Archive

Posts Tagged ‘Performance’

Performance Tuning your Windows Server (Part 4)

May 2, 2010 6 comments

This is the 4th part of a series of posts I’ll be describing several settings and parameters that can be tuned to optimize your server performance. I hope you’ll find them useful and help you improve your servers performance.

Note: As with all changes, you should implement the following suggestions one at a time and verify that there was a performance improvement. If system performance decreases after making a change, you should reverse the change.

 

Networking

Windows servers often have more network services and protocols Networkinginstalled than are actually required. Each additional network client, service or protocol places additional overhead on system resources. In addition, each protocol generates network traffic. By removing unnecessary network clients, services and protocols, system resources are made available for other processes.

On a system supporting more than one network protocol, the order in which they are bound to the network clients and services running on the server is important. All network communications for a given service or client start with the protocol listed at the top of the binding list. If after a given period, no response is received, communications are routed to the next protocol in the list until all protocols are exhausted. As a result it is crucial to ensure the most frequently used protocol for a given client or service is moved to the top of the binding list to offer the best network I/O performance possible.

To view the order of network bindings, Open the Network Connections applet from the Control Panel, and from the menu bar, click Advanced → Advanced Settings.

By selecting a protocol and clicking the up and down buttons, you can change the binding priority of your protocols. If an installed protocol is not required by a particular service or client, it should be disabled.Do so by removing the tick in the check box beside the protocol in question. This will improve system performance and possibly improve security.

 

Disable Chimney and Offload features

Network Interface Card

TCP Offload Engine is an emerging technology which is designed to offload TCP stack handling from the main system CPU to a processor built into NIC cards. This technology is still relatively new, and when engaged, has been known to cause unstable connections. This results in dropped sockets, dropped packets, packet reordering and packet retransmits.

To disable the TCP Chimney Offload features:

1. Install the KB948496 update that turns off default SNP features

2. Run the following command at the command prompt:

netsh int ip set chimney DISABLED

 

3. Set the registry values as described below, or use the Microsoft Fix it #50051

Disable TCP Chimney:

Key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value:

EnableTCPChimney

Set to:

0x0 (0)

 

Disable Receive Side Scaling:

Key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value:

EnableRSS

Set to:

0x0 (0)

 

Disable TCP Window Auto-Tuning:

Key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value:

EnableTCPA

Set to:

0x0 (0)

 

4. Open Network Connections, locate each connection to see its properties and click Configure  → Advanced. Look for one or more entries as listed below (or similar, it depends on the manufacturer) and verify they are set to Off / Disabled / False:

  • TCP/IP Offload
  • Checksum Offload
  • IPv4 Checksum Offload
  • Large Send Offload (IPv4)
  • Large Send Offload

 

Harmful code detection (Antivirus) exclude settings:

Antivirus

Important: This section contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, you should evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Exclude the Windows Update or Automatic Update database file:

Folder Path:

%windir%\SoftwareDistribution\Datastore

Files Mask:

Datastore.edb

 

Exclude the Windows Update or Automatic Update log files:

Folder Path:

%windir%\SoftwareDistribution\Datastore\Logs

Files Mask:

Res*.log, Res*.jrs, Edb.chk, Tmp.edb

 

Exclude the Windows Security files:

Folder Path:

%windir%\Security\Database

Files Mask:

*.edb, *.sdb, *.log, *.chk, *.jrs

Note: If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

Exclude the Group Policy user registry information:

Folder Path:

%allusersprofile%\

Files Mask:

NTUser.pol

 

Exclude the Group Policy client settings file:

Folder Path:

%Systemroot%\System32\GroupPolicy\

Files Mask:

Registry.pol

 

Exclude the Active Directory and Active Directory main NTDS database files:

Folder Path:

%windir%\Ntds

Files Mask:

Ntds.dit, Ntds.pat

 

Exclude the Active Directory transaction log files:

Folder Path:

%windir%\Ntds

Files Mask:

EDB*.log, Res*.log, Res*.jrs

 

Exclude the files in the NTDS Working folder:

Folder Path:

Specified in the registry value: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

Files Mask:

Temp.edb, Edb.chk

 

Exclude the Database Log files and other files in the File Replication Service (FRS) Working folder:

