Overview of Performance Monitoring |
Windows 2000 collects data about system resources, such as disks, memory, processors, and network components. In addition, applications and services that you might be running on your system can also perform data collection. By default, the operating system obtains performance data for system resources using the registry.
When you use performance tools to access registry functions for performance data, the system collects the data from the appropriate system object managers, such as the Memory Manager, the input/output (I/O) subsystem, and so forth.
As an option, Windows 2000 supports collecting data using the Windows Management Infrastructure (WMI) interface by means of the following command syntax typed at the Windows command prompt:
perfmon / WMI
In addition to several of the system performance counter DLLs, the operating system installs managed object files (MOFs) for data collection using WMI instead of the registry. These files reside in System32\Wbem\Mof. The Windows Management service must be running on the monitoring and monitored computer (if different) in order to obtain data using WMI.
Windows 2000 defines the performance data it collects in terms of objects, counters, and instances. Think of a performance object as any resource, application, or service that you can measure. The following sections describe these entities in more detail.
By default, Windows 2000 installs numerous performance objects corresponding to hardware or other resources in the system. The following table shows the default performance objects installed by the operating system on a Microsoft® Windows® 2000 Professional installation.
Table 5.1 Windows 2000 Performance Objects
Object name | Description |
---|---|
ACS/RSVP Service | Reports activity of the Quality of Service (QoS) Admission Control Service used to manage the priority use of network resources (bandwidth) at the subnet level. |
Browser | Reports activity of the Browser service in Microsoft® Windows® 2000 Server that lists computers sharing resources in a domain and other domain and workgroup names across the wide area network (WAN). Windows 2000 provides the Browser service for backward compatibility with clients that are running Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows® 3.x, and Microsoft® Windows NT®. |
Cache | Reports activity for the file system cache, an area of physical memory that holds recently used data. |
Distributed Transaction Coordinator | Reports statistics about activity of the Microsoft Distributed Transaction Coordinator, a part of Component Services (formerly known as Transaction Server) used to coordinate two-phase transactions by Message Queuing. |
HTTP Indexing Service | Reports statistics regarding queries run by the Indexing service, a service that builds and maintains catalogs of the contents of local and remote disk drives to support powerful document-search capabilities. |
IAS Accounting Clients | Reports activity of the Internet Authentication Service (IAS) as it centrally manages remote client accounting (usage). |
IAS Accounting Servers | Reports activity of the Internet Authentication Service (IAS) as it centrally manages remote server accounting (usage). |
IAS Authentication Clients | Reports activity of the Internet Authentication Service (IAS) as it centrally manages remote client authentication. |
IAS Authentication Servers | Reports activity of the Internet Authentication Service (IAS) as it centrally manages remote server authentication. |
ICMP | Reports the rates at which Internet Control Message Protocol (ICMP) messages are sent and received by using the ICMP protocol, which provides error correction and other packet information. |
Indexing Service | Reports statistics pertaining to the creation of indexes and the merging of indexes by the Indexing service. Indexing service indexes documents and document properties on your disks and stores the information in a catalog. You can use Indexing service to search for documents, either with the Search command on the Start menu or with a Web browser. |
Indexing Service Filter | Reports filtering activity of the Indexing service. Indexing service indexes documents and document properties on your disks and stores the information in a catalog. You can use Indexing service to search for documents, either with the Search command on the Start menu or with a Web browser. |
IP | Reports activity at the Internet Protocol (IP) layer of Transmission Control Protocol/Internet Protocol (TCP/IP). |
Job Object | Reports the accounting and processor usage data collected by each active, named job object. |
Job Object Details | Reports detailed performance information about the active processes that make up a job object. |
Logical Disk | Reports activity and usage of disk partitions and volumes.
