Monitoring Your System to Identify Bottlenecks


Sometimes you get the feeling that your computer is not performing at full capacity. The indication might be anything from a momentary lag between typing and having characters appear on the screen, to applications taking far too long to open when you start them. Sometimes these slowdowns are caused by momentary network outages, the automatic installation of Windows Update downloads, or the Windows Indexing Service deciding that the middle of your workday is a good time to scan through every document on your disk. Sometimes they fix themselves and don't occur again. But sometimes they don't, and you need to know how to find the source of the problem.

Using the Task Manager

The first place I go when my computer is acting sluggish is the Task Manager. Type Ctrl+Alt+Del to open it, view the Processes tab, and click the title of the CPU column twice to show the processes using the greatest percentages of available CPU cycles.

Note

If you are logged on via Remote Desktop, you might only be able to see processes running under your own username. To view all active processes, you must run the Task Manager as a Computer Administrator and check Show Processes From All Users. If you don't want to log off and back on as an Administrator to do this, open a command prompt window and type runas /user:Administrator taskmgr.


If a single task is consuming a large percentage of the CPU, it's either very busy, or it's stuck in an infinite loop doing nothing. It's difficult to tell which, sometimes. One helpful indicator is the amount of disk activity the program is doing. Click View, select Columns and check PID, I/O Read Bytes, and I/O Write Bytes, and click OK. The result is shown in Figure 6.22.

Figure 6.22. Task Manager display showing %CPU usage and total disk activity.

Watch the I/O Read Bytes and I/O Write Bytes numbers. If they are increasing, the program is actively reading and writing data. A program that is consuming nearly 100% of the CPU with no I/O activity is probably hung up; a program that is using a large CPU percentage and is also performing I/O is just working hard.
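The hung-versus-busy heuristic above, applied to two Task Manager snapshots taken a few seconds apart. This is an added example, not code from the book; the process list and counter values are constructed, and the 90% CPU cutoff is an assumed threshold for "nearly 100%".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One row copied from the Task Manager Processes tab."""
    pid: int
    name: str
    cpu_percent: float      # CPU column
    io_read_bytes: int      # I/O Read Bytes column (cumulative since start)
    io_write_bytes: int     # I/O Write Bytes column (cumulative since start)


CPU_BUSY_THRESHOLD = 90.0   # assumed cutoff for "consuming nearly 100% of the CPU"


def classify(first: Sample, second: Sample) -> str:
    """Compare two snapshots of the same PID taken a few seconds apart.

    High CPU in both snapshots with no change in the I/O counters means the
    program is spinning without doing work; high CPU with growing I/O means it
    is simply busy.
    """
    if first.pid != second.pid:
        raise ValueError("samples must describe the same process")
    io_delta = (second.io_read_bytes - first.io_read_bytes) + (
        second.io_write_bytes - first.io_write_bytes
    )
    high_cpu = min(first.cpu_percent, second.cpu_percent) >= CPU_BUSY_THRESHOLD
    if high_cpu and io_delta == 0:
        return "probably hung"
    if high_cpu:
        return "working hard"
    return "normal"


def classify_all(before, after):
    """Join two snapshot lists by PID; processes that exited in between are skipped."""
    after_by_pid = {s.pid: s for s in after}
    return {s.pid: classify(s, after_by_pid[s.pid]) for s in before if s.pid in after_by_pid}


# Constructed snapshots, as if copied from the Task Manager five seconds apart.
BEFORE = [
    Sample(1234, "stuck.exe", 99.0, 4096, 0),
    Sample(2210, "indexer.exe", 95.0, 10_000_000, 1_000_000),
    Sample(3001, "notepad.exe", 0.0, 2048, 0),
    Sample(4100, "cmd.exe", 1.0, 8192, 512),
]
AFTER = [
    Sample(1234, "stuck.exe", 99.0, 4096, 0),            # CPU pegged, I/O frozen
    Sample(2210, "indexer.exe", 96.0, 25_000_000, 1_500_000),  # CPU pegged, I/O growing
    Sample(3001, "notepad.exe", 0.0, 2048, 0),
    Sample(4100, "cmd.exe", 2.0, 9000, 600),
]
```

`classify_all(BEFORE, AFTER)` marks stuck.exe as "probably hung", indexer.exe as "working hard" and the other two as "normal".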

If you suspect that a program is hung up, you can try to terminate it from the Task Manager. Select the program in the list and click End Process. In most cases, this will have no effect, so the next step is to open a command prompt window. If you are using Windows XP Professional, type the command taskkill /pid nnn with the number from the process's PID column in place of nnn. If you are using XP Home Edition, try the command tskill, although it may not work. Hopefully you had previously downloaded and installed the Resource Kit Tools described in Appendix A, and can type kill /f nnn, which is more likely to work.

Reading the Event Log

The Windows Event log is a sort of collective blog written by Windows, its services, and applications as they go about their business, and it records errors, warnings, and observations that aren't necessarily displayed on the desktop or in message boxes. To read these messages, open the Event Viewer by right-clicking My Computer, selecting Manage, and then selecting Event Viewer in the left pane. Alternatively, type eventvwr.msc at the command prompt.

The Event Viewer displays at least three different log sections:

  • Application log Contains events logged by applications or programs running on the computer. For example, a program might record a file error in the application log. Each program's developer decides which, if any, events to record.

  • Security log Records security events such as valid and invalid logon attempts as well as audit events related to resource use such as creating, opening, or deleting files. The administrator can specify which events will be recorded in the Security log by enabling specific logging actions.

  • System log Contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows and can't be changed by users or administrators.

The EventLog service starts automatically early in the bootup process. All users of a computer can view the Application and System logs, but only Administrators can view the Security log. Special services may also create other logs. My computer, for example, gained a log named ACEEventLog when I installed a new ATI display adapter driver recently; it appears to contain debugging information written by the driver. Windows Server installations may have several additional logs relating to server functions such as DHCP, File Replication, and Active Directory.

Log entries are categorized into one of five Event Types, which are listed in Table 6.5.

Table 6.5. Windows Event Types

  • Error: Indicates a serious problem that has occurred, such as a loss of data or degradation in usability or reliability. A service that fails to load or a domain controller that is unavailable for contact will cause an Error event. More often than not, you will receive an onscreen warning concerning the Error event.

  • Warning: Indicates that a less serious event has occurred that should not normally have an immediate adverse effect on the computer. Low disk space or failure to contact a time server to update the clock might cause a Warning event.

  • Information: Indicates the successful completion of a task or the successful operation of an application, device, or service. Many occurrences will create an Information event, such as the starting of a network service or the loading and configuring of a driver.

  • Success Audit: Indicates that an action that was configured for success auditing was attempted and was successful. Auditing can monitor access to files or folders, logging on to the network, use of privileges, and so on.

  • Failure Audit: Indicates that an action that was configured for failure auditing was attempted and was unsuccessful. Failure audit events can be used to identify users who are attempting to gain access to files or privileges for which they are not authorized.


You can easily scan through the logs for events that might shed light on a problem you're investigating, or events that may predict an upcoming problem; double-click an entry to view detailed information.

Some other possible activities include the following:

  • To save a log file for archival purposes, select Save Log File As. You will need to select from three file types: .EVT, .TXT, or .CSV. If you plan on opening the log later in the Event Viewer, you should save it in .EVT format. If you save a log in .TXT (plain text) or .CSV (comma-delimited) format, you can import the data into a spreadsheet or database for further processing.

  • To open a saved log file, select Open Log File. This comes in handy if you've saved and cleared out Event logs.

  • Clicking New Log View simply creates a copy of the selected log, allowing you to create a custom view of it without changing the view of the original.

  • After you've archived a log, you can Clear All Events in the log to start with a clean slate again.

  • Export List is a nice feature that allows you to export a log file to a text file for easy transport and viewing in any text editor.

You can configure maximum log size and specify event retention policies by right-clicking a log name in the left pane and selecting Properties. Figure 6.23 shows the General tab, from which you can configure most of the basic options for a log.

Figure 6.23. You can configure log sizes and event retention limits.


Caution

A common hacker trick is to do something improper, and then flood the log with innocuous entries to flush out any record of their misdeeds. On important servers, then, it's a common security practice to disable automatic overwriting of the security log. However, if you disable the overwriting of old events and your log grows to the maximum configured size, the logging of new events will not occur. Always pay careful attention to your logs when you have selected to manually clear log entries.
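One way to put the .CSV export mentioned earlier to use: a small triage script that tallies Failure Audit entries per user and flags the burst-of-filler pattern this Caution describes. This is an added example, not code from the book; it assumes the Windows XP Event Viewer CSV column order Type, Date, Time, Source, Category, Event, User, Computer with no header row, and every sample row is constructed rather than taken from a real log.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed XP Event Viewer CSV column order (the export has no header row).
FIELDS = ["type", "date", "time", "source", "category", "event", "user", "computer"]

def parse_export(text):
    """Turn the CSV text into dicts, adding a parsed 'when' timestamp."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # skip blank or truncated lines
        e = dict(zip(FIELDS, row))
        e["when"] = datetime.strptime(e["date"] + " " + e["time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(e)
    return events

def failure_audits_by_user(events):
    """Count Failure Audit entries per User column: who keeps being refused."""
    return Counter(e["user"] for e in events if e["type"] == "Failure Audit")

def flood_bursts(events, window_seconds=60, threshold=30):
    """Sources that wrote >= threshold entries inside any window_seconds span.
    A run of filler entries from one source is the flooding pattern the Caution
    above warns about; returns {source: peak entries seen in one window}."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e["when"])
    bursts = {}
    for source, times in by_source.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[source] = peak
    return bursts

def constructed_export():
    """Constructed sample: three audit rows, then 50 filler entries in 50 seconds."""
    rows = [
        "Failure Audit,1/15/2005,9:04:12 AM,Security,Logon/Logoff,529,bob,WORKSTATION1",
        "Failure Audit,1/15/2005,9:04:15 AM,Security,Logon/Logoff,529,bob,WORKSTATION1",
        "Success Audit,1/15/2005,9:05:02 AM,Security,Logon/Logoff,528,alice,WORKSTATION1",
    ]
    base = datetime(2005, 1, 15, 9, 30, 0)
    for i in range(50):
        stamp = (base + timedelta(seconds=i)).strftime("%m/%d/%Y,%I:%M:%S %p")
        rows.append("Information,%s,FillerApp,None,1000,N/A,WORKSTATION1" % stamp)
    return "\n".join(rows)
```

On the constructed export, `failure_audits_by_user(parse_export(constructed_export()))` reports bob twice and `flood_bursts(...)` flags FillerApp with 50 entries in one window.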


Security Logging and Auditing

By default, security logging is turned off and must be enabled through Local Security Policy, or on a domain network, Group Policy. Security logging can record attempts to log on with incorrect passwords.

The Administrator can also set auditing policies to enable logging of auditing events, which can help you determine whether an application or service is failing because it cannot gain access to needed files, or which can help you watch for attempts by people to access things they shouldn't. Files and folders to be so monitored must be stored on NTFS-formatted disks, and must be marked separately for auditing using their Advanced security properties dialogs. In addition, Simple File Sharing must be turned off. Auditing is not available on Windows XP Home Edition.

To enable Security logging, log on as a Computer Administrator, open the Administrative Tools menu from the Start menu or Control Panel, and select Local Security Policy. Alternatively, at the command prompt, type the command gpedit.msc. View Local Policies, Audit Policy, as shown in Figure 6.24.

Figure 6.24. Enable Security and Audit logging from the Local Security Policy editor.

To have the Security log record failed logon attempts, set Audit Logon Events to Failure. To record all logons, set Audit Logon Events to Success, Failure.

To permit the recording of file and folder Audit activity, set Audit Object Access to Failure, or Success, Failure. Then, modify the Security permissions of the files and/or folders you want to monitor. To do this, follow these steps:

1. Use Windows Explorer to locate and right-click the file or folder you want to audit. Select Properties.

2. Select the Security tab. (If it does not appear, either the file is on a FAT-formatted disk or Simple File Sharing has not been disabled.)

3. Click the Advanced button and select the Auditing tab. (If Auditing does not appear, you are not logged on as a Computer Administrator.) Click Add.

4. You may select specific users and groups to be monitored. Enter a username, group name, or Everyone to monitor all access.

5. Select the type of activity you want to monitor (see Figure 6.25), and click the check box in the Successful and/or Failed column. Only the selected activities and results will be considered for logging in the Event log, and then, only the result types for Object Access set earlier in the policy editor will actually be recorded.

Figure 6.25. Select access types and results for auditing.

6. Save the changes by clicking OK.

When you have enabled auditing for debugging purposes, it's best to disable it immediately after solving the problem to avoid having the security log grow unnecessarily large.

Using the Performance Monitor

The System Monitor and Performance Logs and Alerts management tools are available in the Computer Management console. These tools let you plot and monitor all sorts of internal measurements inside Windows, view recorded performance data, and configure management alerts to be sent when system measurements stray from preset bounds.

If you type perfmon.msc at the command line, or choose Start, All Programs, Administrative Tools, Performance, you'll get a console with Performance Logs and Alerts, plus the more useful System Monitor tool, which plots system activity in real-time, as shown in Figure 6.26. (For some strange reason, System Monitor is not available as a selection when building custom consoles in MMC.)

Figure 6.26. The Performance console is the powerhouse of performance monitoring.

Note

If Administrative Tools doesn't appear under All Programs in your Start menu, right-click the Start button, select Properties, click Customize and select the Advanced tab. Locate System Administrative Tools under Start Menu Items, and select Display On The All Programs Menu. Click OK twice to close the dialogs and Administrative Tools will now be available.


Monitoring performance begins with the collection of data. The Performance console provides you with various methods of working with data, although all methods use the same means of collecting data. Data collected by the Performance Monitor is broken down into objects, counters, and instances.

  • An object is the software or device being monitored, such as memory or processor.

  • A counter is a specific statistic for an object. For instance, Memory has a counter called Available Bytes, and a processor has a counter called % Processor Time.

  • An instance is the specific occurrence of an object you are watching; in a multiprocessor server with two processors, or a single CPU system with dual cores or hyperthreading, you will have three instances: 0, 1, and Total.

The primary difference between using the System Monitor and Counter Logs/Trace Logs is that you typically watch performance in real-time in System Monitor (or play back saved logs), where you use Counter Logs and Trace Logs to record data for later analysis. Alerts function in real-time by providing you with (you guessed it) an alert when a user-defined threshold is exceeded. Collecting data and displaying it will be discussed at length in the following section, "Using System Monitor." Counter Logs, Trace Logs, and Alerts will be discussed in great detail in the "Using Performance Logs and Alerts" section later in this chapter.

Using System Monitor

The System Monitor (shown previously in Figure 6.26) enables you to view statistical data either live or from a saved log. You can view the data in three formats: graph, histogram, or report. Graph data is displayed as a line graph; histograms are incorrectly named and are actually just bar graphs; and reports are text-based displays that show the current numerical information available from the statistics.

To add counters to the Performance Monitor, click the "+" icon, which is the eighth icon from the left in the System Monitor; this opens the Add Counters dialog box shown in Figure 6.27. At the top of the dialog box is a set of radio buttons with which you can obtain statistics from the local machine or a remote machine. This is useful when you want to monitor a computer in a location that is not within a reasonable physical distance from you. Under the radio buttons is a pull-down list naming the performance objects that can be monitored. Which performance objects are available depends on the features (and applications) you have installed on your server. Also, some counters come with specific applications. These performance counters enable you to monitor statistics relating to that application from the Performance Monitor.

Figure 6.27. Use the Add Counters dialog box to add counters to the System Monitor.


Under the performance object is a list of counters. When applied to a specific instance of an object, counters are what you are really after, and the object just narrows down your search. The counters are the actual statistical information you want to monitor. Each object has its own set of counters from which you can choose. Counters enable you to move from the abstract concept of an object to the concrete events that reflect that object's activity. For example, if you choose to monitor the processor, you can watch for the average processor time and how much time the processor spent performing non-idle activity. In addition, you can watch for %user time (time spent executing user application processes) versus %privileged time (time spent executing system processes).

To the right of the counter list is the instances list. In most cases where instances are listed, selecting Total will give you the most useful results.

You can make several modifications to the System Monitor to improve how it functions in your environment. To access the properties page for the System Monitor, right-click the graph and select Properties from the menu that appears.

Using Performance Logs and Alerts

Using the Performance Logs and Alerts section of the Performance Monitor, you can log counter and event trace data. Additionally, you can create alerts triggered by performance that can notify the administrator of critical changes in monitored counters, to give advance warning of impending problems. The following three items are located in the Performance Logs and Alerts section of the Performance Monitor:

  • Counter Logs enable you to record data about hardware usage and the activity of system services from local or remote computers. You can configure logging to occur manually or automatically based on a predefined schedule. If you desire, continuous logging is available, but it consumes large amounts of disk space quickly. You can view the logs in System Monitor or export the data to a spreadsheet or database program, such as Microsoft Excel and Microsoft Access, respectively.

  • Trace Logs are used to record data as certain activity, such as disk I/O or a page fault, occurs. When the event occurs, the provider sends the data to the log service.

  • Alerts can be set on a specific counter defining an action to be performed when the selected counter's value exceeds, equals, or falls below the specified setting. Actions that can be set include sending a message, running a program, and starting a log.




Upgrading and Repairing Microsoft Windows
Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
Year: 2005
Pages: 128