Folder Path:

%windir%\Ntfrs

Files Mask:

edb.chk, Ntfrs.jdb, *.log

 

Drivers, Firmware and Service Packs:

Drivers, Firmware and Service Packs Use the latest drivers, firmware, and service packs.
Installing the latest version of a device driver, patch, BIOS update, microcode, or firmware revision for hardware is a very important part of routine server maintenance. Newer device drivers not only fix bugs and increase system stability, but can also increase the performance and efficiency of a device, improving overall system performance.
Microsoft periodically issues service packs and hot fixes for their operating systems. After a period of testing in your environment, these should be deployed to production systems.
Service packs and hot fixes often introduce updated code to key kernel and sub-system components of the operating system and can add extra performance and functionality benefits.

Performance Tuning your Windows Server (Part 3)

April 5, 2010 5 comments

This is the 3rd part of a series of posts I’ll be describing several settings and parameters that can be tuned to optimize your server performance. I hope you’ll find them useful and help you improve your servers performance.

Note: As with all changes, you should implement the following suggestions one at a time and verify that there was a performance improvement. If system performance decreases after making a change, you should reverse the change.

 

Registry optimizations

Note that several of the memory specific tuning parameters listed here hold relevance only for the 32-bit (x86) versions of the Windows Server 2003 operating system. They are no longer valid for the 64-bit (x64) editions given the greatly expanded memory architecture.

 

registry As with all changes, ensure you have a working and tested backup of the registry and entire server before making the change. Changes should be made and tested only one at a time. If system performance is negatively affected by making such a change, it should be reversed immediately.

 

Memory registry optimizations:

AdditionalDelayedWorkerThreads

At system startup, Windows creates several server threads that operate as part of the System process. These are called system worker threads. They exist with the sole purpose of performing work on the behalf of other threads generated by the kernel, system device drivers, the system executive and other components. When one of these components puts a work item in a queue, a thread is assigned to process it.

The number of system worker threads should ideally be high enough to accept work tasks as soon as they become assigned. The trade off, of course, is that worker threads sitting idle consume system resources unnecessarily.

The AdditionalDelayedWorkerThreads value increases the number of delayed worker threads created for the specified work queue. Delayed worker threads process work items that are not considered time-critical and can have their memory stack paged out while waiting for work items. An insufficient number of threads will reduce the rate at which work items are serviced; a value that is too high will consume system resources unnecessarily.

Key:

HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Executive

Value:

AdditionalDelayedWorkerThreads

Recommended value:

0x10 (16)

 

AdditionalCriticalWorkerThreads

The AdditionalCriticalWorkerThreads value increases the number of critical worker threads created for a specified work queue. Critical worker threads process time-critical work items and have their stack present in physical memory at all times. An insufficient number of threads will reduce the rate at which time-critical work items are serviced; a value that is too high will consume system resources unnecessarily.

Key:

HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Executive

Value:

AdditionalCriticalWorkerThreads

Recommended value:

0x10 (16)

 

PagedPoolSize

Windows allocates memory in pools for the operating system and its components, which processes access through the use of kernel mode. Two pools of kernel mode memory exist: The paged pool (which can be paged to the pagefile) and the non-paged pool (which can never be paged).

Performance and system stability can be seriously impacted if Windows experiences memory resource constraints and is unable to assign memory to these pools. The amount of physical memory assigned to these two pools is assigned dynamically at system boot time.

Some applications and workloads can demand more pooled memory than the system has been allocated by default. Setting the PagedPoolSize registry value as listed below can assist in ensuring sufficient pooled memory is available.

Key:

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

Value:

PagedPoolSize

Recommended value:

0xFFFFFFFF

With this value, Windows will calculate the maximum paged pool allowed for the system. For 32-bit systems, this is 491 MB. This setting is typically used for servers that are attempting to cache a very large number of frequently used small files, some number of very large size files, or both. In these cases, the file cache that relies on the paged pool to manage its caching it able to cache more files (and for longer periods of time) if more paged pool is available.

Caution: The 0xFFFFFFFF PagedPoolSize setting is not recommended for use on 32-bit Windows Server 2003-based computers that have 64GB of RAM. This will potentially bring the Free System PTE entry down and can cause continuous reboot of the computer.

