Microsoft Windows XP Professional Administrators Guide

Once the initial configuration of Windows XP Professional is complete, administrators need to continue to monitor the computer to ensure that it is operating efficiently. Monitoring includes tracking the computer's use of system resources to look for changes in performance or usage trends. The information gathered while monitoring provides administrators with the information they need to proactively forecast future system bottlenecks and to anticipate future hardware requirements. Monitoring is also a key tool used by administrators in troubleshooting performance problems.

Windows XP Professional provides administrators with several utilities for monitoring system activity and resources. These utilities include:

• Task Manager. A utility that provides a real-time snapshot of application, process and user performance as well as a graphic overview of system and network performance

• System Monitor. An MMC (Microsoft Management Console) snap-in that collects and displays real-time performance data, including disk, memory, processor, and network measurements in a graphic report of histogram format

• Performance Logs and Alerts. An MMC snap-in that stores performance data and establishes alerts that notify you when monitored resources exceed preset thresholds

Each of these utilities is examined in detail throughout the rest of this chapter.

Task Manager

Windows XP Task Manager utility provides administrators with a tool for monitoring computer performance. Performance data is organized into five property sheets, each of which focuses on a different set of resources. These property sheets include:

• Applications. Displays real-time application data and provides the ability to terminate nonresponsive applications or applications that are suspected of hampering performance

• Processes. Displays information regarding all active processes, including their processor and memory usage, and provides the ability to terminate processes that are consuming excessive system resources

• Performance. Displays a graphic view of overall system performance, including processor and page file usage and a detailed measurement of memory consumption

• Networking. Displays a graphic view of the computer's network connections and provides information about each type of connection, including its utilization, speed, and state

• Users. Displays a list of active users and provides the ability to forcefully disconnect or log off each user or send them a text message

Task Manager can be started using either of the following methods:

• Press and hold the Ctrl+Alt+Delete keys simultaneously.

• Right-click on the Windows XP taskbar and select Task Manager.

Once active, the Task Manager displays an icon in the taskbar notification area that provides a graphic view of processor usage, mirroring the CPU usage graphic located on the Performance property sheet. Double-clicking on this icon displays the Task Manager. By default, Task Manager prevents other applications from overlaying its display. Right-clicking on its icon in the taskbar's notification area and clearing the Always on top option will alter this behavior.

Using Task Manager to Control Applications

The Task Manager's Applications property sheet, shown in Figure 13.12, displays a list of applications and shows their current status. An application's normal status should be running. However, sometimes applications cease operation and yet remain in the system. The status of these applications is listed as nonresponsive. Any memory assigned to a nonresponsive application remains unavailable until the application is stopped. Administrators can forcefully terminate an application using the Task Manager by selecting the application and clicking on End Task. Terminating an application has the following effects:

Figure 13.12: Using Task Manager to monitor and manage active application activity

• The application ends.

• Any memory resources allocated to the application are freed up for reuse.

• Any unsaved application data is lost.

Using Task Manager to Control Processes

The Task Manager's Processes property sheet, shown in Figure 13.13, displays a list of active processes. A process is an application that runs in a protected memory area. Certain Windows XP services run as processes. In addition, applications run as one or more processes. The Processes property sheet also displays the context under which the processes are started. In addition, the amount of processor capacity currently consumed by the process and its total memory allocation is displayed. The display can be sorted by any category by clicking on column headings. Clicking on a particular column heading a second time reverses sort order.

Figure 13.13: Using the Task Manager to examine active processes

There are 21 other categories of information that can be displayed by selecting the Select Columns option on the View menu. The priority assigned to any process can be changed by clicking on View and then selecting Update Speed and selecting from one of the following options:

• High

• Normal

• Low

• Paused

Noncritical system processes can be terminated by selecting the process and clicking on End Process. A warning message is then displayed. Click on Yes to stop the selected process. Windows XP will not permit the termination of critical system processes. Termination of noncritical processes can result in loss of data or application instability and should be used only with caution. By default, the Processes property sheet only displays processes that relate to the currently logged-on user's context. However, by selecting the Show processes from all users option at the bottom of the property sheet, every currently active process can be monitored.

Using Task Manager to Monitor Overall System Performance

The Task Manager's Performance property sheet, shown in Figure 13.14, displays a historical graphic representation of processor and page file or virtual memory performance. In addition, the lower half of the property sheet is organized into the following categories:

Figure 13.14: Using the Task Manager to monitor system performance and view detailed memory statistics

• Totals. Displays the total number of active handles, threads, and processes currently running on the computer

• Physical Memory (K). Displays the amount of physical memory installed on the computer as well as the amount of memory currently available and allocated to System Cache

• Commit Charge (K). Displays information about virtual memory use

• Kernel Memory (K). Displays information about the amount of memory used by Windows XP to perform its operations

Administrators can use the information provided by the Performance property sheet to get a quick view of the overall performance of the computer. If system activity is inappropriately high, look for a problem with an application or process. If no one application or process is causing the problem, double-check the computer's performance settings.

Using Task Manager to Monitor Network Performance

The Task Manager's Networking property sheet, shown in Figure 13.15, displays a historical graphic representation of the computer's network activity. This property sheet is displayed only if the computer has a network adapter.

Figure 13.15: Using the Task Manager to examine network statistics

The main display area automatically presents a graphical view of the computer's network utilization. The lower portion of the Networking property sheets displays an entry for each network adapter installed on the computer. In addition, the percentage of network utilization, link speed, and connection status are displayed. By examining this property sheet, administrators can quickly determine the amount of processing load that the computer is experiencing for each of its network connections.

The System Monitor

The System Monitor is a snap-in that executes inside an MMC. Unlike the Task Manager, the System Monitor snap-in can collect and display performance data for both local and remote network computers. To use the System Monitor snap-in, the following information is required:

• The name or IP address of the computer to be monitored

• The objects on each computer that are to be tracked

• The counters to be tracked for each object

• The instances to be monitored

The System Monitor views the operating system as a collection of objects. Examples of objects include:

• Processor

• Memory

• Physical disk

• Paging file

The System Monitor snap-in then collects performance data about each specified object based on the counters that have been established for that object. Counters are metrics or unique units of measurement that describe some aspect of an object's performance. For example, one of the counters available for the memory object is the Available Bytes counter, which collects data regarding how much physical memory is available at any moment.

Depending on the hardware configuration of the computer, there may be many cases in which there are two or more instances of the same type of object. For example, a computer may have more than one processor or hard disk drive, in which case performance data can be collected for all processors and drives or for just a particular instance.

The System Monitor snap-in provides a collection of over 30 objects that can be monitored, each of which may have dozens of counters available. This makes this tool more powerful than the Task Manager, because of its ability to break down performance data into discrete objects, counters, and instances, as well as its ability to monitor both the local and network computers. However, more setup is required, making the Task Manager a better tool to use when the administrator just wants a quick high-level look at the overall performance of the local computer.

Windows XP Professional comes equipped with a preset collection of MMC consoles. The Performance Console already contains the System Monitor snap-in. In addition, this snap-in can easily be added to new custom consoles. Its operation is the same regardless of the console that contains it.

The following procedure outlines the steps involved in starting the Performance Console and using it to monitor either a local or remote network computer.

1. Click on Start and then Control Panel. The Windows XP Control appears.

2. Click on the Performance and Maintenance icon. The Performance and Maintenance folder appears.

3. Click on Administrative tools. A list of predefined MMC consoles is displayed.

4. Double-click on the Performance icon to open the Performance console, as shown in Figure 13.16.

   Figure 13.16: The Performance console provides access to both the System Monitor and the Performance Logs and Alerts snap-ins

5. The Performance console contains the following snap-ins:

   • System Monitor

   • Performance Logs and Alerts

   By default, the System Monitor snap-in is displayed. In addition, three default counters are automatically loaded for the local computer. These are:

   • Pages/sec

   • Avg. Disk Queue Length

   • % Processor Time

   Each counter is assigned a different color, which is used to display a graphic representation of its performance activity.

6. To remove one of the default counters, select it and click on the black X icon just above the main display area.

7. To add a new counter, click on the + icon just to the left of the X icon. The Add Counters dialog appears, as shown in Figure 13.17.

   Figure 13.17: Adding new counters

8. At the top of this dialog, select one of the following options:

   • Use local computer counters. Select this option to monitor the local computer.

   • Select counters from computer. Select this option to monitor a network computer.

   If the second option is selected, type the network computer's name or IP address into the field provided.

9. Select the performance object to be monitored from the Performance object drop-down list. A list of all of the counters that apply to the selected object is displayed.

10. Select the All counters option to monitor every available counter for the specified object, or select the Select counters from list option, and select a specific counter.

11. If more than one instance of the selected object exists, select either the All instances option to monitor every instance or select the Select instances from list option and pick a specific instance.

12. Click on Explain to see an explanation of the currently selected counter.

13. Click on Add to add the counter. The Add Counters dialog remains open, allowing the selection of other computers, objects, counters, and instances.

14. Click on Close when done specifying monitoring criteria.

The System Monitor snap-in provides three views for examining captured data. These are:

• View Graph. Displays a rolling graph of activity

• View Histogram. Displays data in the form of a bar chart

• View Report. Displays data in report format

The default display setting is View Graph. To change the view, click on one of the three icons to the left of the + icon above the main graphic display area.

Performance Logs and Alerts

The Performance Logs and Alerts snap-in, shown in Figure 13.18, can be found in either of the following MMCs:

Figure 13.18: The Performance Logs and Alerts snap-in allows administrators to store performance data in logs and to create alerts when predefined thresholds are exceeded

• The Performance Console

• The Computer Management Console

Administrators use the Performance Logs and Alerts snap-in to create performance logs and troubleshooting logs, as well as to create alerts that notify administrators when a specified event occurs on a computer.

The Performance Logs and Alerts snap-in organizes logs and alerts into the following categories:

• Counter Logs. Collects data for specified computers, objects, counters, and instances at predefined intervals

• Trace Logs. Collects data whenever the threshold for specified computers, objects, counters, and instances is exceeded

• Alerts. Performs a predefined set of actions whenever the threshold for specified computers, objects, counters, and instances is exceeded

Creating Alerts

Administrators can configure any number of alerts, each of which will be stored under the Alerts entry in the Performance Logs and Alerts tree. An alert consists of three types of information, as shown below.

• General. Specifies the computers, objects, counters, instances, and thresholds on which to alert, as well as the data collection interval and the user account to be used when collecting performance data.

• Action. Specifies the actions to be taken when an alert occurs. Available options include logging event, sending a message, starting a performance log, and running a program or script.

• Schedule. Specifies the schedule for stopping and starting the collection of performance data.

The following procedure outlines the steps involved in setting up a new alert.

1. Click on Start and then Control Panel. The Windows XP Control Panel appears.

2. Click on the Performance and Maintenance icon. The Performance and Maintenance folder appears.

3. Click on Administrative tools. A list of predefined MMC consoles is displayed.

4. Double-click on the Performance icon to open the Performance console.

5. Expand the Performance Logs and Alerts snap-in.

6. Select the Alerts category to see a list of all currently defined alerts.

7. To add a new alert, right-click on Alerts and select New Alert Settings. The New Alert Settings dialog appears. Type a name for the new alert that describes its purpose and click on OK, as demonstrated in Figure 13.19.

   Figure 13.19: Type a name for the new alert

8. The dialog shown in Figure 13.20 appears.

   Figure 13.20: Alert settings are stored on three property sheets

   Type a descriptive comment in the comment field that explains the reason for creating the alert and then click on Add. This opens the Add Counters dialog, which is the same dialog used to specify System Monitor counters. Specify as many counters as required and click on OK.

