Perfmon and PAL 101: A Comprehensive Guide for IT Pros using Windows Server

Captions
[Music] Hello, my name is Lowell Vanderpool, and this channel is dedicated to IT students, IT professionals, and anyone who enjoys learning technical subjects.

Okay, Mr. Vanderpool, what is Performance Monitor? Well, it's also known as perfmon. Perfmon is actually running behind me, and when you first look at perfmon, if you are new to Windows or you're new to the technical side of Windows and you launch perfmon for the first time, you kind of are in shock. It looks like a Windows 95 application that somehow slipped through 20 years of Windows development, and somebody found it in the bottom of the System32 folder and double-clicked it and launched it. It's not impressive.

Perfmon, though, is built on a very important foundation called performance counters and event tracing sessions. Perfmon is going to allow us to look at performance counters in real time, which, based on that monitor you see behind me, you're probably not going to go there, so we'll look at other tools that we can look at performance counters with. Second of all, the most important feature of perfmon is that we can record counters in log files, and we can look at them later in an HTML report, or we can convert that data into a format that's acceptable by spreadsheets and databases, and then we have a lot of tools that we can look at that data with and analyze it.

Then there's event tracing, which is kind of debuggish-type logging. When we talk about event tracing, we're probably not going to use Performance Monitor again to record it or view it, because Microsoft has newer tools: one called the Windows Performance Recorder, which allows you to pick trace events and record them, and then Windows Performance Analyzer, which does a great job of popping up those log files and allowing you to analyze in a GUI fashion.

When you launch Performance Monitor, which Microsoft engineers have populated already with a series of counters, they've put three counters in for memory, one counter for network interface, two for physical disk, and three
for processor information. These are, by the way, very good counters to analyze Windows.

Now, as we've mentioned, performance counters are the fundamental underpinning of Performance Monitor, but many other tools use those counters. For example, Resource Monitor: when you launch Resource Monitor, it takes full advantage of the performance counters that are built into the Windows operating system. What you're seeing are the performance counters. By the way, this is a favorite tool of mine; if I'm stuck with just Task Manager or Resource Monitor, it's going to be Resource Monitor every time. And by the way, when I go to the Windows Start icon, even Task Manager is fundamentally pulling metrics out of the performance counters built into Windows. So Task Manager and Resource Monitor all use the same performance counters. If you've used Process Explorer, Process Explorer leverages the performance counters built into Windows. Process Monitor uses the counters built into Windows, as does Process Hacker, if you've watched my latest video on Process Hacker. So a lot of graphical user interface tools that you're familiar with already use performance counters.

Now, Performance Monitor has a real-time graph, and right now it has % Processor Time, and basically that's how much user mode code is being executed by your processor. About 15% of all the code that's being executed by the processor is user mode. Up here at the top is a plus symbol, and here's where we can add any amount of counters to this real-time graph. Now, most of us are not going to use this real-time graph; it's pretty old, pretty antiquated. But if you did need to look at a very specific counter, you could use this tool to view that counter and observe the metrics.

The most common way to use Performance Monitor is data collection sets. So we have two different kinds. One is called User Defined, and these are the ones that you create yourself. Now, if I click on Data Collector Set and choose User Defined, I can come in this
pane of the utility and right mouse click and create a new data collector set. In it I can add as many performance counters as I want, and I can execute that and it will begin to log that information.

Below User Defined is what's called System. These are two predefined sets of performance counters that are ready to go. The first one is called System Diagnostics. You can see a ton of performance counters are already pre-configured, ready for you to use, and this is a wonderful tool for any admin, help desk, or IT professional to assess a system. You can come up and hit the green start, and it begins collecting data on all of these performance counters. Now, there's a black square button, which is the stop button; it stops collecting data from all these counters, and then you can look at that event log. I'm going to go ahead and stop this one.

Now, there's another one below; it's called System Performance. This is already pre-configured, pre-set up. Again, all you have to do, it has performance counters already set up, you can come to the green arrow, start the data collection, it begins to build the log, and then at whatever point you can stop it, which I'm going to go ahead and do: hit the square button, stop the recording of data. And now basically you can go look at the reports on both of these pre-configured systems.

Let's come down to the reports, and here we're going to look under System. You can see when I launched that System Diagnostics, it created a series of logs and an HTML report, and so I can go in and look at the metrics that were collected by those counters. You can see there's a lot of information; we will come back and look at this. If you come down to System Performance, you can see I've launched this System Performance tool up here twice, and I can pull up those reports. It's an HTML page; it shows me the metrics of what those performance counters collected.

Now, the last section of Performance Monitor that we're going to look at is called Event Trace Sessions. Performance Monitor is built on top
of performance counters and what is known as Event Trace for Windows. This is a key component of WMI. We can't do a lot with event tracing with Performance Monitor. I'm going to show you two additional tools that are much better at looking at tracing information. Think of this as a type of debugging. We will look at alternative tools to do serious recording of traces and analyzing of traces. There's one last pre-configured trace session, and that's for startup events, and that way you can go and look, as Windows boots and starts up, at a lot of things that are going on and maybe trace problems related to the boot-up of the Windows operating system.

Now, that's a quick drive-by of Performance Monitor. Now let's dig in. Now, when you run Performance Monitor and you're logging performance counters, those are going to be put in C:\PerfLogs. It's interesting that Microsoft puts that in the C: root directory, as it's so protective of the root directory of C:, but there they are. The three major functions of perfmon are real time, which we don't use very much; logging, which we do a lot of; and debugging, or event trace.

Now, who's using Windows performance counters? They're collecting various types of system data, such as processor information, memory, and disk usage statistics. System admins use them. Software developers use them extensively to analyze their code and see how their application performs on Windows. Hardware engineers use them extensively as they analyze the performance of their hardware in the Windows operating system.

The key to performance counters is to use them sparingly. They are not designed to be collected more than once per second. When we talk about performance counters, remember it's very important that you correctly choose the counter that you want to monitor, and second of all, you've got to understand the threshold values that you're looking for in these metrics: what constitutes too high, what constitutes too low. Without understanding your threshold values and the
correct counters, this tool is not useful to anyone. Below on the slide, you can see I've clipped out some information from Microsoft documentation, and Microsoft is giving us the performance counters, and it's also giving us threshold values to look at. You have to have both of these critical components to effectively use a tool like Performance Monitor.

When you're selecting counters and understanding threshold values for analysis and troubleshooting, Microsoft documentation is a great source for selecting the right counters and understanding the threshold values. As you try to analyze using these counters, you can turn to developer documentation or developer support, their engineers, or turn to Dell or HP or Lenovo or whichever hardware vendor you're working with and troubleshooting their product with. You need them to help you determine performance counters and threshold values so that you can adequately use performance counters to analyze a problem. For example, Microsoft documentation gives you some really good counters so that the IT professional can properly size a virtual machine's memory, and so it gives you three counters that you can look at, and it also gives you threshold values to analyze. You can quickly run Performance Monitor against your virtual machine and determine whether you're sizing the memory properly for that virtual machine.

So, two types of data that perfmon can collect: obviously performance counters, and then event trace data. Now, Event Tracing for Windows, or ETW, is built into the Windows operating system. Essentially any component, user application, or the Windows kernel can send out diagnostic trace information about specific events that that component cares about. For example, the kernel sends out an ETW event when a process starts or stops, when an image or DLL is loaded into memory or unloaded out of memory, when a thread is created or is destroyed, or when a thread does a context switch or is executed by the processor. ETW is designed to be fast, and it should not
materially impact the system performance. Now, event trace files are saved with .etl extensions. A lot of your event trace files are saved in the Windows\System32\LogFiles\WMI folder, and I've got them shown here. If you're thinking that's all the event trace files that are on your system, think again. I did a search of *.etl files on my video editor, and I could literally scroll this on the screen for a long time. There are a lot of event tracing files on this machine.

So if I was to ask you about perfmon and performance monitoring and say, how many performance counters do you think are built into Windows 10, you would say, how many? If you said 3,840 counters, you would be right.

So you saw me in the beginning kind of chastise Microsoft for not investing in better performance monitoring tools, and the reason is real simple: there are over 15 to 30 major vendors that provide this, including Microsoft's Operations Manager. So Microsoft wants you to pay for more comprehensive performance management, or you can go to a third party: SolarWinds, Altera, Symantec, Site24x7, and we could just go on and on naming more and more vendors that provide not only server performance monitoring but application.

Okay, but what about the low budget, such as school districts and non-profit organizations that are running servers and need better performance monitoring tools? Well, you can. It's called PAL version 2.
It's on GitHub, and some really smart people put together a great package that allows you to analyze your performance logs and take those and compare them against industry threshold data. This developer and the contributors put together a great tool that gives you threshold files for most of the major Microsoft products: IIS, SQL, BizTalk, Exchange, Active Directory. It gives you a nice GUI interface, produces a PowerShell script to analyze, and then creates an HTML report. And here's the key: it analyzes performance counter logs for thresholds, using thresholds that change their criteria based on the computer's role or hardware specs. That's what makes this tool so valuable.

Now, I'm not going to go into how to install it, because in the video notes, if you download them, there's a step-by-step on how to install PAL. It's not that complex; most of you can do this with no problem. What I want to do is demonstrate how to use it.

So let's begin with Performance Monitor. Now, I could run the System Diagnostics, but remember, we talked about this: it is already a pre-populated, pre-configured set of counters, and it's actually a great set of counters for analyzing your system. The problem is it has a limit of 60 seconds, and that generally is not enough data collected for the PAL tool. You can't tweak this one; this one's a predefined set, you can't touch it. But we can use it as a template.

So let's go up to User Defined and let's create a new data collector set, and I'm going to call it. Now, what I've done is I've created my data collector set with the name virtual machine, 4 CPUs, 4 gigs of RAM, and the application that I'm going to run is a browser. And so I'm going to use that application to use the counters to analyze how the system is performing under a loaded browser application. Now, I'm going to create this from a template, so let's go Next, and the template that I'm going to be using is that System Diagnostics template. So I'm going to use that set of counters, pre-configured, and go Next, and it's going to put it
where my PerfLogs folder is, so I'm going to say Next, and it's going to run. In this case I'm just going to save and close; it'll run under my credentials, and we'll go Finish.

Now I'm going to come back to my predefined set of counters. Remember, this is just a copy of what was in System Diagnostics; I now have my own version of that under User Defined. What I'm going to do is come and go to Properties. I want this to run longer. Here's my stop condition: I'm going to let this run at least 10 minutes, so I'm going to uncheck this, and I'm going to uncheck "Stop when data collectors have finished", because I want it to run at least five minutes. It doesn't have to run 10, but at least I don't want it to run 60 seconds; it's probably not going to collect enough data. Made these counters run longer, basically, is all I've done, and I'm going to apply and say OK.

Now, to simulate a browser-based application that is loading down this machine, I'm simply going to go to YouTube and run a 4K video. So I've started a 4K video, and I'm going to go check to make sure it's running at high resolution. And so it's sitting there running, and it's going to pull network traffic, exert effort on the CPU and the system as a whole, and it's going to simulate an app, a browser-based application, that's loading down this PC.

So now I'm going to come back to my performance counter and say start collecting data, and I'm just going to let it run for as long as you want to. Remember, you don't want it too large, but in this case we just want to learn how to use it. You could change this to run with fewer counters, collecting data less, over a longer period of time, so there's a lot of flexibility in what we can do. But just to give you an idea of how to collect data and then use PAL, let's go ahead with this configuration.

Now, while I'm collecting this data, I went ahead and launched Process Explorer so that I can kind of see what's happening with this particular virtual machine and the loaded application, and I can see CPU usage is
high, the system page file is pretty large, there's not a whole lot of physical memory, and I can come over here and see the network traffic, pretty much what I would expect if I was pulling a large video file via the network. So a lot of things that I expect, I'm seeing in Process Explorer. All of this data is being collected and stored in a log file, and at some point we'll stop this Performance Monitor collection and then use the PAL tool to analyze our data.

In most cases it's a good idea to install your PAL tool on your admin station. You can always pull the log files off the device you've tested. So test your server, test a client's workstation, pull that log file back to you, and run the PAL tool on a more powerful workstation. For example, if you're dealing with a server that's already having trouble, the last thing you want to do is run the PAL tool on a server that's already having problems. So pull the performance log off when you're done and run it on your admin workstation.

So now I've been running this 4K video on this machine for a while, and you can see Process Explorer, in its system information summary, gives you a good view that this machine is pretty heavily loaded. So let's go ahead and stop Performance Monitor. Let's come up to our stop button and stop the collecting of data. So now we're not collecting any more data, and we can go ahead and turn off all these other things.

Now I've launched my PAL tool. Let's go find that log file and analyze it. So I'm going to start by going to the counter log, so I'm going to go find that log file. There are a lot of other things that we can do. If you've been collecting a log file over five days, in the bottom here you can restrict it. Let's say you have irregular events: you started collecting data on Monday and you stopped on Friday, and you recognize that it was Tuesday that this problem flared up again. So you could go ahead and say, ignore all the data except Tuesday. It's pretty cool. Let's go browse for the file, drill
down to my performance counter .blg file (that's the extension for the performance counter log file), and go ahead and open it, and then we're going to go Next.

So by default you have what's called System Overview. The developer of this tool recommends that you use the System Overview if you're not quite sure. Now, if I drop down the box, you can see it supports various applications, so if you're trying to analyze counters on Office SharePoint or SQL, or, you can just see, we can just go down to a variety: Exchange, Active Directory, all kinds of different scenarios where you need probably different threshold values. Now, the best thing about this is you can do what's called an auto detect. So I'm going to click on that; it's going to analyze the log, and it's going to recommend three additional threshold files to run against this log file. So we're going to leave that auto detect and those additional threshold files to use to analyze the counters that I have.

I'm now going to go Next. Here I'm going to select the operating system, so I'm going to select Windows 10 64-bit. Physical memory is going to be four gigs. You can see I'm tuning this tool to better help me analyze my counter logs. It's going to take my log file and slice it up into 30 time slices, so I'm going to get this sequential analysis over time, and you'll see it gives you a lot more than that. We're going to go Next.

Now, the reports are going to be put in My Documents. You can see here I've done this a number of times, and you can see all the different reports that I have in My Documents. So that's where they're going to go; they're going to be HTML reports. We're going to go Next, and then this is the final result: it's going to run a PowerShell script against my log files. And again, if this is a server that's having performance issues, you don't want to run PAL on the server that's having problems. Take this log file and run PAL on your administrative workstation. You don't want to load the server trying to analyze the server. In this
case this is just a Windows 10 box. I'm going to go ahead and execute it and say OK, and you can see it's going to run PowerShell scripts and it's going to do the analysis. I'm going to let this run. I'll speed it up, but I'll give you a chance to view what you would normally see if you sat here and watched the whole thing. [Music]

So this is my HTML report, as it has analyzed my performance counter logs. It takes my entire log that I want it to analyze and breaks it up into 30 time slices, but it's in chronological order. So if I'm looking for that eight o'clock in the morning Active Directory issue, I can find it in chronological order, so that's extremely nice. I can also just continue to scroll down if I'm looking at just general memory issues. Again, it breaks down everything that it analyzed in terms of different counters in memory, different counters in network interface, different counters in physical disk, and processes, your CPU, your server, your system, and TCP version 4. So they've got all the counters broken down if you want to look at your system or analyze your problem via hardware subsystems.

Let's come back up to the chronological order. So I'm going to start with the first one. I've got some links here, so I'm going to click, and it shows me that at this specific time and date I was having some specific utilization issues: my CPU was utilized more than eighty percent, and then it gives me my threshold values. Now, it gives me a nice little hyperlink if I want more information about that eighty percent processor utilization. I just click there, and it takes me to the counter that assessed that problem. It gives me a lot of information, even links that can take me to additional information about this specific problem, and I get a graph of what was going on with my CPU related to that counter. It's very, very nice. So I could go down through this chronological order and just continue to click and assess what was going on in time with certain performance counters. I can also slide
down here again if I want to drill into what was happening to memory throughout the entire time that I was assessing or collecting data, and I could come and see that I really had three areas of problems: one was memory pages per second, and I had another one, memory pages input per second, and then a long-term average standby cache. So let me click on this memory pages per second. Again, it takes me to a lot of information about this counter, and that allows me to see what was going on that triggered this alert.

From my report, there weren't a lot of alerts at all concerning network traffic, there was only one concerning physical disk, and there were a number concerning processes. So I'm going to come down, and I can see, related to the processes that were running on my operating system, there were a number of alerts there. I can also see I've got a couple of CPU alerts. Other than that, the rest of the system was okay.

I can analyze my counter, my log file, via chronological order, or I can slide down and start looking at the hardware subsystems and the various counters that are used to assess those subsystems, and I can look for problems. They're highlighted in red hyperlinks, and I can drill down into those areas, such as processes and CPU issues; I got one physical disk issue. So I could analyze this log file in a number of different ways.

Now, don't get overwhelmed by the report. If you'll take three virtual machines, spin up three virtual machines, a two-CPU with two gigs, four CPUs with four gigs, six CPUs with six gigs, and then run various scenarios against those boxes, run your performance counters, collect your log files, and then run the PAL tool against them, I feel like by the time you've done three virtual machines, you're starting to get a feel of what you're seeing and how to use this effectively to analyze just about anything.

Performance Monitor can be a very effective tool for the IT professional. Now, you can choose the real-time monitor and add counters as you so desire into your real-time
monitor. Although this is pretty antiquated, it is still available in Windows. With this tool you can add one or as many as you so desire in the real-time monitor. Creating our own performance counters, in which we log that data and then analyze it, is a much more effective component of Performance Monitor. Add to that using PAL, and we can now more effectively analyze our collected performance data against very, very well-defined threshold values. The combination of both of these can give us some great tool sets to help us analyze issues and problems with our systems and give us an insight as to what the solutions are.

Now, in our next video we're going to cover event trace. We're not going to use Performance Monitor to use event tracing; we're going to use the two new tools that Microsoft has provided for us to do event tracing recording and event tracing analyzing. Always feel free to put your feedback in our comment section. A big thank you to all our international viewers, from Albania to India, Philippines, Indonesia, Germany, Canada, Bangladesh, Pakistan, France, Brazil, Israel, Saudi Arabia, Kenya, Ethiopia, Japan, Singapore, Thailand, Romania, and much more. We are really excited that you're watching our channel and viewing our content. [Music]
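
The collection workflow described in the captions (a user-defined counter log that runs longer than the 60-second built-in set, written to C:\PerfLogs, then checked against a threshold) can also be scripted. The following is an added example, not code from the video or from the PAL project; the collector name, the counter selection, the 10-minute run and the simple 80% CPU check are assumptions chosen to mirror the demo, and the counter names assume an English-language Windows install.

```powershell
# Added example (not from the video). Run from an elevated PowerShell prompt.
# Assumptions: collector name, counter list, 1-second interval, 10-minute run.
$name     = 'VM-4CPU-4GB-Browser'     # hypothetical collector name
$logDir   = 'C:\PerfLogs'
$counters = @(
    '\Processor Information(_Total)\% Processor Time',
    '\Memory\Pages/sec',
    '\Memory\Pages Input/sec',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\Network Interface(*)\Bytes Total/sec'
)

# Create a binary (.blg) counter log sampled once per second.
logman create counter $name -c $counters -si 00:00:01 -f bin -o "$logDir\$name"
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

try {
    logman start $name
    # Apply the workload to be measured while the collector is running.
    Start-Sleep -Seconds 600
}
finally {
    logman stop $name
}

# logman may append a version suffix to the file name, so pick the newest match.
$blg = Get-ChildItem "$logDir\$name*.blg" |
    Sort-Object LastWriteTime |
    Select-Object -Last 1

# Optional flat CSV copy for spreadsheets or databases.
relog $blg.FullName -f csv -o "$logDir\$name.csv" -y

# Count the samples in which total CPU exceeded 80 percent.
# The first sample of a rate counter can be reported as invalid; that error is ignored here.
$cpu = @(Import-Counter -Path $blg.FullName -ErrorAction SilentlyContinue |
    ForEach-Object { $_.CounterSamples } |
    Where-Object { $_.Path -like '*\processor information(_total)\% processor time' })
$over = @($cpu | Where-Object { $_.CookedValue -gt 80 })

'{0} of {1} samples above 80% CPU' -f $over.Count, $cpu.Count
$over | Select-Object -First 5 Timestamp,
    @{ Name = 'CPU%'; Expression = { [math]::Round($_.CookedValue, 1) } }

# Remove the collector definition; the log files stay in place.
logman delete $name
```

Copy the resulting .blg to an admin workstation before analyzing it, so that the analysis does not add load to the machine being measured.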
Info
Channel: TechsavvyProductions
Views: 5,682
Id: 7nOiqW1K7-8
Length: 28min 30sec (1710 seconds)
Published: Tue Aug 02 2022