 

PoolUsageMaximum

By default, the Memory Manager tries to trim allocated paged pool memory when the system reaches 80 percent of the total paged pool. By tuning the Memory Manager to start the trimming process earlier, it would be possible to keep up with the paged pool demand during sudden peak usage, and avoid running out of paged pool memory.

Key:

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

Value:

PoolUsageMaximum

Recommended value:

0x3C (60)

Setting the value at 60 informs the Memory Manager to start the trimming process at 60 percent of PagedPoolMax rather than the default setting of 80 percent. If a threshold of 60 percent is not enough to handle spikes in activity, reduce this setting to 50 percent or 40 percent.

 

SystemPages

SystemPages defines the number of system page table entries (PTEs) that are reserved for mapping I/O buffers and other information into the system address space. Each system page table entry maps one page.

Key:

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

Value:

SystemPages

Recommended value:

0x0

Setting the value at 0 informs the Memory Manager to calculate an optimal number of page table entries based on the platform type and the amount of memory available to the system. The system adjusts this value if the amount of memory changes.

 

DontVerifyRandomDrivers

The driver verifier at random intervals verifies drivers for debugging randomly. Disabling this functionality might improve system performance.

Key:

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

Value:

DontVerifyRandomDrivers

Recommended value:

0x1

 

 

File system registry optimizations

NtfsMftZoneReservation

Add the NtfsMftZoneReservation entry to the registry to allow the master file table (MFT) to grow optimally. When you add this entry to the registry, the system reserves space on the volume for the master file table. If your NTFS volumes contain relatively few large files, set the value of this registry entry to 1 (the default). Typically you can set this entry to a value of 2 or 3 for volumes that contain a moderate numbers of files, and use a value of 4 (the maximum) if your volumes tend to contain a relatively large number of files.

Key:

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

Value:

NtfsMftZoneReservation

Recommended value:

1 if volumes typically store fewer files.

2 or 3 if volumes typically store a moderate number of files.

4 if volumes typically store a large number of files.

Important: Test any settings greater than 2, because setting this entry to a value greater than 2 will cause the system to reserve a much larger portion of the disk for the master file table.

 

MaxWorkItems, MaxMpxCt, MaxCmds

The maximum number of concurrent outstanding network requests between a Windows Server Message Block (SMB) client and server is determined when a session between the client and server is negotiated. The maximum value negotiated is determined by registry settings on both the client and server. If these values are set too low on the server, they can restrict the number of client sessions that can be established with the server.

The values that can be adjusted to improve system performance for work items exist in the LanmanServer and LanmanWorkstation registry keys and are MaxWorkItems, MaxMpxCt and MaxCmds

The MaxWorkItems value specifies the maximum number of receive buffers, or work items, the Server service is permitted to allocate at one time. If this limit is reached, then the transport must initiate flow control, which can significantly reduce performance.

Key:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Value:

MaxWorkItems

Recommended value:

8192

Note: The MaxWorkItems value must be at least four times as large as the MaxMpxCt value

 

The MaxMpxCt value enforces the maximum number of simultaneous outstanding requests from a particular client to a server. During negotiation of a Server Message Block between the client and the server, this value is passed to the client’s redirector where the limit on outstanding requests is enforced. A higher value can increase server performance but requires more use of server work items (MaxWorkItems).

Key:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Value:

MaxMpxCt

Recommended value:

2048

Note: The MaxWorkItems value must be at least four times as large as the MaxMpxCt value.

 

The MaxCmds value specifies the maximum number of network control blocks the redirector can reserve. The value of this entry coincides with the number of execution threads that can be outstanding simultaneously. Increasing this value will improve network throughput, especially if you are running applications that perform more than 15 operations simultaneously. This value is set on the SMB client computer.

Key:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Value:

MaxCmds

Recommended value:

2048

Note: Start with the default or recommended values for these registry keys, and increase the value in small increments as needed. The more outstanding connections that exist, the more memory resources will be used by the server. If you set the values too high, the server could run out of resources such as paged pool memory.

 

NTFSDisable8dot3NameCreation

When a long file name is created using the Windows NTFS file system, the default behavior is to generate a corresponding short file name in the older 8.3 DOS file name convention for compatibility with older operating systems. This functionality can be disabled through a registry entry, offering a performance increase.