Use diskperf -y to enable disk counters and diskperf -n to disable them. To specify the type of counters you want to activate, include d for physical disk drives and v for logical disk drives or storage volumes. When the operating system starts up, it automatically sets the diskperf command with the -yd switch to activate physical disk counters. Type diskperf -yv to activate logical disk counters. For more information about using the diskperf command, type diskperf -? at the command prompt. |
Memory | Reports usage of random access memory (RAM) used to store code and data. |
NBT Connection | Reports the rate at which bytes are sent and received over connections that use the NetBT protocol, which provides NetBIOS support for the TCP/IP protocol between the local computer and a remote computer. |
Network Interface | Reports rates at which bytes and packets are sent and received over a TCP/IP connection by means of the network adapters. Typically the first instance of the Network Interface object (Instance 1) that you see in System Monitor represents the loopback address; however, sometimes the loopback address does not appear. The loopback address is a local path through the protocol driver and the network adapter. All other instances represent installed network adapters (WAN interfaces, remote access modems, and so forth). |
Objects | Reports data about system software objects, such as events, and so on. |
Paging File | Reports usage of the paging file, used to back up virtual memory allocations. |
Physical Disk | Reports usage of hard disks and redundant array of independent disks (RAID) devices. |
Print Queue | Reports statistics for print jobs in the queue of the print server. New for Windows 2000. |
Process | Reports activity of the process, which is a software object that represents a running program. |
Processor | Reports activity of the processor (also called the CPU), the part of your computer hardware that carries out program instructions. |
Redirector | Reports activity for the Redirector file system, which diverts file requests to network servers. |
Server | Reports activity for the Server file system, which responds to file requests from network clients. |
Server Work Queues | Reports the length of queues and objects in the queues for the Server service. |
System | Reports statistics for systemwide counters that track file operations, processor time, and so on. |
TCP | Reports the rates at which TCP segments are sent and received using the Transmission Control Protocol (TCP). |
Telephony | Reports activity for telephony devices and connections. |
Thread | Reports activity for a thread (the part of a process that uses the processor). |
UDP | Reports the rates at which User Datagram Protocol (UDP) datagrams are sent and received using UDP. |
If you are running Windows 2000 Server, Setup automatically installs the Active Server Pages, FTP Service, Internet Information Services Global, and Web Service objects for use with Internet Information Service. In addition, Windows 2000 Server Setup installs the SMTP Server and SMTP NTFS Store Driver objects. Depending on the services you have configured, your system might provide several additional objects, such as the NTDS object, which reports activity of the Active Directory™ directory service, and the DNS object, which reports performance statistics for the Domain Name System (DNS) service. For detailed information about these and other performance objects, see the Windows 2000 Performance Counters Reference on the Microsoft® Windows® 2000 Resource Kit companion CD.
For information about writing applications that install performance objects that can be integrated with the performance tools, see the Software Development Kit (SDK) documentation in the MSDN™ Library at http://windows.microsoft.com/windows2000/reskit/webresources.
Each object has counters that are used to measure various aspects of performance, such as transfer rates for disks or the amount of processor time consumed for processors. Each object has at least one instance, which is a unique copy of a particular object type, though not all object types support multiple instances. This chapter and the following chapters describe objects, counters, and instances using the following syntax:
\\Computer_name\Object(ParentInstance/ObjectInstance#InstanceIndex)\Counter
The Computer_name portion is optional; if you do not include a computer name, the default is the local computer.
Note that the syntax includes a parent instance, object instance, and an instance index. This applies, for example, if the object has multiple instances and these instances might be identifiable by name or number, as defined by the counter developer. (Typically, internal system counters use numeric instance indexes.)
For example, if you are monitoring threads of the Microsoft Windows Explorer process, track the Windows Explorer instance of the Thread object (Windows Explorer would be the parent instance), and then each thread running Windows Explorer (these threads are child instances). The instance index allows you to track these child instances. The instance index for the thread you want might be 0, 1, and so on, for each thread, preceded by the number sign (#). The operating system configures System Monitor properties to display duplicate instances by default. Instance index 0 is hidden; numbering of additional instances starts with 1. You cannot monitor multiple instances of the same process unless you display instance indexes.
An instance called _Total is available on most objects, and represents a sum of the values for all instances of the object for a specific counter.
Depending on the tools used, you can configure data collection to occur almost immediately or according to a predefined schedule. Performance data reported is sampled, meaning that data is collected periodically rather than traced, whereby data is obtained as events occur. This collection method has the advantage of keeping overhead low, but it might occasionally overestimate or underestimate values when activity falls outside the sampling interval.
If you want more precise performance data, use event tracing, a new capability in Windows 2000. Event tracing can measure activity as it happens, eliminating the inaccuracies of sampling and making it possible to correlate resource usage such as page faults, disk input/output (I/O), and processor time with workload that can include threads, processes, or transactions. This capability supplements counter-based monitoring methods. You can configure trace logs for providers you have or for the built-in system provider that runs traces for the Windows kernel provider using trace logs in Performance Logs and Alerts. Because running trace logs of page faults and file I/O data incurs some performance overhead, log this data only for brief periods. Note that an additional program is required to parse the log output into readable form. Developers can create such a tool using APIs provided in the Platform Software Development Kit.
For information about writing a trace provider, see the Platform Software Development Kit (SDK) documentation in the MSDN Library at http://windows.microsoft.com/windows2000/reskit/webresources.
Depending on how a counter is defined, its values might be reported in one of the following ways:
For averaging counters, the sampling method can result in a slight delay in displaying values as data is collected and computed. In addition, after a single large value is reported, causing spikes in a performance graph, averaging counter values can be artificially high for a while until the average starts to reflect more recent steady-state activity.
Windows 2000 supports other types of counters, such as percentage, difference, and text. Difference counters display the change in value between the last two measurements. By default, counters that display their values as percentages cannot exceed 100 percent.
For information about the preceding generic counter types and their specific subtypes, see the Windows 2000 Performance Counter Reference (Counters.chm) on the Windows 2000 Resource Kit companion CD.