Anyone who has ever had to troubleshoot an IIS crash knows just how complex the process can be. Suppose that your IIS Server crashes and generates a Dr. Watson error. You quickly determine that the error is IIS related because it pinpoints INETINFO.EXE as the source of the error.

But figuring out why IIS crashed is often easier said than done. After all, the crash could be linked to faulty hardware, a buggy system file, a Web application that crashed and took down the system, or any number of other things. The IIS Exception Monitor tool can make it easier to pinpoint the cause. In this Daily Drill Down, I’ll explain how to acquire, install, and use this utility.

When to use IIS Exception Monitor
IIS Exception Monitor is a free diagnostic tool provided by Microsoft. In fact, it’s the tool Microsoft’s technical support department uses to diagnose IIS and Windows DNS application errors. The vast majority of IIS crashes are related to Web applications rather than to an actual IIS bug. And you can’t get step-by-step solutions for fixing the error just by looking in the Microsoft Knowledge Base because most errors are specific to an individual application and the environment that the application runs in.

IIS Exception Monitor is designed to give you specific information about why a crash occurred so you can fix the problem that caused the crash. Some of the situations in which it’s most effective to use IIS Exception Monitor include:

  • When the IIS services stop abruptly.
  • When the Web browser returns Server Too Busy error messages.
  • When IIS generates a Dr. Watson error.
  • When the Web browser returns an application-specific error message.
  • When the Web browser displays an ASP 0115 error.

Installing IIS Exception Monitor
You can download the file from Microsoft’s IIS Exception Monitor Web site. Once the file has been downloaded, double-click on the DBG.EXE file. You’ll be prompted to accept the license agreement. After doing so, Windows will extract the files to a temporary folder, and you’ll be prompted to enter the name of the directory where you’d like to install the utility. Enter the directory name and click OK to copy the files.

Running the utility
To run the IIS Exception Monitor utility, you must have a Windows NT 4.0 Server with Windows Scripting Host installed or you must be running Windows 2000. Assuming that your server meets these minimum requirements, you can start IIS Exception Monitor by selecting Exception Monitor from the Start | Programs | Debugging Tools | Exception Monitor menu. From the initial Welcome screen, you can view previously created log files. But since this is the first time you’ve run IIS Exception Monitor, there aren’t any files to view, so click Next to continue.

You can next choose either to monitor a running service or application or to monitor a service that has stopped. For demonstration purposes, select the option to monitor a running service or application and click Next. You’ll then see the screen shown in Figure A. As you can see in the figure, you can select any running IIS-related service. If you’d rather test an application, select the Other Application radio button. For this example, I selected the Microsoft Internet Information Service (In Process) service and clicked Next.

Figure A
You can select any running IIS-related service or any running Web application.

After selecting that option, you’ll see the Session Options screen with two primary options for Exception Monitoring: Automatic or Manual. Use Manual monitoring only in situations in which a Microsoft support specialist is connecting to your server to help you to diagnose a problem. For all other problems, use the Automatic option.

As you can see in Figure B, there are two check boxes beneath the Automatic monitoring option. The Enable Recursive Mode option causes the service you’re monitoring to automatically restart after an exception occurs. This option allows you to continuously monitor a service until you manually disable recursive mode.

Figure B
Unless you’re working with a Microsoft support specialist, you must use the Automatic option.

The Notify Admin option allows IIS Exception Monitor to notify someone when an exception occurs. You can enter a user name or a computer name into the Notify Admin field. If an SMTP profile exists on the server, you can enter an e-mail address instead of a user name or computer name, and then e-mail notifications will be sent to the address. Otherwise, notifications will be sent via Net Send messages.

After clicking Next, you’ll see the Start Monitoring screen. The monitoring session begins the instant that you click the Run This Monitoring Session button; however, clicking the button won’t move you to the next screen. If, after clicking it, you decide that you need to make a change to the monitoring session, you can do so by clicking the Back button.

After a delay of a minute or two, IIS Exception Monitor will open the Windows Debugger window shown in Figure C. The Windows Debugger is the heart and soul of IIS Exception Monitor.

Figure C

IIS Exception Monitor interacts directly with the Windows Debugger and instructs the debugger to attach to the process or application that you selected. IIS Exception Monitor also forces the Windows Debugger to run specific scripts when exceptions occur.

Session Status page
I explained that when you click the Run This Monitoring Session button, the Windows Debugger opens in a separate window and begins the logging process. However, you might have noticed that although the Run This Monitoring Session button becomes grayed out, the Start Monitoring dialog box remains open and the Back and Next buttons remain active.

Figure D
The Session Status screen provides a summary of past and present monitoring sessions and allows you to manually stop the current monitoring session.

