 Xperf commands used to capture and merge traces

FIGURE 13-51

FIGURE 13-51 Trace information captured in a text file

Lesson Summary

  • You can write WMI scripts to customize the system information you retrieve from a computer and generate your own performance-measuring tools.

  • The System Configuration Tool modifies which programs run at startup, edits configuration files, and enables you to control Windows services and access Windows Performance and Troubleshooting tools. The Services console lets you manage and configure services and gives you more options than either the Services tab of Task Manager or the Services tab of the System Configuration tool.

    FIGURE 13-52

    FIGURE 13-52 Captured trace displayed in Performance Analyzer

  • The Performance Options tool lets you configure visual effects and specify whether the system is adjusted for best performance of applications or background services. It lets you configure page file (virtual memory) settings and DEP.

  • The Windows Performance Analysis tools, downloaded as part of the Windows Server 2008 SDK, analyze a wide range of performance problems including application start times, boot issues, DPCs, ISRs, system responsiveness issues, application resource usage, and interrupt storms.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring Performance Settings.” The questions are also available on the companion DVD if you prefer to review them in electronic form.

  1. What WMI tool do you use to view Windows Management–generated events and event information, such as the event’s date and time, class, point of origin, and description?

    1. WMI CIM Studio

    2. WMI Object Browser

    3. WMI Event Registration Tool

    4. WMI Event Viewer

  2. Which Windows Performance Analysis tool captures user and kernel traces and can merge them to form a combined trace?

    1. Performance Analyzer

    2. On/Off Transition Trace Capture

    3. Trace Capture, Processing, and Command-Line Analysis

    4. Visual Trace Analysis

  3. Which tool provided by Windows 7 helps you determine which applications are responsible for activity on your hard disk, including which files and folders are being accessed?

    1. Process Explorer

    2. Resource Monitor

    3. Task Manager

    4. Windows Experience Index

  4. A number of processor-intensive applications have been performing slowly on your computer. As a result, you add a second processor. This does not solve your problem, however, and you examine processor usage with Task Manager and Performance Monitor. You deduce that several key processes are using only the original processor. How do you ensure that these processes use whatever processor is available?

    1. Configure Process Affinity on the Processes tab of Task Manager.

    2. Configure Process Priority on the Processes tab of Task Manager.

    3. Select Adjust For Best Performance Of Programs on the Advanced tab of the Performance Options tool.

    4. Reconfigure Virtual Memory settings on the Advanced tab of the Performance Options tool.

  5. Your computer is configured to dual-boot between Windows Vista Professional and Windows 7 Enterprise. Currently, it boots into Windows Vista by default. You want to specify Windows 7 as the startup default operating system and configure how Windows 7 reacts in the event of a system failure. You boot the computer into Windows 7. What tool do you use to accomplish your goal?

    1. The Services console

    2. Performance Options

    3. Task Manager

    4. System Configuration