Key:

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

Value:

NTFSDisable8dot3NameCreation

Recommended value:

1

 

NTFSDisableLastAccessUpdate

Each file and folder on an NTFS volume includes an attribute called Last Access Time. This attribute shows when the file or folder was last accessed, such as when a user performs a folder listing, adds files to a folder, reads a file, or makes changes to a file. Maintaining this information creates performance overhead for the file system especially in environments where a large number of files and directories are accessed quickly and in a short period of time, for example when using the BizTalk File Adapter. Apart from in highly secure environments, retaining this information might add a burden to a server that can be avoided by updating the following registry key:

Key:

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

Value:

NTFSDisableLastAccessUpdate

Recommended value:

1

 

Maximize data throughput for network applications

If Windows Server is configured to optimize data throughput for network applications, the working set applications will have a priority over the working set of the file system cache. This setting is normally the best setting to use for all servers except dedicated file servers or with applications exhibiting file server-like characteristics.

To optimize data throughput for network applications set the following registry entries:

Key:

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

Value:

Size

Recommended value:

3

Key:

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

Value:

LargeSystemCache

Recommended value:

0

 

Related reading:

Performance Tuning your Windows Server (Part 2)

April 4, 2010 4 comments

This is the 2nd part of a series of posts I’ll be describing several settings and parameters that can be tuned to optimize your server performance. I hope you’ll find them useful and help you improve your servers performance.

Note: As with all changes, you should implement the following suggestions one at a time and verify that there was a performance improvement. If system performance decreases after making a change, you should reverse the change.

 

Unnecessary Services

Unnecessary ServicesWhen Windows is first installed, many services are enabled that might not be necessary for a particular server. Each service requires system resources and as a result is best to disable unnecessary services to improve performance. All services that are not required to be running on the server should be stopped and disabled. This will prevent the service from automatically starting at system boot time.

Note: Unless you are completely certain of the purpose of a given service it is recommended to research it further before choosing to disable it.

For example, the Print Spooler service is enabled by default but is not usually required if the server is not functioning as a print server or does not have local printing requirements.

But don’t disable the Spooler on your Domain Controllers. Printers which are advertised in Active Directory are monitored periodically by the DCs which have the spooler service enabled and running that they actually exist on the associated print server(s). If and when printers are found which do not exist on a print server, the spooler service will remove the associated object from AD. Thus, if all spooler services (on DCs) are disabled, print queues advertised in AD will need to be manually managed. See http://support.microsoft.com/kb/246269/ for more details.

The table below lists a few services on a standard Windows Server 2003 installation that should be reviewed for their requirement on your systems.

Service

Default startup type

Recommended setting

Alerter

Automatic

Disabled

Computer Browser

Automatic

Disabled

Distributed file system

Automatic

Disabled

Error Reporting Service

Automatic

Disabled

Help and Support

Automatic

Disabled

Messenger

Automatic

Disabled

Windows Audio

Automatic

Disabled

Wireless Configuration

Automatic

Disabled

 

Boot.ini

Boot.iniThe NTLDR (NT Loader) allows the user to choose which operating system to boot from at the menu; for NT and NT-based operating systems, it also allows the user to pass preconfigured options to the kernel. The menu options are stored in the boot.ini file. There are several switch options for the boot.ini file. I’ll describe 3 of them that have to do with memory management.

/3GB

By default, the 32-bit (x86) editions of Windows can address a total of 4 GB of virtual address space. This is a constraint of the 32-bit (x86) architecture. Normally, 2 GB of this is reserved for the operating system kernel requirements (privileged-mode) and the other 2 GB is reserved for application (user-mode) requirements. Under normal circumstances, this creates a 2 GB per-process address limitation.

Windows provides a /3GB parameter to be added to the BOOT.INI file that reallocates 3 GB of memory to be available for user-mode applications and reduces the amount of memory for the system kernel to 1 GB. Some applications, written to do so, can derive performance benefits from having large amounts of addressable memory available to individual user-mode processes. In such instances, having as much free space for user-mode processes is desirable.

You normally use this switch only when a specific application recommends its use, meaning the applications have been compiled to use more than 2 GB per process, such as Microsoft Exchange and Microsoft SQL Server.

 

/PAE

The Physical Address Extension (PAE) is a 36-bit memory addressing mode that allows 32-bit (x86) systems to address memory above 4 GB.

Windows uses 4 KB pages with PAE to map up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space. The kernel creates a “map” in the privileged mode addressable memory space to manage the physical memory above 4 GB.

This allows the operating system to use physical memory above 4 GB. As the 64-bit (x64) editions of Windows are not bound by this same memory architecture constraint, the PAE switch is not used in these versions of the Windows Server.

Even with PAE enabled, the underlying architecture of the system is still based on 32-bit linear addresses. This effectively retains the usual 2 GB of application space per user-mode process and the 2 GB of kernel mode space because only 4 GB of addresses are available. However, multiple processes can immediately benefit from the increased amount of addressable memory because they are less likely to encounter physical memory restrictions and begin paging.

 

/USERVA=####

The /userva=#### switch is designed to allow for more precise tuning of User-mode address space for programs that require more than 2 GB of User-mode space but do not require all the space that is provided by the /3GB tuning switch alone. Using the /3GB switch reduces the memory available in the Nonpaged Pool, Paged Pool & System Page Table Entries (PTEs).

If the memory reduction in the pools is too great in a specific server installation, the server or the applications may generate an error or appear to stop responding.

Using the /userva switch you can add a small amount of the additional 1 GB back to the operating system by decreasing the amount of User-mode space that is typically allocated by the /3GB switch. This additional Kernel-mode address space is held in reserve and is used as additional address space for PTEs if the system runs out of free PTE space. This address space is not allocated to PTEs until the system runs low on PTE space.

Use /userva switch with the /3GB switch to tune the User-mode space to a value between 2 GB and 3 GB, with the difference (3,072 less ####) being returned to Kernel mode. Note that #### is expressed in megabytes (MB).

 

Related reading:

Performance Tuning your Windows Server (Part 1)

March 28, 2010 4 comments

In this series of posts I’ll be describing several settings and parameters that can be tuned to optimize your server performance. I hope you’ll find them useful and help you improve your servers performance.

Note: As with all changes, you should implement the following suggestions one at a time and verify that there was a performance improvement. If system performance decreases after making a change, you should reverse the change.

 

Processor scheduling

Performance Options: Processor schedulingWindows uses multitasking to prioritize process threads that the CPU has to handle. The execution of a process is halted and another is started, preventing a single thread from monopolizing the entire CPU.

Switching the CPU from executing one process to the next is known as context-switching. The Windows operating system includes a setting that determines how long individual threads are allowed to run on the CPU before a context-switch occurs and the next thread is serviced.

Typically for a server, it is not desirable to allow the foreground program to have more CPU time allocated to it than background processes. That is, all applications and their processes running on the server should be given equal contention for the CPU.

To set this, Open the System Control Panel, select the Advanced tab, in the Performance frame click Settings, go to the Advance tab, and within the Processor Scheduling frame, set the Adjust for best performance of: to Background Services.

 

Memory usage

The file system cache is an area of physical memory set aside to dynamically store recently
accessed data that has been read or written from or to the I/O subsystem (hard drives, networks interfaces, and networks). The file system cache improves performance by reducing the number of accesses to physical devices attached to the I/O subsystem, by moving commonly used files into system cache, disk and network read and write operations are reduced and system performance is increased. You can optimize Windows server performance by tuning the file system cache.

System Cache: This option is the default setting. It instructs the operating system to give the working set of the file system cache a higher priority for memory allocation than the working sets of applications. It will give the best performance on a file server that is not running other applications.
Programs: This choice is the recommended setting for machines running applications that are memory-intensive (SQL, Exchange, etc’). With this option chosen, the working set of applications will have a priority over the working set of the file system cache.

     

Virtual memory

Memory paging occurs when memory resources required by the processes running on the server exceed the physical amount of memory installed. Windows uses virtual memory techniques that allow applications to address greater amounts of memory than what is physically available. This is achieved by setting aside a portion of disk for paging. This area, known as the paging file, is used by the operating system to page portions of physical memory contents to disk, freeing up physical memory to be used by applications that require it at a given time. The combination of the paging file and the physical memory installed in the server is known as virtual memory.