If you click the Next button, you’ll be taken to the Session Status screen (Figure D), which gives you a quick summary of all of the automatic and manual monitoring sessions you’ve performed to date. Notice in the figure that Process 2700 is running. This monitoring process will continue to run until an exception occurs (assuming that you haven’t enabled Recursive Monitoring) or until you manually stop the process. You can manually stop the logging process by selecting the process and clicking the Stop/Create Log button.

When you click the Stop/Create Log button, the Windows Debugger will appear to go crazy, spewing countless lines of code across the screen. But after a few minutes, you’ll see a dialog box informing you that the log file has been created in a specific location. Click OK and then Finish to close IIS Exception Monitor.

Analyzing your results
When you started IIS Exception Monitor for the first time, you saw the View Log Files button on the opening screen. Now that you’ve analyzed a process and have actually created a log file, restart IIS Exception Monitor and click the View Log Files button. You’ll see a screen where you can select which log file you want to view. The log file names are based on the process ID, time, and date, so you can use the file name to figure out which log file is which (if you have more than one).

Figure E
You’ll see this warning message if you manually stopped the monitoring process.

If you manually stopped the monitoring process rather than having the process stop because of an exception error, IIS Exception Monitor will display the dialog box shown in Figure E. This dialog box is IIS Exception Monitor’s way of telling you that you didn’t capture any critical errors in the log file, but that you can use the log file to troubleshoot other problems, such as high CPU utilization. Click OK to clear this warning.

Figure F
The log file viewer is designed to help you to more easily digest the information contained within the lengthy log files.

After clearing the warning message, you’ll see the utility for viewing the log files shown in Figure F. You need to use this interface because the log files produced by IIS Exception Monitor are huge. The viewer can automatically sort the information found in the logs into various sections to help you more quickly locate specific information.

In the figure, you’ll notice a series of ten buttons on the left side of the viewer. Each of these ten buttons invokes a separate function to assist you in the troubleshooting process. In the sections below, I’ll explain the functions of each of these buttons.

Errors
Clicking the Errors button displays any errors contained in the log file. Although the errors are recorded into the log file in hexadecimal format, the Errors button displays a plain text description of the error messages whenever possible. The log file viewer accomplishes this by comparing the error number against a database of known errors. If you see only an error number in this log file, there is no record of the error number in the error message database.

DLLs
When you click the DLLs button, you’ll see a list of all of the DLLs the service or application you monitored was using. The list shows the module name and the starting and ending address. However, if you click on an individual DLL module, you can see specific version information for that module. You can see an example of this in Figure G.

Figure G
The log file viewer allows you to see specific information about every DLL module being used by the monitored service or application.

Help
The Help button opens the IIS Exception Monitor’s help file. The help file is fully indexed.

Locks
The Locks button allows you to see file lock information as it existed at the time of the exception—assuming that there was an exception. This area of the log file viewer allows you to see the owning thread, lock count, and critical sections of the file lock.

Report
The Report section provides you with a summary of the log you’re looking at. The report begins with the basic information, such as log file’s date, time, and the application or service that was being monitored. The report also displays information such as which third party modules were running and what errors and warnings occurred during the monitoring process.

P.T.C.
When you click the P.T.C. button, you’ll see activity that occurred during the monitoring period prior to the crash. This information allows you to see exactly what happened and the order that it happened in right before an exception occurred. You can use this information to determine the cause of the exception. For example, you may notice a service or program starting consistently before a crash, which would indicate that that service is the troublemaker.

Notepad
If you click the Notepad button, the Windows Notepad utility starts and loads the log file in raw format. Much of the information in the raw log file is easy to understand, such as the system information and the DLL file version information. However, most error messages are in hexadecimal format, so you’re usually better off using the other buttons to analyze the log file.

The one really useful thing that you can get out of the Notepad option, however, is a list of exceptions that have occurred and why those exceptions happened. All exceptions are designated with an SXE, as shown in the excerpt below:
>sxe c0000005 /C”.source R:\IIS Exception Monitor\bin\em\config\2416\Access_violation.ecx”
>sxe 0 /C”.source R:\IIS Exception Monitor\bin\em\config\2416\Manual_Trip.ecx”

Sys Info
The Sys Info button allows you to view basic system information. For example, you can view things like the environment, operating system, processor, memory, disk configuration, and which network drives have been mapped. The Sys Info section even tells you which service packs and hotfixes have been applied to the system.

New and Config buttons
The New button allows you to look at a different log file, while the Config button allows you to control the log file viewer’s behavior. For example, you can control things like whether or not the log file is copied to the clipboard, and whether errors found in the log are displayed. You can see the various configuration options in Figure H.

Figure H
The log file viewer’s Config button allows you to control the viewer’s behavior.

Take exception to errors
Figuring out what causes problems on your servers can be maddening. Using IIS Exception Monitor, you’ll have the same tools at your fingertips that Microsoft itself uses to identify problems with IIS. Once you master the tool, you can quickly troubleshoot and solve errors that occur in IIS.