9. An entry for each counter that is added appears in the Counter section. Select each counter and set values for the following fields, as demonstrated in Figure 13.21.

   Figure 13.21: Creating an alert that reports on when a hard drive begins to fill up

   • Alert when the value is. Specify either under or over.

   • Limit. Specify a numeric threshold.

   • Interval. Specify the interval to be used to collect performance data.

   • Units. Specify seconds, minutes, hours, or days.

   • Run As. The name of a user account to be used when collecting performance data.

   • Password. Specify the password associated with the specified user account.

10. Select the Action property sheet and fill out any required fields, as shown in Figure 13.22.

    Figure 13.22: Specify what actions are performed when a counter's threshold specified in an alert is exceeded

11. Select the Schedule property sheet to specify Start scan and Stop scan options, as shown in Figure 13.23.

    Figure 13.23: Determine when the alert starts and stops execution

12. Click on OK. An entry for the alert appears in the Performance console under the Alerts category. To modify alert settings, right-click on the alert and select Properties. To manually stop and start the alert, right-click on the alert and select Start or Stop.

Configuring Logs

Logs are used to store performance data for later review and analysis. They can be used to study computer performance over time and to look for bottlenecks and changes in computer usage and to help forecast the need for new hardware. Once created, logs can be viewed by double-clicking on them, which automatically opens them using the System Monitor. In addition, logs can be manually started and stopped by right-clicking on them and selecting Start or Stop.

The following procedure outlines the steps involved in configuring a new counter log.

1. Click on Start and then Control Panel. The Windows XP Control Panel appears.

2. Click on the Performance and Maintenance icon. The Performance and Maintenance folder appears.

3. Click on Administrative tools. A list of predefined MMC consoles is displayed.

4. Double-click on the Performance icon to open the Performance console.

5. Expand the Performance Logs and Alerts snap-in.

6. Right-click on the Counter Logs and select New Log Settings. The New Log Settings dialog box appears.

7. Type a descriptive name for the Counter log and click on OK.

8. A new dialog appears containing the following property sheets.

   • General. Allows for the specification of objects and counters, a polling interval, and the ability to specify a user account and password that will be used during execution

   • Log Files. Allows for specification of log file name and format

   • Schedule. Specifies the schedule for stopping and starting the collection of performance data

   Select the General property sheet.

9. Click on Add Objects. The Add Objects dialog appears. Select as many objects and counters as desired and click on Close.

10. The current log file name field should not display the location where the log will be stored. The Counters section will display a list of all specified counters.

11. Set the interval during which data is to be collected. The default value is 15. Specify the units of time. Valid options are seconds, minutes, hours, and days.

12. Optionally, specify a user account to be used when processing the log and specify its password. This will allow the log to run even when no one is logged on to the computer.

13. Select the Log Files property sheet, as shown in Figure 13.24.

    Figure 13.24: Specify log file type, version information, and a comment

14. Select the type of log to be created. Available options include:

    • Text File (Comma delimited). A log format appropriate for migrating the log's data into other applications such as Excel or Microsoft Access

    • Text File (Tab delimited). A log format appropriate for migrating the log's data into other applications such as Excel or Microsoft Access

    • Binary File. The default log type used to stored logs that can be viewed using the System Monitor snap-in

    • Binary Circular File. A log format that allows existing log contents to be overridden as necessary

    • SQL Database. A log format appropriate for migrating the log's data into a SQL database

15. Click on Configure. The Configure Log Files dialog appears.

16. Specify the location where the log will be stored, its file name, and its file size and then click on OK to close the Configure Log Files dialog.

