Setting a remote perfmon in a Windows client or Windows Server.
Applies to:
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Updated: Oct. 31st, 2017
First published: May 16, 2015
This is the third (3rd) method of enabling perfmon.
When is this usually useful? Do you have a Windows client or Windows Server that randomly becomes unresponsive to a local login or a domain login? Are you able to ping the machine but unable to open a UNC share (\\MachineName\ShareName)? Is the only way to recover to power off the machine and restart it?
This is the perfmon that you need for those types of issues.
On the machine having problems (64-bit Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/8.1/Server 2012 R2):
Step 1. Make sure that the latest Perfmon-related hotfixes are installed.
- None as of this date for Windows 8.1 or Windows Server 2012 R2.
- List of Performance Monitor related hotfixes post RTM for Windows 8 RTM and Windows Server 2012 RTM
- List of Performance Monitor related hotfixes post SP1 for Windows 7 SP1 and Windows Server 2008 R2 SP1
- List of Performance Monitor related hotfixes post SP2 for Windows Server 2008 SP2.
TIP: Include these hotfixes in your base image.
Step 2. Make sure that WMI is working properly.
Step 3. Have the “Remote Registry” service started.
Step 4. Have “Performance Logs and Alerts” unblocked in the Windows Firewall or your antivirus network protection software.
From your remote 64-bit Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/8.1/Server 2012 R2 tools machine:
Step 5. Set up the two perfmons: one with a short interval and the other with a long interval.
Long-interval:
==========
Start, CMD (Run as admin)
logman.exe create counter %ComputerName%_long_interval -f bincirc -v mmddhhmm -max 750 -c "\\MachineName\Cache\*" "\\MachineName\IPv4\*" "\\MachineName\LogicalDisk(*)\*" "\\MachineName\Memory\*" "\\MachineName\Netlogon\*" "\\MachineName\Network Interface(*)\*" "\\MachineName\Paging File(*)\*" "\\MachineName\Per Processor Network Activity Cycles(*)\*" "\\MachineName\Per Processor Network Interface Card Activity(*)\*" "\\MachineName\Processor(*)\*" "\\MachineName\Processor Information(*)\*" "\\MachineName\PhysicalDisk(*)\*" "\\MachineName\Process(*)\*" "\\MachineName\Physical Network Interface Card Activity(*)\*" "\\MachineName\Redirector\*" "\\MachineName\SMB Client Shares\*" "\\MachineName\SMB Server Shares(*)\*" "\\MachineName\SMB Server Sessions\*" "\\MachineName\Server\*" "\\MachineName\Server Work Queues(*)\*" "\\MachineName\System\*" "\\MachineName\VM Memory(*)\*" "\\MachineName\VM Processor(*)\*" "\\MachineName\TCPv4\*" -si 00:05:00 -u Contoso\AnAccountWithLocalAdminRightsOnTargetMachine *
Note: Replace \\MachineName with your actual machine name that you want to monitor.
Note 2: Contoso\AnAccountWithLocalAdminRightsOnTargetMachine stands for the domain and an account on the remote machine with which the end-user is able to create and start a perfmon.
Note 3: I personally like to capture all the counters and instances. The reason is that I cannot tell you how many times I was looking at a perfmon and went, OK, the bread crumbs lead this way, let me look at that counter, just to find out it wasn’t collected, and then had to wait for the problem to reoccur.
Note 4: You could change the interval for the long-interval perfmon from -si 00:05:00 to anything, depending on how long you want to capture. For more info on the sample interval that you need to choose, check out: How often should Perfmon Sample?
logman.exe start %ComputerName%_long_interval
< reproduce the issue>
logman.exe stop %ComputerName%_long_interval
Short-interval:
==========
logman.exe create counter %ComputerName%_short_interval -f bincirc -v mmddhhmm -max 750 -c "\\MachineName\Cache\*" "\\MachineName\IPv4\*" "\\MachineName\LogicalDisk(*)\*" "\\MachineName\Memory\*" "\\MachineName\Netlogon\*" "\\MachineName\Network Interface(*)\*" "\\MachineName\Paging File(*)\*" "\\MachineName\Per Processor Network Activity Cycles(*)\*" "\\MachineName\Per Processor Network Interface Card Activity(*)\*" "\\MachineName\Processor(*)\*" "\\MachineName\Processor Information(*)\*" "\\MachineName\PhysicalDisk(*)\*" "\\MachineName\Process(*)\*" "\\MachineName\Physical Network Interface Card Activity(*)\*" "\\MachineName\Redirector\*" "\\MachineName\SMB Client Shares\*" "\\MachineName\SMB Server Shares(*)\*" "\\MachineName\SMB Server Sessions\*" "\\MachineName\Server\*" "\\MachineName\Server Work Queues(*)\*" "\\MachineName\System\*" "\\MachineName\VM Memory(*)\*" "\\MachineName\VM Processor(*)\*" "\\MachineName\TCPv4\*" -si 00:00:05 -u Contoso\AnAccountWithLocalAdminRightsOnTargetMachine *
Note: Replace \\MachineName with your actual machine name that you want to monitor.
Note 2: Contoso\AnAccountWithLocalAdminRightsOnTargetMachine stands for the domain and an account on the remote machine with which the end-user is able to create and start a perfmon.
logman.exe start %ComputerName%_short_interval
< reproduce the issue>
logman.exe stop %ComputerName%_short_interval
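The two logman commands differ only in the collector name and the -si value, and a counter path written without the \\MachineName prefix is collected from the local tools machine instead of the target. As an added example (not from the original post), this Windows PowerShell script checks the Step 3 prerequisite and then builds both collectors from a single counter list so every path carries the prefix; $Target and $RunAs are placeholders, and the trailing * makes logman prompt for the password rather than taking it on the command line.

```powershell
# Added example (not from the original post). $Target and $RunAs are placeholders.
$Target = 'MachineName'
$RunAs  = 'Contoso\AnAccountWithLocalAdminRightsOnTargetMachine'

# Step 3 preflight (Windows PowerShell): Remote Registry must be running on the target.
$rr = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
if ($rr.Status -ne 'Running') { throw "Remote Registry on $Target is $($rr.Status)" }

# Counter objects copied from the logman commands on this page.
$CounterObjects = @(
    'Cache', 'IPv4', 'LogicalDisk(*)', 'Memory', 'Netlogon',
    'Network Interface(*)', 'Paging File(*)',
    'Per Processor Network Activity Cycles(*)',
    'Per Processor Network Interface Card Activity(*)',
    'Processor(*)', 'Processor Information(*)', 'PhysicalDisk(*)',
    'Process(*)', 'Physical Network Interface Card Activity(*)',
    'Redirector', 'SMB Client Shares', 'SMB Server Shares(*)',
    'SMB Server Sessions', 'Server', 'Server Work Queues(*)', 'System',
    'VM Memory(*)', 'VM Processor(*)', 'TCPv4'
)

# Prefix every object with \\<target> so no counter silently falls back
# to the local (tools) machine.
$Counters = $CounterObjects | ForEach-Object { "\\$Target\$_\*" }

# Collector name -> sample interval, as used on this page.
$Collectors = @{
    "${env:COMPUTERNAME}_long_interval"  = '00:05:00'
    "${env:COMPUTERNAME}_short_interval" = '00:00:05'
}

foreach ($name in $Collectors.Keys) {
    $interval = $Collectors[$name]
    # '*' after the account name: logman prompts for the password.
    & logman.exe create counter $name -f bincirc -v mmddhhmm -max 750 `
        -c $Counters -si $interval -u $RunAs '*'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "logman failed for $name (exit code $LASTEXITCODE)"
    }
}
```

Start and stop the collectors with the logman.exe start and logman.exe stop commands shown above.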
More information:
============
Setting a local perfmon in a Windows client or Windows Server.
An alternative method, when you want to enable local perfmons from a remote machine:
Setting a remote perfmon Windows Server 2012 style...
* If you use my colleague Clint Huffman’s Performance Analysis of Logs (PAL), the “base” performance is named “System Overview”.
How to set up an in-flight recorder:
How To Equip Your Windows Server Environment With A Blackbox Flight Recorder
or
How to create a “black box” performance counter data collector
or
By the way, if you want to figure out why the machine is becoming unresponsive, besides the perfmon log, get a manual memory dump using: