More Windows NT Performance Monitor

Using counters to diagnose your system's health

In March, I showed you how to start Windows NT's PerformanceMonitor, add counters, and save settings. I also mentioned a few of the criticalcounters. In this article, I'll look at those and other counters, and give youmore details about when to use them. The aim is to evaluate the overall healthof your system and network. This article will not give you a comprehensive listof available counters. Rather, it introduces how to use counters and focuses onthose counters that are most useful to the systems administrator and power user.

Objects
Any discussion of counters must start with a description of the objects thatgenerate counters. Common objects, such as Processor, are in the PerformanceMonitor selection list on all NT installations. Table 1 lists those PerformanceMonitor objects. Optional objects appear only if you choose certain optionsduring setup. For example, you will see the NetBEUI object only if you selectNetBEUI as a protocol to install. And the last group of objects, add-ons, areobjects that you add to Performance Monitor with other software, not with NT.

First, let's examine the optional and add-on objects that you can track.For each object, I'll discuss some specific counters. You can start PerformanceMonitor on your system and follow along.

Optional Objects
Some objects appear in Performance Monitor only when the associated serviceor process is running. I'll highlight a few of these optional objects.

The Browser measures the various Browser Service transmissions.This object is relevant only if the computer is a browser or a potentialbrowser. The Browser Service gives you the list of resources available on thenetwork. When you use the Map Network Drive option from the My Computer icon,the Browser Service is responsible for displaying shared directories.

The Server Service is the complement to the Redirector. It makes resourceson the local computer available to other users across the network. Therefore,the Server Service does not need to run on a workstation that acts as a clientcomputer and doesn't share any of its local data or printers with the rest ofthe network.

Depending on the protocols and network services you have installed, you'llsee one or more network objects on your Performance Monitor list, suchas Appletalk; Client Service for NetWare; IP, TCP, Network Interface; NetBEUIand NetBEUI Resource; NWLink IPX, NWLink NetBIOS, and NWLink SPX; and RAS Portand RAS Total. Each network object measures multiple counters; overall, theymonitor the network throughput.

Add-On Objects
Add-on objects are associated with software other than NT. For example,Microsoft SQL Server adds several objects, which you'll see only when SQL Serveris running.

Counters
As I mentioned in March, Performance Monitor has about 350 counters. You'llprobably use only a few of them on a regular basis for ongoing system monitoringand keep the rest for troubleshooting and tuning. Some counters are forprogrammers to use only in debugging and optimizing applications.

A good place to start is the default counter for each object. When youselect an object, notice that the highlighted counter is not necessarily thefirst one in the list. Instead, the highlighted counter is the one that the NTdevelopers thought would be the most useful. For example, when you select theCache object, the default counter is Data Map Hits %, as Screen 1 showson page 159. The following paragraphs highlight a selection of counters that youmight find useful.

The Data Map Hits % counter under the Cache object shows how oftenrequested data was found in the cache. This counter means you can retrieve thedata rapidly from physical memory instead of having to read from the disk. Aconsistently low value, say below 80 percent when the system is very busy, cansignify insufficient memory available.

The Average Disk Queue Length counter under the LogicalDisk objectmeasures the average number of read and write requests that were queued for theselected disk during the sampling interval. A value greater than 1 or 2indicates a potential bottleneck at the disk, and processes are forced to waiton disk access. Further investigation is in order before you can be sure thedisk is the problem. Your system might have insufficient RAM, resulting inconstant paging from memory to disk and back again. Resolve memory shortagesbefore deciding that you have a disk problem.

The LogicalDisk object's Avg. Disk sec/Transfer counter shows howlong, in seconds, the average disk transfer takes. On its own, this countermight tell whether you have a fast or slow disk, although the value will varydepending on the type of data you are processing. The actual value for shortfiles will be in tens of milliseconds, which will show as 0.0nn seconds.If all your disk counters are zero, use the diskperf - y command to makesure that you turned on disk monitoring, as I described in March.

One powerful way to use Performance Monitor is to combine values fromdifferent counters. Suppose you have an Avg. Disk Queue Length of 3 and an Avg.Disk sec/Transfer of 0.033. With three requests (each taking about 33milliseconds) in the queue, about 100 milliseconds (one-tenth of a second) willpass before the system can process a new request. This calculation gives you anidea of the delay that waiting on your hard disk causes.

The Pages/sec counter under the Memory object tracks the number ofpages (a page is 4KB) read from or written to the disk because of page faults. Apage fault occurs when a process requests data or code that is not in physicalmemory and has to be read from the disk. To make space for the requiredinformation, you might need to write some of the data that is currently inmemory to the page file on the hard disk. You can look at the Pages Input/secand Pages Output/sec separately.

The Processor object's %Processor Time counter represents thepercentage of time that the processor spends executing applications oroperating-system code. Each processor has an Idle thread, which it runs when noother threads are running. The percentage of the time spent running this threadis subtracted from 100 to get the percentage of productive time spent on systemand application processes. You do not want %Processor Time to stay above 80percent to 85 percent. If it does, you need to add another processor if yoursystem will allow it, or upgrade the CPU. Spikes or bursts of 100 percent usefor a few seconds (such as when you load a program) are normal and are not causefor concern.

If you want to see how much time the CPU spends in privileged and usermodes, two Processor counters--%Privileged Time and %User Time--willgive you this information. Applications and any environment subsystems in whichthey are running will run in User mode. Usually, only operating system processescan run in privileged mode. However, NT can switch application threads toprivileged mode when the threads need operating-system services.

The counters I just discussed measure the overall use of system resources.What if you want to look at particular applications or services and see whatload they are putting on your system? You can employ several useful counters forjust that purpose.

The Process object's %Processor Time counter acts just like theProcessor object's %Processor Time. But in this case, you look at the process,not the processor. You can see the percentage of the CPU resource allocated to aspecific process. And the Process object also has %Privileged Time and%User Time counters, which tell how that time is split between the twomodes. Screen 2 shows several applications running: You can see which takes upthe CPU resource. The process App1-5 is highlighted in the legend box at thebottom of the screen, so its statistics are shown in the boxes just below thechart. The process is grabbing about 95 percent of the CPU time. The other fourapplications barely register on the graph.

Screen 3 shows another way to look at the same data. Click Options, Chartmenu item, and select the Histogram option to see this display. The %ProcessorTime counter under the Thread object shows how much time is allocated toeach thread within a process or application.

For an application that is running multiple threads, look no further thanPerformance Monitor. Screen 4 shows an example.

Another counter to monitor is the System object's Processor QueueLength, which tells you how many threads are waiting on the processor. Asingle queue for processor time exists even on multiprocessor computers. Asustained value greater than 2 is grounds for an upgrade.

Further Investigation
These counters are only the beginning. For in-depth coverage of PerformanceMonitor, check out Microsoft's NT resource kits.

Performance Monitor counter definitions are in a Help file, Common
PerftoolCntrtoolCounters.hlp on the CD-ROM that comes with MicrosoftWindows NT Server Resource Kit and Microsoft Windows NT WorkstationResource Kit for NT 4.0. The file is not installed on the list of onlinedocumentation files under the resource kit folder, but it is copied to the harddisk and placed in NtreskitPerfToolCntrTool
Counters.hlp. NT3.51 users can find a list of counter definitions in Volume 4, "OptimizingWindows NT," of Microsoft Windows NT Resource Kit for NT 3.51.