17. Optionally, specify a suffix format that will be used to automatically name the log file.

18. Optionally, type a comment describing the purpose of the log.

19. Click on the Schedule property sheet to set the log file execution schedule, as shown in Figure 13.25.

    Figure 13.25: Setting the log file execution schedule

20. Available options include manually starting and stopping the log file, setting a start and stop date and time, and specifying what to do when the log file is closed. Available options are:

    • Start a new log file

    • Run this command

21. Set the appropriate start options and click on OK.

Key Performance Metrics

One of the most difficult things about working with the System Monitor and Performance Logs and Alerts snap-ins is wading through the vast collection of objects and counters to find the ones that will accurately assist administrators in measuring and monitoring system performance. While administrators can use these tools to track and monitor extremely specific aspects of computer performance, a good overall view of critical system resources can be achieved using just a small number of objects and counters. Some of these objects and their counters are listed in Table 13.2.

Each of these objects and counters is further explained in the sections that follow.

Monitoring CPU Performance

An overburdened processor can create a bottleneck and slow down computer performance. However, many things affect processor performance, including memory, disk, and hardware problems, all of which may create the false indication that the computer's processor is creating a performance bottleneck. For example, when a computer does not have enough physical memory, it must use more virtual memory. Since the processor must manage this activity, a low memory condition may overwork the processor. In addition, a fragmented hard disk may also overwork the processor. Therefore, it is important to examine both memory and disk counters to be sure that problems with other system resources are not creating the false impression that the computer's processor is the source of the bottleneck.

The following list of objects and counters is helpful in monitoring processor performance.

• Examine the processor object's % Processor Time counter. If it is constantly running at 100 percent, the processor is very busy. However, as long as the Processor Queue Length counter is less than 2, the processor is keeping up with the current workload.

• Examine the system object's Processor Queue Length counter. If the processor is running at 100 percent and this counter shows a consistent value of 2 or more, the processor is not keeping up with the computer's workload.

• Examine the processor object's Interrupts/sec counter to determine if a hardware device is sending excessive hardware interrupts to the processor. Excessive hardware interrupts usually indicate a problem with the hardware device.

• Examine the memory object's Pages/sec counter to determine if excessive use of virtual memory is placing a burden on both the hard disk drive and the processor.

If the processor is the source of a performance bottleneck, administrators can do several things to improve performance, including:

• Replacing the current processor with a faster processor.

• Adding a second processor if the computer's motherboard supports two processors. Windows XP Professional supports up to two processors.

• Moving some of the computer's workload over to a different computer.

• Disabling unnecessary background system processes and applications.

Monitoring Memory Performance

An adequate supply of physical memory is usually a computer's most important resource. Low memory leads to excessive reliance on virtual memory, which places a burden on the hard drive and on the processor. Use the following memory object counters to monitor memory performance.

• Pages/sec. A constant value of 20 or more pages per second indicates that the system is paging too much data into and out of virtual memory, thus causing a performance bottleneck.

• Available Bytes. This metric indicates the amount of physical memory that is available for applications. Anything under 4MB indicates a low memory condition.

If memory is determined to be the source of a performance bottleneck, administrators can do several things to improve performance, including:

• Adding additional memory

• Moving some of the computer's workload over to a different computer

• Disabling unnecessary background system processes and applications

Monitoring Disk Drive Performance

As hard disk drives become fragmented or fill up, their performance begins to slow and can have a significant impact on the operation of the computer. Windows XP Professional provides two objects for tracking hard disk performance, which are:

• Physical Disk. Represents all disk activity for an entire disk drive

• Logical Disk. Represents disk activity for a particular volume on a disk drive

Use the following physical and logical disk object counters to monitor hard disk performance.

• % Disk Time. This counter indicates how busy the physical or logical disk is. A value of 100 percent indicates that the disk is performing at peak capacity.

• Current Disk Queue Length. This counter indicates how many disk read or write requests are waiting to be processed. If this value exceeds 2, then the disk drive is not keeping up with its workload.

If hard disk performance is determined to be the source of a performance bottleneck, administrators can do several things to improve performance, including:

• Replacing the current hard disk with a faster hard disk

• Adding a second disk drive and moving the pagefile.sys file over to it

• Adding additional disk drives and using them to spread out virtual memory and overall disk workload

• Moving some of the computer's workload over to a different computer