Sometimes you get the feeling that your computer is not performing at full capacity. The indication might be anything from a momentary lag between typing and having characters appear on the screen, to applications taking far too long to open when you start them. Sometimes these slowdowns are caused by momentary network outages, the automatic installation of Windows Update downloads, or the Windows Indexing Service deciding that the middle of your workday is a good time to scan through every document on your disk. Sometimes they fix themselves and don't occur again. But sometimes they don't, and you need to know how to find the source of the problem.

Using the Task Manager

The first place I go when my computer is acting sluggish is the Task Manager. Press Ctrl+Shift+Esc (or Ctrl+Alt+Del) to open it, view the Processes tab, and click the heading of the CPU column (twice, if the first click sorts in ascending order) so that the processes using the greatest percentage of available CPU cycles appear at the top.

Note: If you are logged on as a limited user, or via Remote Desktop, you might see only the processes running under your own username. To view all active processes, run the Task Manager as a Computer Administrator and check Show Processes From All Users. If you don't want to log off and back on as an Administrator to do this, open a command prompt window and type runas /user:Administrator taskmgr.

If a single task is consuming a large percentage of the CPU, it's either very busy, or it's stuck in an infinite loop doing nothing. It's sometimes difficult to tell which. One helpful indicator is the amount of disk activity the program is doing. Click View, select Columns, check PID, I/O Read Bytes, and I/O Write Bytes, and click OK. The result is shown in Figure 6.22.

Figure 6.22. Task Manager display showing %CPU usage and total disk activity.

Watch the I/O Read Bytes and I/O Write Bytes numbers. They are cumulative totals since the process started, so what matters is whether they change: if they are increasing, the program is actively reading and writing data. (On a multiprocessor or multicore system, note that a single-threaded program that is spinning shows up as 100% divided by the number of processors, not as 100%.)
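Reading those two columns by eye is tedious, so here is the same check scripted. This is an added example, not from the book: a PowerShell script (2.0 or later, with WMI access to Win32_Process) that samples a process twice, reports its CPU share and the change in its I/O byte counters over the interval, and applies the rule that high CPU with no I/O is the signature of a hung program while high CPU with I/O is a program working hard. The 80% threshold and the -KillIfHung switch are illustrative choices; the script file name in the usage comment is a placeholder.

```powershell
# Watch-Proc.ps1  (added example; not the book's code)
# Usage: .\Watch-Proc.ps1 -ProcId 1234 [-IntervalSeconds 5] [-KillIfHung]
param(
    [Parameter(Mandatory=$true)][int]$ProcId,
    [int]$IntervalSeconds = 5,
    [switch]$KillIfHung
)

function Get-ProcSample {
    param([int]$Id)
    # Win32_Process carries the same counters Task Manager labels
    # "I/O Read Bytes" / "I/O Write Bytes" (cumulative since process start)
    $w = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $Id"
    if (-not $w) { throw "No process with PID $Id" }
    New-Object PSObject -Property @{
        Name       = $w.Name
        # KernelModeTime / UserModeTime are in 100-nanosecond units
        CpuSec     = ([double]$w.KernelModeTime + [double]$w.UserModeTime) / 1e7
        ReadBytes  = [uint64]$w.ReadTransferCount
        WriteBytes = [uint64]$w.WriteTransferCount
    }
}

$first = Get-ProcSample -Id $ProcId
Start-Sleep -Seconds $IntervalSeconds
$second = Get-ProcSample -Id $ProcId

# Task Manager's CPU column is a share of all processors, so normalize the same way
$cores   = [Environment]::ProcessorCount
$cpuPct  = 100 * ($second.CpuSec - $first.CpuSec) / ($IntervalSeconds * $cores)
$ioDelta = ($second.ReadBytes - $first.ReadBytes) + ($second.WriteBytes - $first.WriteBytes)

"{0} (PID {1}): CPU {2:N1}% of all processors, I/O {3:N0} bytes in {4}s" -f `
    $second.Name, $ProcId, $cpuPct, $ioDelta, $IntervalSeconds

# The rule of thumb from the text: busy CPU with no disk activity = probably spinning.
# 80% is an illustrative threshold, not a figure from the book.
if ($cpuPct -ge 80 -and $ioDelta -eq 0) {
    "Verdict: probably hung (high CPU, no I/O)"
    if ($KillIfHung) {
        # Same effect as: taskkill /f /pid <n>
        Stop-Process -Id $ProcId -Force
        "Process $ProcId terminated."
    }
} elseif ($cpuPct -ge 80) {
    "Verdict: busy but making progress (high CPU plus I/O)"
} else {
    "Verdict: not CPU-bound; look elsewhere (network, disk, another process)"
}
```

Two caveats worth keeping in mind: a program blocked on a network call or a lock shows neither CPU nor I/O, so "no I/O" alone says nothing, and a program that is busy computing in memory (a compression or rendering job, say) legitimately shows high CPU with little I/O, which is why the script only reports a verdict and kills nothing unless you ask it to.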
A program that is consuming nearly 100% of the CPU with no I/O activity is probably hung; a program that is using a large CPU percentage and is also performing I/O is just working hard. If you suspect that a program is hung, you can try to terminate it from the Task Manager: select the program in the list and click End Process. If that has no effect, the next step is to open a command prompt window. If you are using Windows XP Professional, type the command taskkill /pid nnn (or taskkill /f /pid nnn to force termination), with the number from the process's PID column in place of nnn. If you are using XP Home Edition, try the command tskill nnn, although it may not work. If you previously downloaded and installed the Resource Kit Tools described in Appendix A, you can type kill /f nnn, which is more likely to work.

Reading the Event Log

The Windows Event Log is a sort of collective blog written by Windows, its services, and applications as they go about their business. It records errors, warnings, and observations that aren't necessarily displayed on the desktop or in message boxes. To read these messages, open the Event Viewer by right-clicking My Computer, selecting Manage, and then selecting Event Viewer in the left pane. Alternatively, type eventvwr.msc at the command prompt. The Event Viewer displays at least three different log sections:

Application   Messages recorded by application programs.
Security      Audit records, such as logon attempts and object access; readable by Administrators only.
System        Messages recorded by Windows itself, its device drivers, and its services.
The EventLog service starts automatically early in the bootup process. All users of a computer can view the Application and System logs, but only Administrators can view the Security log. Special services may also create other logs. My computer, for example, gained a log named ACEEventLog when I installed a new ATI display adapter driver recently; it appears to contain debugging information written by the driver. Windows Server installations may have several additional logs relating to server functions such as DHCP, File Replication, and Active Directory. Log entries are categorized into one of five Event Types, which are listed in Table 6.5.

Table 6.5. Windows Event Types

Event Type      Meaning
Error           A significant problem, such as a service that failed to start or a loss of data.
Warning         Not necessarily a problem now, but a condition that may cause one later, such as low disk space.
Information     A successful operation, such as a service or driver starting normally.
Success Audit   An audited security event that succeeded, such as a successful logon (Security log only).
Failure Audit   An audited security event that failed, such as a logon with a bad password (Security log only).
You can easily scan through the logs for events that might shed light on a problem you're investigating, or for events that may predict an upcoming problem; double-click an entry to view detailed information. Other possible activities include the following:

You can configure the maximum log size and specify event retention policies by right-clicking a log name in the left pane and selecting Properties. Figure 6.23 shows the General tab, from which you can configure most of the basic options for a log.

Figure 6.23. You can configure log sizes and event retention limits.
Caution: A common hacker trick is to do something improper and then flood the log with innocuous entries, so that the record of the misdeed is overwritten when the log wraps around. On important servers, then, it's common security practice to disable automatic overwriting of the Security log. However, if you disable the overwriting of old events and the log grows to its maximum configured size, new events are dropped until the log is cleared, so give the log a generous maximum size and archive and clear it on a schedule. Always pay careful attention to your logs when you have chosen to clear log entries manually.

Security Logging and Auditing

By default, security logging is turned off and must be enabled through Local Security Policy or, on a domain network, Group Policy. Security logging can record attempts to log on with incorrect passwords. The Administrator can also set auditing policies to enable the logging of audit events, which can help you determine whether an application or service is failing because it cannot gain access to needed files, or help you watch for attempts by people to access things they shouldn't. Files and folders to be monitored in this way must be stored on NTFS-formatted disks and must be marked separately for auditing using their Advanced security properties dialogs. In addition, Simple File Sharing must be turned off. Auditing is not available on Windows XP Home Edition.

To enable security logging, log on as a Computer Administrator, open the Administrative Tools menu from the Start menu or Control Panel, and select Local Security Policy. Alternatively, at the command prompt, type secpol.msc (or gpedit.msc, where the same settings appear under Computer Configuration, Windows Settings, Security Settings). View Local Policies, Audit Policy, as shown in Figure 6.24.

Figure 6.24. Enable Security and Audit logging from the Local Security Policy editor.

To have the Security log record failed logon attempts, set Audit Logon Events to Failure. To record all logons, set Audit Logon Events to Success, Failure. To permit the recording of file and folder audit activity, set Audit Object Access to Failure, or Success, Failure.
Then, modify the Security permissions of the files and/or folders you want to monitor. To do this, follow these steps:
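The whole procedure above, the audit policy, the Security log retention setting from the Caution, the per-folder auditing entry, and reading the resulting records back, carried out from the command line. This is an added example and not the book's code. It assumes an Administrator PowerShell 2.0 or later on an NTFS volume; on XP and Server 2003 the audit policy is applied with secedit and a security template (Vista and later also have auditpol.exe). The folder path is a placeholder. The event IDs are the standard ones: 529 to 539 (XP/2003) and 4625 (Vista and later) for failed logons, 560 (XP/2003) and 4656 (Vista and later) for a failed object open; the regular expression that pulls the account name out of the message text is an assumption about the message layout.

```powershell
# Added example; not the book's code. Run as Administrator.
param([string]$Folder = 'C:\Data\Payroll')   # placeholder path

# --- 1. Audit policy: failed logons; success and failure for object access ---
# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# Set AuditObjectAccess back to 0 once the debugging session is over.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 2
AuditObjectAccess = 3
'@
$inf = Join-Path $env:TEMP 'audit.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'audit.sdb') /cfg $inf /areas SECURITYPOLICY /quiet

# --- 2. Log retention: larger Security log, no automatic overwrite ----------
Limit-EventLog -LogName Security -MaximumSize 64MB -OverflowAction DoNotOverwrite

# --- 3. SACL: audit failed reads, writes and deletes under $Folder ----------
# Get-Acl -Audit returns the SACL as well as the DACL (needs SeSecurityPrivilege)
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl
# The same list the folder's Advanced > Auditing tab shows:
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# --- 4. Read back the failures recorded in the last hour --------------------
$logonIds  = 529,530,531,532,533,534,535,537,539,4625
$objectIds = 560,4656
$events = Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddHours(-1)

"Failed logons by account:"
$events | Where-Object { $logonIds -contains $_.EventID } | ForEach-Object {
    # XP messages carry one "User Name:" line; 4625 carries two "Account Name:"
    # lines (subject first, then the account that failed), so take the last match.
    $ms = [regex]::Matches($_.Message, '(?:User Name|Account Name):\s*(\S+)')
    if ($ms.Count -gt 0) { $ms[$ms.Count - 1].Groups[1].Value } else { '(unparsed)' }
} | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"Failed access under ${Folder}:"
$events | Where-Object { $objectIds -contains $_.EventID -and $_.Message -like "*$Folder*" } |
    Select-Object TimeGenerated, EventID,
        @{n='Detail'; e={ (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' | ' }} |
    Format-Table -AutoSize -Wrap
```

Auditing object access for Success as well as Failure on a busy folder generates a record for every open, which is exactly how the log fills up; the Failure-only audit rule in step 3 keeps the volume to the access attempts you actually want to see, and step 2 makes sure that a burst of entries cannot push the interesting ones out of the log.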
When you have enabled auditing for debugging purposes, it's best to disable it immediately after solving the problem to avoid having the Security log grow unnecessarily large.

Using the Performance Monitor

The System Monitor and Performance Logs and Alerts management tools are available in the Computer Management console. These tools let you plot and monitor all sorts of internal measurements inside Windows, view recorded performance data, and configure management alerts to be sent when system measurements stray from preset bounds. If you type perfmon.msc at the command line, or choose Start, All Programs, Administrative Tools, Performance, you'll get a console with Performance Logs and Alerts, plus the more useful System Monitor tool, which plots system activity in real time, as shown in Figure 6.26. (For some strange reason, System Monitor is not available as a selection when building custom consoles in MMC.)

Figure 6.26. The Performance console is the powerhouse of performance monitoring.

Note: If Administrative Tools doesn't appear under All Programs in your Start menu, right-click the Start button, select Properties, click Customize, and select the Advanced tab. Locate System Administrative Tools under Start Menu Items and select Display On The All Programs Menu. Click OK twice to close the dialogs, and Administrative Tools will now be available.

Monitoring performance begins with the collection of data. The Performance console provides several ways of working with data, although all of them use the same means of collecting it. Data collected by the Performance Monitor is broken down into objects, counters, and instances.
The primary difference between using the System Monitor and Counter Logs/Trace Logs is that you typically watch performance in real time in System Monitor (or play back saved logs), whereas you use Counter Logs and Trace Logs to record data for later analysis. Alerts function in real time by providing you with (you guessed it) an alert when a user-defined threshold is exceeded. Collecting data and displaying it will be discussed at length in the following section, "Using System Monitor." Counter Logs, Trace Logs, and Alerts will be discussed in detail in the "Using Performance Logs and Alerts" section later in this chapter.

Using System Monitor

The System Monitor (shown previously in Figure 6.26) enables you to view statistical data either live or from a saved log. You can view the data in three formats: graph, histogram, or report. Graph data is displayed as a line graph; histograms are incorrectly named and are actually just bar graphs; and reports are text-based displays that show the current numerical values of the selected statistics. To add counters to the Performance Monitor, click the "+" icon, which is the eighth icon from the left in the System Monitor; this opens the Add Counters dialog box shown in Figure 6.27. At the top of the dialog box is a set of radio buttons with which you can obtain statistics from the local machine or a remote machine. This is useful when you want to monitor a computer in a location that is not within a reasonable physical distance from you. Under the radio buttons is a pull-down list naming the performance objects that can be monitored. Which performance objects are available depends on the features (and applications) you have installed. Some applications install their own counters, which let you monitor statistics relating to that application from the Performance Monitor.

Figure 6.27. Use the Add Counters dialog box to add counters to the System Monitor.

Under the performance object is a list of counters. Counters, applied to a specific instance of an object, are what you are really after; the object just narrows down your search. The counters are the actual statistical information you want to monitor, and each object has its own set of counters from which you can choose. Counters take you from the abstract concept of an object to the concrete events that reflect that object's activity. For example, if you choose to monitor the Processor object, you can watch % Processor Time, the share of time the processor spent on non-idle activity, and break it down into % User Time (time spent executing user application code) versus % Privileged Time (time spent executing kernel-mode code on behalf of the system). To the right of the counter list is the instances list. In most cases where instances are listed, selecting _Total will give you the most useful results. You can make several modifications to the System Monitor to improve how it functions in your environment. To access the properties page for the System Monitor, right-click the graph and select Properties from the menu that appears.

Using Performance Logs and Alerts

Using the Performance Logs and Alerts section of the Performance Monitor, you can log counter and event trace data. Additionally, you can create alerts triggered by performance that notify the administrator of critical changes in monitored counters, to give advance warning of impending problems. The following three items are located in the Performance Logs and Alerts section of the Performance Monitor:

Counter Logs   Record the values of selected counters at a fixed interval, for later playback in System Monitor or export to a spreadsheet.
Trace Logs     Record events from kernel and application trace providers as they happen, rather than sampled counter values.
Alerts         Watch a counter in real time and take an action when its value crosses a threshold you set.
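The same workflow scripted: sample a set of counters the way System Monitor does, apply Alert-style thresholds to each sample, then create a Counter Log for later analysis and summarize what it recorded. This is an added example, not the book's code. It assumes PowerShell 2.0 or later for Get-Counter and Import-Counter (on XP the built-in typeperf.exe and logman.exe do the same sampling and logging from a command prompt); the counter paths are standard Windows counters, the thresholds and the log name SlowPC are illustrative choices.

```powershell
# Added example; not the book's code.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% Privileged Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
)
# Alert rules: counter path -> comparison and limit (illustrative thresholds).
# Hashtable keys are case-insensitive, which matters because Get-Counter
# reports counter paths in lowercase.
$rules = @{
    '\Processor(_Total)\% Processor Time'          = @{ op = 'gt'; limit = 90 }
    '\Memory\Available MBytes'                     = @{ op = 'lt'; limit = 100 }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = @{ op = 'gt'; limit = 2 }
}

# --- System Monitor + Alerts: sample every 2 s for one minute ---------------
Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 30 | ForEach-Object {
    foreach ($s in $_.CounterSamples) {
        # Sample paths are machine-qualified (\\HOST\processor(_total)\...);
        # strip the host so they match the rule keys
        $path = $s.Path -replace '^\\\\[^\\]+', ''
        $rule = $rules[$path]
        if ($rule -and ((($rule.op -eq 'gt') -and ($s.CookedValue -gt $rule.limit)) -or
                        (($rule.op -eq 'lt') -and ($s.CookedValue -lt $rule.limit)))) {
            "{0:HH:mm:ss} ALERT {1} = {2:N1} ({3} {4})" -f $_.Timestamp, $path,
                $s.CookedValue, $rule.op, $rule.limit
        }
    }
}

# --- Counter Log: binary log sampled every 15 s, for replay in System Monitor
#     (View Log Data) or summarizing here. Start it, reproduce the slowdown,
#     then stop it.
logman create counter SlowPC -c $counters -si 15 -f bin -o "$env:TEMP\SlowPC"
logman start SlowPC
Start-Sleep -Seconds 60      # stand-in for "reproduce the slowdown"
logman stop SlowPC

# Average and peak of every counter in the log (logman may add a version suffix
# to the file name, hence the wildcard)
$logs = Get-ChildItem "$env:TEMP\SlowPC*.blg" | ForEach-Object { $_.FullName }
Import-Counter -Path $logs | Select-Object -ExpandProperty CounterSamples |
    Group-Object Path | ForEach-Object {
        $v = $_.Group | Measure-Object CookedValue -Average -Maximum
        "{0,-60} avg {1,10:N1} max {2,10:N1}" -f $_.Name, $v.Average, $v.Maximum
    }
```

The reason to log rather than watch is the one the text gives: an intermittent slowdown rarely happens while you are looking at the graph, but a Counter Log running at a 15-second interval costs almost nothing and lets you line the disk queue, available memory, and privileged time up against the moment the machine went sluggish.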