Whether you’re a power user tuning up your own PC or a computer support technician trying to tune up someone else’s, Windows 2000 provides many tools that can help. In this Daily Drill Down, I’ll explain some of the most common uses for the Event Viewer, Task Manager, System Monitor, and alerts, all of which can help you keep the PCs for which you are responsible running well. While this Daily Drill Down focuses on networked PCs, much of the information can also be applied to a standalone PC.

The keys to wringing peak performance out of a machine are:

  • Monitoring events and resource usage
  • Setting alerts that will warn you of problems if you forget to actively monitor for them
  • Employing disk utilities that keep a system error-free and optimized

Most people are familiar with disk utilities such as Disk Defragmenter and ScanDisk, but fewer may have explored the world of event and usage monitoring.

Event Viewer
An event is a pretty broad term. It refers to any significant occurrence in Windows, as well as any activities you have set up to audit with an auditing policy. There are three kinds of events: information, warning, and error. They are recorded in one of three log files, depending on the activity: the System log, the Application log, and the Security log. First, we’ll look at the event types:

  • Information events are routine. When something happens successfully, such as a logon or a program starting, an information event is recorded.
  • Warning events are not necessarily significant, but they might signal a future problem. For example, Windows generates a warning event when disk space or available memory becomes low.
  • Error events are significant problems, such as a program failing to start, a program crashing, or a file being unable to open because of corruption.

The event logs contain the following:

  • The System log contains events that Windows 2000 system components have logged, such as a failure of a device.
  • The Application log contains events from programs. For example, if you try to open a file in Microsoft Word and that file won’t open, an error event appears in the Application log.
  • The Security log records such events as successful and unsuccessful system logon and logoff and resource access.

Who decides what constitutes an event? Well, the events that will appear in the System log are predetermined in Windows 2000. The events that will appear in the Application log are determined by the good folks who designed each particular application. And the events that appear in the Security log are determined by a system administrator by using audit policies. (Audit policies are a huge topic all by themselves. For more information, see the TechProGuild Daily Drill Down “Creating a Windows 2000 audit policy.”)

When looking for performance problems and bottlenecks, you will primarily be interested in the System log and perhaps the Application log as well if you are concerned with a particular program. To view a log, start Event Viewer by choosing Start | Settings | Control Panel. Double-click on Administrative Tools and then double-click on Event Viewer. Just select the log you want to view in the console tree, as shown in Figure A.

Figure A
The Windows 2000 Event Viewer lets you monitor application, security, and system events.

Using Event Viewer, you can also view event logs for remote computers, provided, of course, that you have the correct permissions. In Event Viewer, right-click Event Viewer (Local) in the console tree and choose Connect To Another Computer.

To view the details of a particular event, double-click it. The event details often give you clues as to what is going wrong. For example, in Figure B, you can see that my CD-ROM drive is experiencing timeout errors. From Figure A, you can see that there are a whole slew of ATAPI errors, indicating that it’s an ongoing performance problem on the system. From this, I can guess that my CD-ROM drive is not configured correctly or is not a high-enough speed/quality drive for the tasks I’m asking it to perform.

Figure B
The properties of an event shown in Figure A indicate CD-ROM trouble.

You can filter the event log to display only a certain type of event by choosing View | Filters in the Event Viewer window. You can filter not only by type, but also by event source, user, computer, category, or other criteria.
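The same triage can be done offline once a log has been saved as text. The following is an added example, not part of the original article: it applies filter criteria like those under View | Filters and counts repeated error sources, the pattern behind the run of ATAPI errors described above. The comma-delimited column layout and all sample records are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Assumed column order for a log saved as comma-delimited text.
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample records, for illustration only.
SAMPLE_LOG = """\
3/12/2001,9:14:02 AM,atapi,Error,None,9,N/A,WS01
3/12/2001,9:14:40 AM,atapi,Error,None,9,N/A,WS01
3/12/2001,9:20:11 AM,Srv,Warning,None,2013,N/A,WS01
3/12/2001,9:31:55 AM,atapi,Error,None,9,N/A,WS01
3/12/2001,9:45:00 AM,eventlog,Information,None,6005,N/A,WS01
3/12/2001,10:02:17 AM,Cdrom,Error,None,7,N/A,WS01
"""

def parse_events(text):
    """Turn comma-delimited log text into one dict per event."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def filter_events(events, **criteria):
    """Keep events matching every criterion, e.g. type="Error", source="atapi"."""
    def matches(ev):
        return all(ev[k].lower() == str(v).lower() for k, v in criteria.items())
    return [ev for ev in events if matches(ev)]

def recurring(events, min_count=3):
    """Count (source, event ID) pairs among errors and warnings and return
    those seen at least min_count times: a pattern rather than a one-off."""
    problems = [ev for ev in events if ev["type"] in ("Error", "Warning")]
    counts = Counter((ev["source"], ev["event"]) for ev in problems)
    return {key: n for key, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(len(filter_events(events, type="Error")), "error events")
    for (source, event_id), n in recurring(events).items():
        print(f"{source} event {event_id} occurred {n} times")
```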

Task Manager
Whereas Event Viewer tells you what has happened in the past, Task Manager tells you what is happening right now. It provides information about applications and processes running on the system, including what memory and processor resources they are consuming. This can help you identify programs and processes that might be hogging resources to the detriment of other, more important programs that need to run.

A process is a program that performs a specific task. An application can consist of a single process or many processes running simultaneously or consecutively. Task Manager not only lists all applications that are running, but it also breaks them down by process.

To open Task Manager, press [Ctrl][Alt][Delete] and then click Task Manager. To see what applications are running, click the Applications tab. If Task Manager reports a program’s status as Not responding rather than Running, you can shut it down by highlighting the program and clicking the End Task button.

To tell what process an application belongs to, on the Applications tab, right-click the application and choose Go To Process. The process will be highlighted on the Processes tab.

The Processes tab shows you a list of all running processes and their measures. A measure is a statistic about the process, such as how much CPU time and memory it is consuming (see Figure C). You can sort any column by clicking on its column title.

Figure C
View processes and their measures on the Processes tab.

The main thing you need to be concerned about on the Processes tab is the CPU Time. For example, suppose you’re trying to balance workload among several servers in a network. If two or more processes are battling for CPU time on a single server, that’s a good indicator that you could achieve better performance by moving one of them to another server.

On the Performance tab, you can see the CPU and memory usage as graphs, plus some other statistics. Most of the data here has to do with memory:

  • The Totals section reports the number of handles, threads, and processes. You already know what a process is. A handle is a variable used to access a device or object; a thread is a unit of execution within a process.
  • The Physical Memory section tells you how much physical memory is installed and how much is in use.
  • The Commit Charge section deals with virtual memory. Total here is the amount of virtual memory used by all processes. Limit is the amount of virtual memory available without expanding the paging file. Peak is the largest amount of virtual memory used in the session.
  • The Kernel Memory section shows the paged (virtual) and nonpaged (physical) pools of memory, in kilobytes, allocated to the operating system.

The kernel is the part of the operating system that manages memory, files, and peripheral devices; remembers the date and time; launches applications; and allocates system resources. Kernel usage can be significant when you’re troubleshooting a problem because you need to know whether it is the operating system itself that’s causing a problem or whether it is a specific application. To view the percentage of processor time the kernel is consuming, choose View | Show Kernel Times. This adds another graph line to the charts—a red one for the kernel (see Figure D). The green line is for user mode; it shows the time spent running threads within applications.

Figure D
By setting View to Show Kernel Times, you can monitor application and kernel statistics on the same graph.

System Monitor
System Monitor is similar to the Performance tab in Task Manager, but it provides much more varied and comprehensive information. You can use System Monitor as a standalone application or to monitor another PC on your network. You can run it as a standalone application (choose Start | Settings | Control Panel, double-click on Administrative Tools, and then double-click on Performance) or as a snap-in to a Microsoft Management Console (MMC).

When you start the Performance application (i.e., System Monitor) for the first time, a blank graph appears. You must add counters to it to specify what you want to track. A huge assortment of counters is available, so you can track almost any system performance variable that interests you.

Before we dive into the counters, however, let’s get a few terms straight: object, instance, and counter:

  • An object in System Monitor is a major component or subsystem, such as a hard disk or a process. There are a fixed number of objects in Windows 2000. These are not the same as Active Directory objects; there is no relation between the two. They just happen to share the same term.
  • An instance is just what it sounds like—one instance of a particular type of object. For example, if Hard Disk is an object type and you have two hard disks, you have two instances of that object type.
  • A counter is a record of data on an aspect of an object. For example, as you saw with Task Manager, each process object has a counter for CPU time and a counter for memory usage.

System Monitor’s job is to display counters for the objects you specify. If there are multiple instances of an object, you can choose to monitor all instances or just one particular one. You then use the data from these counters to decide whether the system is working satisfactorily or not.

Here’s how to add a counter:

  1. Right-click the Details pane and choose Add Counters. A list of objects appears.
  2. Choose the object type. The available objects depend on the services and applications installed on your computer.
  3. Choose All Counters or choose Select Counters From List and then choose individual counters for the object.
  4. If there are instances of the object, choose All Instances or choose Select Instances From List and then choose the individual instances you want.
  5. Click Add.
  6. Click Close to close the Add Counters dialog box. The new counter appears, as shown in Figure E.

Figure E
Add your new counter and enjoy the ability to monitor it in real time.

You can display a counter as a histogram (bar chart), a report (text/numbers in columns), or a chart (line graph). Histograms are good for simplifying graphs that contain multiple counters. Reports work well for collecting data you want to export into a spreadsheet. Charts are useful for monitoring data over time. You can change the way a counter is displayed by right-clicking it and choosing Properties.

Choosing which counters to use
There are so many counters available in System Monitor that it can be difficult to determine which counter will give you the information you need. Here are some specific counters you might want to use to optimize your system performance:

  • Memory: Pages/sec—This displays the number of requested pages that were not immediately available in RAM and had to be read from disk or written to disk to make room for other pages in RAM. A high value here can indicate that you need to add more physical memory to the PC.
  • Paging File: % Usage and % Usage Peak (bytes)—If either of these is very high, you might need a larger paging file (virtual memory). The recommended size for a paging file is 1.5 times the amount of physical RAM.

Another way to improve paging file performance is to move it to a different physical disk than the OS. For more information on paging files, read “Swap files: The truth is out there.”

  • Processor: % Processor Time—This shows the percentage of time that the processor is busy executing a non-idle thread. If this value is over 80 percent, the system might benefit from a faster processor.
  • Processor: Processor Queue Length—This shows the count of threads currently in the processor queue. This is mostly an issue for servers. A queue that often contains two or more items on a single-processor system can indicate that the system would benefit from having multiple processors.
  • PhysicalDisk/LogicalDisk: Disk Transfers/sec—This indicates the number of reads and writes completed per second, and it measures disk utilization. If this value exceeds 50, the system might benefit from a faster hard disk.
  • Network Interface: Packets Outbound Discarded—This counter shows whether the network is saturated. If this counter continuously increases, the network buffers cannot keep up with the outbound flow of packets. For a saturated network, consider subnetting or making other changes to reduce network traffic.

The above list only scratches the surface of counter uses. In particular, for network analysis, there are many more ways to monitor performance. But for the individual beginner curious about performance monitoring, this list is a good start.

You can set alerts to notify you when a particular statistic crosses a threshold that you define. They’re like counters, but you don’t have to keep System Monitor running all the time to monitor them. For example, you might set an alert to let you know when disk space used exceeds 80 percent or when the number of failed logon attempts exceeds a specified number.

To set an alert, start in the Performance window (System Monitor) and do the following:

  1. Double-click Performance Logs And Alerts in the console tree.
  2. Right-click Alerts and choose New Alert Settings. In the resulting dialog box, type a name for the alert. Click OK.
  3. A dialog box named for your new alert opens with the General tab displayed. Type a description of the alert setting in the Comment box.
  4. Click Add to specify objects, counters, instances, and updating information in the Add Counters dialog box.
  5. After adding the counters, specify properties for the sample interval and alert threshold on the General tab.
  6. On the Action tab, select Log An Entry In The Application Event Log. You can also specify a network message be sent to the computer that triggered the alert and a program to be opened when an alert is triggered.
  7. On the Schedule tab, define your start and stop parameters for the log under Start Scan and Stop Scan.
  8. Click OK. The alert will appear in Performance Monitor under the name and comment you specified.

Depending on how you set up the alert, you can then check for it in a log file and/or wait until you receive a system message indicating that the alert has been triggered.
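The threshold checks above can also be run over counter readings collected for later review. The following is an added example, not part of the original article: it applies the over/under comparison an alert makes at each sample interval, using the 80 percent, 50 transfers/sec, and two-thread rules of thumb from the counter list. The readings are constructed, and treating "often" as at least half of the samples and "continuously increases" as growth in every interval are assumptions.

```python
CPU, QUEUE = "% Processor Time", "Processor Queue Length"
DISK, DISCARDS = "Disk Transfers/sec", "Packets Outbound Discarded"

# Constructed readings, one row per sample interval.
ROWS = [(62, 1, 31, 0), (91, 3, 44, 2), (88, 2, 57, 5), (75, 2, 39, 9)]
SAMPLES = [dict(zip((CPU, QUEUE, DISK, DISCARDS), row)) for row in ROWS]

def alert_hits(samples, counter, limit, over=True):
    """Indexes of samples whose value is over (or under) the limit, the
    comparison an alert makes at every sample interval."""
    return [i for i, s in enumerate(samples)
            if (s[counter] > limit if over else s[counter] < limit)]

def steadily_rising(samples, counter):
    """True when the counter grew in every interval (assumed meaning of
    'continuously increases')."""
    values = [s[counter] for s in samples]
    return len(values) > 1 and all(b > a for a, b in zip(values, values[1:]))

def review(samples, often=0.5):
    """Apply the article's rules of thumb; 'often' is an assumed fraction."""
    queue_hits = alert_hits(samples, QUEUE, 1)  # over 1 means two or more
    return {
        "cpu_over_80": alert_hits(samples, CPU, 80),
        "disk_over_50": alert_hits(samples, DISK, 50),
        "queue_often_2_plus": bool(samples) and len(queue_hits) / len(samples) >= often,
        "network_saturated": steadily_rising(samples, DISCARDS),
    }

if __name__ == "__main__":
    for finding, result in review(SAMPLES).items():
        print(f"{finding}: {result}")
```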

In this Daily Drill Down, I introduced you to some of the tools in Windows 2000 that you can use for monitoring system performance, with an eye toward troubleshooting and improvement. Each of these tools is quite complex; all I could do was give an overview. But now that you know what’s there, you should be able to explore the individual tools on your own in more detail.

Do you find a particular System Monitor counter especially helpful in monitoring your PC or other PCs on your network? You can share your favorite counters with other TechProGuild members by adding comments to this Daily Drill Down.

Examples include the failure of a driver to load, a program error resulting in abnormal program termination, or an invalid logon attempt at a workstation.