Windows NT Performance Monitoring
Anil Desai
E-Mail: akdesai@austin.rr.com
Web Site: home.austin.rr.com/akdesai
8108 Osborne Dr.
Austin, TX 78729
Phone: (512) 250-2983
Fax: (707) 313-2724
Table of Contents:
Introduction
Performance Monitoring Methodology
The Windows NT Performance Monitor
The Chart View
The Alert View
The Log View
The Report View
The Windows NT Task Manager
Task Manager Settings
The Applications Tab
The Processes Tab
The Performance Tab
The Windows NT Network Monitor
Network Monitor Example: Isolating ping Problems
The Windows 95/98 System Monitor
The Bottom Line
For More Information
Note: This paper has been adapted from material contained in "Windows NT Network Management: Total Cost of Ownership", also written by Anil Desai (New Riders Publishing, 1999).
An old adage says, "if you can’t measure it, you can’t manage it." Even if you can measure something, how can you tell if your changes are making a difference if you don't have baseline information? It’s important to monitor a server or workstation’s performance to maximize your investment in these tools. If a user complains that her computer is too slow, you often need more information to fix the problem. For example, if the problem is loading Web pages on a computer using an analog modem, it's likely that the modem is limiting performance. However, if the computer is an older model, certain operations may wait for the CPU to finish processing. In this case, a complete system upgrade may be the best solution.
The usefulness of monitoring performance goes far beyond handling user expectations. Network and systems administrators can use information obtained by analyzing the operations of existing hardware, software, and networking devices to predict upgrades, justify the cost of replacing and upgrading devices, and assist in troubleshooting. This leads to an ultimate reduction in the total cost of ownership and is a vital part of managing any IT environment.
Performance monitoring helps answer important questions about your current environment. For example, you may want to know what specifically uses the most resources in your environment. If you determine that it is loading Web pages, then upgrading the RAM or the CPU speed of client machines may not help much. Here the performance bottleneck is likely the remote access device. With modern desktop computers and analog modems, the latter is often the point of slowest data throughput. The details of performance monitoring - which tools to use and what information to track - are largely based on the specifics of your environment. For example, suppose the user complaining of a slow computer were connected to a network with Internet access. The administrator might want to check basic network utilization statistics; for example, perhaps the new marketing database application is causing a lot of collisions on this subnet, thereby reducing overall performance. However, if this machine were a home computer using a modem to dial up an Internet service provider, the best place to check would be the modem itself. In this paper, we’ll look at some good ways to monitor performance levels. Windows NT includes tools that are designed to profile hardware, software, and network metrics.
In order to monitor performance, it is important to first have a baseline of information. This baseline should be compiled over time and should be used for measuring any significant changes to your system. A nagging question that may have occurred to you is "By measuring performance, am I not actually decreasing it?" The definitive answer is "sometimes." In some cases, performance monitoring may present a significant drain on resources. For example, the Windows NT Performance Monitor application itself uses CPU time, memory, and display resources. On modern systems, however, this drain is negligible. In this paper, I’ll note where significant performance reductions may occur. Whether you are running the Performance Monitor application or not, Windows NT itself automatically keeps track of performance data for tuning itself. Therefore, it does not matter if you measure 100 different parameters or only 1. The impact of running the Performance Monitor will also remain constant for most types of monitoring, so you need not worry about it as long as you’re using the same tool to measure performance each time.[1]
When you're monitoring performance, it is always a good idea to make only one change at a time. This way, you’ll be able to measure the effects of modifying a single parameter. Also, if performance decreases or other problems come up, you’ll know what to change in order to return to the original configuration. Documenting performance values is just as important as making changes.
Windows NT includes several tools that can aid in the evaluation of performance. This paper covers three of them:
· Performance Monitor
· Task Manager
· Network Monitor
The Windows NT Performance Monitor is installed by default with all Windows NT installations. You open the Performance Monitor by clicking Start | Programs | Administrative Tools | Performance Monitor. When you start the program, you’ll be presented with the default blank Chart view, which is one of the four views Performance Monitor offers.
We’ll discuss these four modes and their typical uses later on in this paper. For now, you can switch between them by clicking on the View menu and then choosing one view at a time. The settings for each view are independent of the values examined in other views, so you can specify different counters for each at any time.
The Performance Monitor includes many counters and objects with which you can monitor certain aspects of system performance. Objects are general aspects of the system that can be monitored (e.g., memory, processor). Counters are the actual details you wish to track for the selected object (e.g., bytes committed, processor utilization). To add a counter to the default view, click on the Add button and view the various options. In the Add dialog box, you can click on the Explain button to see more information about each of the available options (see Figure 9.1). Table 9.1 lists some of the most useful measurements. Some counters include instances if multiple items are available. For example, on a dual-processor server, you can choose to monitor data for one or both processors. Note that the guidelines in the Usefulness column should be taken as generalizations for sustained levels. For example, it is common for pages/sec to go above the recommended value for short periods of time.
Figure 9.1: Adding a counter and an object to the Performance Monitor.
Table 9.1: Common Windows NT Performance Counters
Object | Counter | Meaning | Usefulness
Memory | Pages/sec | The # of times/second that the memory subsystem had to get information from the hard disk | If sustained greater than 5, you may want to consider a RAM upgrade
Logical Disk | % Free Space | Percentage of free space per volume or per all volumes | A value of less than
Physical Disk | Avg. Disk Queue Length | The number of tasks that had to wait for disk-based data | If high, disk performance may not be sufficient
Server | Bytes Total/sec | The amount of data transferred by this server | High values indicate many and/or large file transfers to and from the server
Server | Server Sessions | Number of active processes on this server | Indicates current activity; use to compare loads on different machines
Network Segment | % Network Utilization | What percentage of the total network bandwidth is in use | If sustained greater than 40%, this may be decreasing performance
Redirector | Reads/Writes denied/sec | Rejected requests for data transfer | Large file transfers may be occurring to/from this server
The objects and counters that are available are based on the services and applications installed on the local machine. For example, if you have the Remote Access Service (RAS) installed, you will see the RAS Port and RAS Total counters. These counters help you determine the current situation of your remote access users.[2]
Microsoft ships Windows NT with basic performance counters enabled. For most systems administrators, these defaults are all that is needed. If you require more specific information, however, you can also enable other counters and objects. For example, to measure disk performance, you need to specifically turn on disk performance logging. To do this, you must go to a command prompt and type diskperf -ye (the y flag activates disk performance monitoring, and the e flag specifies performance monitoring for stripe set volumes). This change will take effect the next time you reboot the system. Why isn’t this option enabled by default? Well, keeping track of disk performance information creates a slight decrease in performance (Microsoft estimates less than 5% in most cases). Whether or not this slowdown is worth the additional information depends on your environment and the use of the server. In order to monitor various network performance values, you’ll also need to add the SNMP service and the Network Monitor Agent in the Network Control Panel applet.[3]
Figure 9.2 shows a performance monitor chart while performing a large file copy over the network. This example includes the counters and objects in Table 9.2. Note that certain instances are system specific. For example, the instance for % Network Utilization is a 3Com Etherlink III Network Interface Card. Though the type of information captured will be the same, the specific name of instances will be based on the network adapter or adapters present in your system. Similarly, if you are monitoring a multiprocessor system, instances will be available for viewing statistics on one or all of the processors.[4]
Figure 9.2: Performance Monitor values during a large file copy over the network.
Table 9.2. Performance Monitor values measured during a large file copy.
Object | Counter | Instance
Processor | % Processor Time | 0
LogicalDisk | Free Megabytes | Total
Memory | Pages/sec | N/A
Server | Bytes Total/sec | N/A
Network Segment | % Network Utilization | El3c5741
The Chart view is only one way of viewing the information you are interested in monitoring. Performance Monitor offers four different views from which you can choose depending on the type of data you wish to collect and how you wish to analyze and display this information:
· Chart - Graphs real-time system parameters over time.
· Alert - Provides notification when certain criteria are met or exceeded.
· Log - Records performance information for detecting trends over time.
· Report - Displays real-time data in column format.
The Chart view shows performance information in a graphical format. Figure 9.3 shows a typical chart generated by Windows NT's Performance Monitor. The x-axis of the graph (horizontal) represents time. The y-axis (vertical) represents the measured performance values. To add information to a chart, click on Edit | Add to Chart. You can then choose an object, a counter, and an instance to monitor. Additionally, you can select color, scale, width, and style for the chart item. The scale is a multiplier that can alter the range of values displayed on the y-axis of the graph. For most scenarios, the default values will be appropriate, but you can change the multiplier based on what you are monitoring. For example, the default for the interrupts/sec counter (part of the processor object) uses a multiplier of 0.01, giving the y-axis a range of 0-10,000. If you rarely have a high number of interrupts/second, you can change the multiplier to 0.1 to more accurately view the information collected. Finally, you can configure more options by clicking on Options | Chart. From here, you can modify display settings and set the update interval (which is set to 1.000 seconds by default). Note that decreasing the interval will increase the load on your system and can decrease overall performance.
Figure 9.3: An example of Chart view in the Performance Monitor.
The Performance Monitor can be set up in Alert view to warn a user or systems administrator whenever a specific threshold is exceeded. This may be in the form of a maximum or minimum value for a counter or may be based on a percentage. In the case shown in Figure 9.4, Performance Monitor is configured to warn the systems administrator when disk space falls below 10% free (a very common occurrence on my laptop!). Here's how you do this:
1. Click on the View | Alert option.
2. Click on Add to set up a new alert.
3. Choose the % Free Space counter of the LogicalDisk object and specify the total instance.
4. To set a threshold value, select Under and 10 as values in the Alert If section. (If you have more than 10% disk space available on your system, choose a higher percentage, such as 75%).
5. Because we haven’t created a specific batch file in this example, we’ll leave the Run Program on Alert section blank. We could have created a batch file that clears out typical temporary files, however. Click on Done to add this alert.
Figure 9.4: Performance Monitor is configured to warn the administrator whenever disk space is low.
With these settings in place, if the combined free space on all your drives is less than 10% of your total disk space, you’ll see alerts start to appear in the Performance Monitor window (see Figure 9.4). By default, an Alert generates an entry in the Performance Monitor Alert view only. You can configure other Alert methods by clicking on Options | Alert. In this dialog box, you can choose to send a network message (making a dialog box appear on the user’s screen) and/or add Alert information to the Windows NT Event Log (to view events using the Event Viewer).
You can choose to save performance-logging information to a disk file for later analysis or for keeping historical records. You can then use Performance Monitor or a third-party reporting program to report on this information. You use the following steps to save logging information with Performance Monitor:
1. Open Performance Monitor and select View | Log.
2. Click on the Add button and choose the following items: Processor, Physical Disk, and Server. Click Done to accept these choices.
3. Now, to activate the logging, we need to click on Options | Log to specify a file to which to save information. For the filename, choose any valid name (for example, PerfMon.log). Verify that the update interval is set to a reasonable time. Finally, click on the Start Log button.
4. The screen shows that logging has been started and shows the current size of the log file (in bytes). While data is being collected, you can choose to add a comment into the log by clicking the Place a Commented Bookmark into the Output Log button. This may be useful if you’re performing specific operations on your system.
5. To stop the recording, click Options | Log | Stop Log.
Now that you’ve saved the information you’re interested in, you can use the Report and Chart views to see the results. From either view, choose Options | Data From and specify the log file from which you want to obtain data. Then, just add counters and objects as you would if this were "live" information. Alternatively, you can prepare the data you are viewing to be examined outside the Performance Monitor by clicking on the File | Export option and choosing either TSV (tab-separated values) or the CSV (comma-separated values) as the file type. These text file formats allow the data to be easily imported into reporting programs, such as Microsoft Excel.[5]
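Once a log has been exported, the "sustained" guidelines from this paper (Pages/sec above 5, % Network Utilization above 40%, % Free Space under 10%) can be checked mechanically instead of by eye. The following Python sketch is an added example, not part of the original paper; the CSV layout, the column names and the three-sample definition of "sustained" are assumptions, and a real Performance Monitor export will need its own loading step.

```python
import csv
import io

# Constructed sample, NOT a real Performance Monitor export: one timestamp
# column plus one column per counter (assumed layout and column names).
SAMPLE_CSV = """\
Time,Memory Pages/sec,Network Segment % Network Utilization,LogicalDisk % Free Space
10:00:00,2.0,12.0,14.0
10:00:05,9.5,15.0,14.0
10:00:10,3.0,45.0,13.5
10:00:15,2.5,52.0,12.0
10:00:20,7.0,61.0,11.0
10:00:25,8.0,58.0,9.5
10:00:30,11.0,30.0,9.0
10:00:35,6.5,20.0,8.5
10:00:40,2.0,18.0,8.5
10:00:45,1.5,44.0,8.0
"""

# (direction, limit) pairs taken from the guidelines quoted in this paper.
GUIDELINES = {
    "Memory Pages/sec": ("over", 5.0),
    "Network Segment % Network Utilization": ("over", 40.0),
    "LogicalDisk % Free Space": ("under", 10.0),
}


def load_samples(text):
    """Return (timestamps, {counter name: [float samples]}) from the CSV text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    times = [row["Time"] for row in rows]
    names = [name for name in rows[0] if name != "Time"]
    series = {name: [float(row[name]) for row in rows] for name in names}
    return times, series


def sustained_breaches(times, values, direction, limit, min_samples):
    """Find runs of at least min_samples consecutive samples beyond the limit.

    Short spikes (runs shorter than min_samples) are ignored, matching the
    paper's remark that brief excursions above a guideline are normal.
    Returns a list of (first_time, last_time, run_length) tuples.
    """
    breaches = []
    run_start = None
    for i, value in enumerate(values + [None]):  # sentinel closes a trailing run
        if value is None:
            beyond = False
        elif direction == "over":
            beyond = value > limit
        else:
            beyond = value < limit
        if beyond and run_start is None:
            run_start = i
        elif not beyond and run_start is not None:
            length = i - run_start
            if length >= min_samples:
                breaches.append((times[run_start], times[i - 1], length))
            run_start = None
    return breaches


def analyze(text, min_samples=3):
    """Apply every guideline to the counters present in the exported data."""
    times, series = load_samples(text)
    report = {}
    for name, (direction, limit) in GUIDELINES.items():
        if name in series:
            report[name] = sustained_breaches(
                times, series[name], direction, limit, min_samples)
    return report


if __name__ == "__main__":
    for counter, runs in analyze(SAMPLE_CSV).items():
        print(counter, runs)
```

Running the same check against a baseline log and against a log taken after a single configuration change shows whether the change moved a counter into or out of a sustained breach.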
So far, we’ve seen that Performance Monitor's Chart view displays data in a visual format that is great for viewing trends over time. If you only want to see data values at specific intervals, the Report View is for you. Here's how you use it:
1. Click on View | Report.
2. Modify the sampling rate by clicking on the Options | Report command.
3. Click on Add and add counters as you did in the Chart view.
Figure 9.5 provides an example of the information provided by the Report view.
Figure 9.5: Performance Monitor's Report view can be used to see exact values of the most recent measurements.
If you want a quick snapshot of your system’s current performance, you can use the Windows NT Task Manager. You access the Task Manager by pressing Ctrl+Shift+Esc. Alternatively, you can right-click on the taskbar and choose Task Manager or press Ctrl+Alt+Delete and click on Task Manager[6]. There are three tabs on the Task Manager interface:
· Applications - Displays programs running on your system.
· Processes - Displays current tasks executing on your system.
· Performance - Displays a snapshot of vital CPU and memory statistics.
The Windows NT Task Manager can be configured to your own preferences. Some useful settings are in the Options menu:
· Hide When Minimized - When checked, this option makes the Task Manager a tray icon when you minimize it.
· Always on Top - When checked, the Task Manager overlaps any other windows that are open. This is useful when you want to measure performance while doing certain tasks in the background.
I often prefer to disable Always on Top and enable Hide When Minimized. Experiment with this utility - it will easily become your best friend when you’re trying to figure out just what NT is up to!
On the View menu, you can choose to change the update frequency of the Task Manager. Of course, the more frequently you update the display, the greater the performance load you will be exerting on your system (notice that the taskmgr.exe task uses CPU Time, as well). Now that we’ve looked at some of the settings that can be made for the Task Manager, let’s look at the different tabs available within the application.
The Applications tab shows which programs are currently running on the system. These programs are referred to as applications or tasks. This list will only include programs that run as tasks and excludes items such as Services and other background tasks. Figure 9.6 shows several tasks running on the machine. Each name is a specific instance of a program. From this screen, you can choose to end a specific task (shut down the program) or Switch to the highlighted task. You can also click on the New Task button, which simply allows you to run an executable program.
A menu on this tab allows you to tile all applications horizontally or vertically. This is a useful way of seeing what all of your applications are up to at any given time. If the Status column shows [Not Responding], it’s likely that the program is either waiting for you to input some information or that it has crashed.
Figure 9.6: The Applications tab in the Task Manager.
The Processes tab, shown in Figure 9.7, displays the active processes running on your system as of right now. Are you surprised to see so many there? Even on a Windows NT System that is not running any programs that you can see, there are many background operations that keep the operating system cranking. This includes threads that execute as part of an application, system services and other background tasks. One item you’ll recognize is the taskmgr.exe itself. In Figure 9.7 you'll see the following column headings:
Figure 9.7: The Processes tab in the Task Manager.
· Image Name - This is the name of the task that is running. In some cases, the task will have a friendly name (such as System, or System Idle Process). Others have *.exe filenames that tell you what application is running.
· PID - This is the process ID. Windows NT assigns a unique process ID to all tasks that run on the system. Note that these numbers may change when you run the same program several times.
· CPU - This is the percentage of the current CPU time allocated to the specific process. If the operating system is not running a specific task, it will be running the System Idle Process.
· CPU Time - Here you’ll find the amount of CPU time that has been used by this process. Windows NT automatically gives each process a certain amount of time to run its operations and then checks the next program in line. The format is in HH:MM:SS (Hours:Minutes:Seconds). This is a great way to find out which applications are slowing down your system the most.
· Mem Usage - This column shows how much memory is currently in use by the process. It is important to note that all this memory may not be RAM alone - some of it may be paged to disk as virtual memory. When the application needs it, these pages of memory can be loaded into RAM for quicker execution.
You can click on a column heading to sort by that value. For example, to sort programs by their usage of memory, click on the Mem Usage column heading. If you’d like to reverse the sort order, click on that heading again. You can also choose many additional parameters to view in this display by clicking on View | Select Columns. The Select Columns dialog box will appear; in it you can add and remove option statistics from the display. Figure 9.8 shows the available options.
Figure 9.8: Selecting columns to view in the Processes tab of the Task Manager.
The following example shows how to check how much memory is used by the system when running Internet Explorer 4.0 (you may be surprised by the results):
1. Make sure all programs are closed except for the Task Manager.
2. Go to the Processes tab and click on the Mem Usage column to sort by this value. Make a mental note of the amount of total memory committed.
3. Launch the Internet Explorer application and wait until it is open.
4. Switch to the Performance tab and notice how much more memory is used when the Internet Explorer program is active. Also, click on the Processes tab and then click on the Mem Usage column to sort by this value to show exactly how much memory is currently in use.
You may not have realized it, but in performing this task, you have carried out the first two steps of performance monitoring: establishing a baseline (the amount of free memory before opening Internet Explorer) and making a single system change (opening Internet Explorer).
The Performance tab of the Task Manager provides a readily available view of the current status of your system. It displays a quick snapshot of your CPU usage and memory statistics. Important information in the Performance tab includes the following values:
Figure 9.9: The Performance tab of the Task Manager interface.
· Totals - The number of individual tasks running on the system.
· Physical Memory - The amount of RAM present in the system and its allocation.
· Commit Charge - The portion of memory currently being used by the system.
· Kernel Memory - The amount of memory being used by the operating system.
Each of these counters can provide valuable information when you're determining the exact load on your system. If things are running slowly, be sure to check them out.
Windows NT Server includes a tool called the Network Monitor. This useful application serves as a basic packet-level analyzer (sometimes referred to as a sniffer). Networking professionals often use dedicated devices to find information contained in packets travelling over the network. The Network Monitor works in a similar way - it captures and examines all packets that are transferred over the network segment and saves them to a buffer. To install the Network Monitor, simply add the Network Monitoring Tools and Agent option in the Services tab. You then need to reboot the computer.[7]
Note: The version of the Network Monitor that is included with Windows NT Server 4.0 is limited in that it can only monitor packets transmitted to and from the local machine. A full version of Network Monitor is included with Microsoft’s Systems Management Server (SMS), which is also part of the BackOffice collection.
Network Monitor information can be especially useful for troubleshooting specific LAN connectivity problems. For example, suppose network clients have trouble receiving Dynamic Host Configuration Protocol (DHCP) information. The Network Monitor can be used to determine whether or not the client is sending out the appropriate broadcast request and whether or not the server is sending out a valid response. Figure 9.10 shows the main interface of the Network Monitor.
Figure 9.10: A typical Network Monitor capture.
It is important to note that collecting this type of data can affect the server’s performance. One way to limit this is by restricting the buffer size that is used. To do this, click on Capture | Buffer Settings and specify the size of the buffer in megabytes. For most applications, a 2MB - 3MB buffer will be sufficient. If the server is unable to keep up with the flow of data packets, packets may be dropped. To increase performance, the "dedicated capture" mode can be used. With this setting, display statistics are not updated while packets are being detected, thereby reducing the load on the machine.
By using the filters available in the program, the potentially huge collection of data can be made manageable.
Suppose a network administrator suspects that a user is running an application that is generating excessive ping traffic. However, he is unsure from where this data is originating.
The ping utility transmits and receives all data using ICMP (Internet Control Message Protocol) packets. The administrator begins a network capture and waits until the buffer (configured to be 2.0MB) is entirely full. He then enables a filter that restricts the captured frames to only ICMP data (the ping command sends ICMP packets only). The exact process is as follows:
1. Click on Capture | Buffer Settings and set the buffer size to 2.0MB.
2. Click on Capture | Start.
3. Wait until the buffer is full and then click on Capture | Stop and View.
4. Click on the Edit Display Filter button. Highlight the item that shows Protocol == Any and click on Expression in the edit frame.
5. In the Protocols tab, click on Disable All. Then, highlight ICMP and click on the Enable button. Click OK to accept these settings.
6. Click OK again to accept the new filter settings. The list of information should be restricted to only ICMP requests.
Figure 9.11 shows a filtered capture showing only ICMP data. By examining these packets, the administrator knows that the ping commands are originating from IP address 10.1.1.1.
Figure 9.11: In this display, the captured data output is restricted to ICMP filters.
With Network Monitor, you can also save the information that you captured in a file on your hard drive. This information can then be recalled later for analysis, if required.
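The ping isolation example above comes down to two operations: keep only ICMP packets, then see which source address sends the echo requests. The following Python sketch is an added example, not part of the original paper and not Network Monitor's own file format; it assumes each captured packet is available as raw bytes starting at the IPv4 header, and every address other than 10.1.1.1 is constructed.

```python
import socket
import struct
from collections import Counter

ICMP_PROTOCOL = 1   # IPv4 protocol number for ICMP
ECHO_REQUEST = 8    # ICMP type sent by ping
ECHO_REPLY = 0      # ICMP type returned by the pinged host


def build_packet(src, dst, protocol, payload, options=b""):
    """Build a minimal IPv4 packet for the constructed sample below.

    Checksums are left at 0 because the parser does not verify them.
    options must be a multiple of 4 bytes long.
    """
    ihl_words = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl_words, 0, 20 + len(options) + len(payload),
        0, 0, 64, protocol, 0,
        socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def icmp_message(icmp_type, sequence):
    """ICMP header (type, code, checksum, identifier, sequence) plus filler data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, sequence) + b"abcdefgh"


def parse_ipv4(packet):
    """Return (protocol, src, dst, payload), or None for anything malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    header_len = (packet[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    if header_len < 20 or len(packet) < header_len:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return packet[9], src, dst, packet[header_len:]


def echo_requests_by_source(packets):
    """Apply the 'ICMP only' filter and count echo requests per source address."""
    counts = Counter()
    for packet in packets:
        parsed = parse_ipv4(packet)
        if parsed is None:
            continue                      # truncated or non-IPv4 data
        protocol, src, _dst, payload = parsed
        if protocol != ICMP_PROTOCOL or not payload:
            continue                      # filtered out, as in the display filter
        if payload[0] == ECHO_REQUEST:
            counts[src] += 1
    return counts.most_common()


# Constructed capture: five pings from 10.1.1.1 with their replies, one ping
# from another host whose IP header carries options, one TCP packet, and one
# truncated packet.
SAMPLE_CAPTURE = []
for seq in range(5):
    SAMPLE_CAPTURE.append(
        build_packet("10.1.1.1", "10.1.1.20", ICMP_PROTOCOL,
                     icmp_message(ECHO_REQUEST, seq)))
    SAMPLE_CAPTURE.append(
        build_packet("10.1.1.20", "10.1.1.1", ICMP_PROTOCOL,
                     icmp_message(ECHO_REPLY, seq)))
SAMPLE_CAPTURE.append(
    build_packet("10.1.1.7", "10.1.1.20", ICMP_PROTOCOL,
                 icmp_message(ECHO_REQUEST, 0), options=b"\x01\x01\x01\x00"))
SAMPLE_CAPTURE.append(build_packet("10.1.1.9", "10.1.1.20", 6, b"\x00" * 20))
SAMPLE_CAPTURE.append(b"\x45\x00")

if __name__ == "__main__":
    for source, count in echo_requests_by_source(SAMPLE_CAPTURE):
        print(source, count)
```

Counting only echo requests keeps the replies from the pinged host out of the tally, so the top entry is the machine originating the traffic.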
You don’t have to be running Windows NT to do performance monitoring. Windows 95 and Windows 98 were designed to be consumer/end user operating systems, but they can still provide valuable performance information. Although the tools are somewhat different (and much more limited), the Windows 95/98 System Monitor can be used to find basic information on the status of your system. To run the System Monitor, click on Start | Programs | Accessories | System Tools | System Monitor. If the program is not installed, you can add it using the Add/Remove Control Panel item. The interface for these tools is as user-friendly as their Windows NT counterparts and there’s a help file to assist in determining the usefulness of information. Table 9.3 lists some useful items to monitor.
Table 9.3. Useful Windows 95/98 System Monitor items
Counter | Item | Purpose
Kernel | Processor Usage | Indicates CPU workload
Memory Manager | Allocated Memory | Indicates memory in use
Memory Manager | Swap-File Size | Indicates data paged to disk
Dial-Up Adapter | Bytes Received/Sec | Indicates modem speed
Dial-Up Adapter | CRC Errors | Detects corrupted data packets, possibly indicative of phone line noise
File System | Bytes Read/Sec, Bytes Written/Sec | Indicates the number of bytes read/written per second
Figure 9.12 shows the Windows 98 System Monitor displaying basic statistics. This information can come in useful, for example, in finding out if your system is overloaded or if a dial-up adapter is performing poorly due to line noise or a low connection speed. [8]
Figure 9.12: The Windows 98 System Monitor.
Monitoring the performance of a system is a great way to see how the assets you have are performing. It’s not uncommon for something as simple as an inexpensive RAM upgrade to greatly increase the life cycle of a potentially expensive and time-consuming server replacement. When handled properly, performance information is crucial to your daily network operations. Lowering total cost of ownership by better tracking the performance of items you routinely rely on will help in planning for the future and maximizing the usage of your current systems.
The author of this paper welcomes your comments and questions at akdesai@austin.rr.com, or via his web site: home.austin.rr.com/akdesai. In addition to the numerous resources mentioned within the text of this paper, see the following for more Performance Monitoring information:
· Desai, Anil. "Windows NT Administration: Reducing TCO Through Best Practices" (MacMillan Technical Publishing, 1999).
· "Network Traffic Analysis and Optimization (Windows NT 3.5x and 4.0 and Windows 95)," Microsoft TechNet
· "Optimizing Windows NT for Performance," Q146005, Microsoft Knowledge Base
· "Performance Analysis and Optimization of MS Windows NT Server," Microsoft TechNet
· "INF: Optimizing Microsoft SQL Server Performance," Q110352, Microsoft Knowledge Base
· Chapter 8, "Monitoring Performance," Concepts and Planning Manual, Windows NT Server Manuals
[1] Chapter 9, "The Art of Performance Monitoring," Microsoft Windows NT Workstation 4.0 Resource Kit
[2] "Extensible Counters in Performance Monitor," Q179456, Microsoft Knowledge Base
[3] "How to Monitor Disk Performance with Performance Monitor," Q102020, Microsoft Knowledge Base
[4] "Troubleshooting Performance Monitor Counter Problems," Q152513, Microsoft Knowledge Base
[5] "How to Create a Performance Monitor Log for NT Troubleshooting," Q150934, Microsoft Knowledge Base
[6] Chapter 11, "Performance Monitoring Tools," Microsoft Windows NT Workstation 4.0 Resource Kit
[7] Chapter 10, "Monitoring Your Network," Concepts and Planning Manual, Windows NT Server Manuals
[8] Chapter 26, "Performance Tuning," Windows 98 Resource Kit