RAM

Physical memory can be accessed faster than the disk. Every time the operating system needs to move data between physical memory and the disk, there will be a significant system delay. While some degree of paging is normal on servers, excessive memory paging activity can effect the overall system performance. Thus, it is always desirable to minimize paging activity.

A pagefile can be created for each individual volume on a server, up to a maximum of 16
page files and a maximum 4 GB limit per pagefile. This allows for a maximum total pagefile size of 64 GB. The total of all pagefiles on all volumes is managed and used by the operating system as one large pagefile.
When a pagefile is split between smaller pagefiles on separate volumes as described above, when it needs to write to the pagefile, the virtual memory manager optimizes the workload by
selecting the least busy disk based on internal algorithms. This ensures best possible performance for a multiple-volume pagefile.

Optimal pagefile performance can be achieved by isolating pagefiles to dedicated physical drives on RAID-0 (striping) or RAID-1 (mirroring) arrays, or on single disk without RAID at all. By doing so, the PAGEFILE.SYS is the only file on the entire volume and there is no risk of fragmentation caused by other files or directories on the same volume. As with most disk-arrays, the more physical disks in the array, the better the performance.

RAID0 RAID1

 

Where pagefile optimization is critical, do not place the pagefile on the same physical drive as
the operating system, which happens to be the system default. If you don’t have a choice, put the pagefile on the same volume (typically C:) as the operating system. Putting it on another volume on the same physical drive will only increase disk seek time and reduce system performance.

To configure the PageFile, Open the System Control Panel, select the Advanced tab, in the Performance frame click Settings, go to the Advance tab, and within the Virtual Memory frame, click Change.

Best-practice tuning is to set the initial (minimum) and maximum size for the pagefile to the same value. This ensures that no processing resources are lost to the dynamic resizing of the pagefile. Setting the same minimum and maximum page file size values ensures that the paging area on a disk is one single, contiguous area, improving disk seek time.

The pagefile on all disks combined should be configured up to twice the physical memory for
optimal performance.

 

Related reading:

PerfMon BlackBox

February 20, 2010 5 comments

BlackBoxWhen an airplane crashes, the first thing to do (after searching for survivors of course) is to search for the “blackbox” since it would contain vital information about what might have caused the plane to crash. You can apply this technique on your servers as well.PerfMon

The “PerfMon BlackBox” is an always-running capture of key performance counters. So when a server crashes, hangs or starts to slow down significantly, you can take the collected data (the blg file) and analyze it for memory leaks or other unexpected resource consumption.

For this, you’ll need a set of two files. One (BlackBox_Counters.txt) containing the list of performance counters to be collected, and a second (BlackBox.cmd) containing the script set of commands to create the data collector using logman.exe.

BlackBox_Counters.txt:

\Cache\Dirty Pages
\Cache\Lazy Write Flushes/sec
\LogicalDisk(*)\% Free Space
\LogicalDisk(*)\% Idle Time
\LogicalDisk(*)\Avg. Disk Bytes/Read
\LogicalDisk(*)\Avg. Disk Bytes/Write
\LogicalDisk(*)\Avg. Disk Queue Length
\LogicalDisk(*)\Avg. Disk sec/Read
\LogicalDisk(*)\Avg. Disk sec/Write
\LogicalDisk(*)\Current Disk Queue Length
\LogicalDisk(*)\Disk Bytes/sec
\LogicalDisk(*)\Disk Reads/sec
\LogicalDisk(*)\Disk Transfers/sec
\LogicalDisk(*)\Disk Writes/sec
\LogicalDisk(*)\Free Megabytes
\Memory\% Committed Bytes In Use
\Memory\Available MBytes
\Memory\Cache Bytes
\Memory\Commit Limit
\Memory\Committed Bytes
\Memory\Free & Zero Page List Bytes
\Memory\Free System Page Table Entries
\Memory\Pages Input/sec
\Memory\Pages Output/sec
\Memory\Pages/sec
\Memory\Pool Nonpaged Bytes
\Memory\Pool Paged Bytes
\Memory\System Cache Resident Bytes
\Memory\Transition Pages RePurposed/sec
\Network Inspection System\Average inspection latency (sec/bytes)
\Network Interface(*)\Bytes Received/sec
\Network Interface(*)\Bytes Sent/sec
\Network Interface(*)\Bytes Total/sec
\Network Interface(*)\Current Bandwidth
\Network Interface(*)\Output Queue Length
\Network Interface(*)\Packets Outbound Errors
\Network Interface(*)\Packets Received/sec
\Network Interface(*)\Packets Sent/sec
\Network Interface(*)\Packets/sec
\Paging File(*)\% Usage
\PhysicalDisk(*)\Avg. Disk Queue Length
\PhysicalDisk(*)\Avg. Disk sec/Read
\PhysicalDisk(*)\Avg. Disk sec/Write
\PhysicalDisk(*)\Current Disk Queue Length
\PhysicalDisk(*)\Disk Bytes/sec
\PhysicalDisk(*)\Disk Reads/sec
\PhysicalDisk(*)\Disk Writes/sec
\Process(*)\% Privileged Time
\Process(*)\% Processor Time
\Process(*)\Handle Count
\Process(*)\ID Process
\Process(*)\IO Data Operations/sec
\Process(*)\IO Other Operations/sec
\Process(*)\IO Read Operations/sec
\Process(*)\IO Write Operations/sec
\Process(*)\Private Bytes
\Process(*)\Thread Count
\Process(*)\Virtual Bytes
\Process(*)\Working Set
\Processor Information(*)\% of Maximum Frequency
\Processor Information(*)\Parking Status
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\% Privileged Time
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\DPC Rate
\Server\Pool Nonpaged Failures
\Server\Pool Paged Failures
\System\Context Switches/sec
\System\Processor Queue Length
\System\System Calls/sec
\TCPv4\Connection Failures

BlackBox.cmd:

set “LogName=BlackBox”
set “LogsPath=D:\Perflogs”
set “CountersFile=BlackBox_Counters.txt”

logman query |find /i /c “%LogName%”
if ERRORLEVEL 1 goto CreateLog

:UpdateLog
logman update %LogName% -v nnnnnn -cf “%~dp0%CountersFile%” -si 00:01:00 -f bincirc -o “%LogsPath%\%LogName%_%COMPUTERNAME%” -max 1024
goto StartLog

:CreateLog
logman create counter %LogName% -v nnnnnn -cf “%~dp0%CountersFile%” -si 00:01:00 -f bincirc -o “%LogsPath%\%LogName%_%COMPUTERNAME%” -max 1024

:StartLog
logman start %LogName%

:ClearOldLogs
forfiles /p %LogsPath% /m *.blg /d -7 /c “cmd /c del /q @path”

Now you can set your server’s “PerfMon BlackBox” by putting both files in a folder under your %USERDOMAIN%\NETLOGON folder, then create a new GPO, and assign the BlackBox.cmd script as the computer startup script. This way, whenever a server boots up, it will cerate/update the BlackBox collector and run it.

Note: The last line of the script file (under ClearOldLogs) is responsible for deleting blg files older than 7 days, so your disk is not bloated with old and irrelevant counter files.

Before you go and analyze the counters using perfmon, I recommend you use a set of registry tweaks that will make your life working with PerfMon a little easier.

PerfMonTweaks.reg:

Windows Registry Editor Version 5.00

#http://support.microsoft.com/kb/281884
#The Process object in Performance Monitor can display Process IDs (PIDs)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\Performance]
“ProcessNameFormat”=dword:00000002

#http://support.microsoft.com/kb/300884
#Display Comma Separators in the Windows Performance Tool
[HKEY_CURRENT_USER\Software\Microsoft\SystemMonitor]
“DisplayThousandsSeparator”=dword:00000001

#http://support.microsoft.com/kb/283110
#Vertical lines are displayed in the Sysmon tool that obscure the graph view
[HKEY_CURRENT_USER\Software\Microsoft\SystemMonitor]
“DisplaySingleLogSampleValue”=dword:00000001

And if you don’t know how, you can always use PAL to analyze the performance logs. It generates an HTML based report which graphically charts important performance counters and show alerts when thresholds are exceeded. Just remember PAL is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time.

Performance Analysis of Logs (PAL) Tool

Related reading: