Setting a remote perfmon in a Windows client or Windows Server.

Applies to:

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Windows Server 2008

Windows Vista

Updated:  Oct. 31st, 2017

First published: May 16, 2015

This is the third (3rd) method of enabling perfmon.

When is this usually useful?  Do you have a Windows client or Windows Server that randomly becomes unresponsive to a local login or a domain login?  You are able to ping the machine but cannot open a UNC share (\\MachineName\ShareName)?  And the only way to recover is to power off the machine and restart it?

This is the perfmon that you need for those types of issues.

On the machine having problems (64-bit Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/8.1/Server 2012 R2):

Step 1.  Make sure that the latest Perfmon-related hotfixes are installed.

TIP:  Include these hotfixes in your base image.

Step 2.  Make sure that WMI is working properly

Step 3.  Have the “Remote Registry” service started.

Step 4.  Have the “Performance Logs and Alerts” unblocked in the Windows Firewall or your Antivirus Network Protection software.

From your remote 64-bit Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/8.1/Server 2012 R2 tools machine:

Step 5.  Set up the two perfmons: one short-interval and one long-interval.

Long-interval:

==========

Start, CMD (Run as admin)

logman.exe create counter %ComputerName%_long_interval -f bincirc -v mmddhhmm -max 750 -c "\\MachineName\Cache\*" "\\MachineName\IPv4\*" "\\MachineName\LogicalDisk(*)\*" "\\MachineName\Memory\*" "\\MachineName\Netlogon\*" "\\MachineName\Network Interface(*)\*" "\\MachineName\Paging File(*)\*" "\\MachineName\Per Processor Network Activity Cycles(*)\*" "\\MachineName\Per Processor Network Interface Card Activity(*)\*" "\\MachineName\Processor(*)\*" "\\MachineName\Processor Information(*)\*" "\\MachineName\PhysicalDisk(*)\*" "\\MachineName\Process(*)\*" "\\MachineName\Physical Network Interface Card Activity(*)\*" "\\MachineName\Redirector\*" "\\MachineName\SMB Client Shares\*" "\\MachineName\SMB Server Shares(*)\*" "\\MachineName\SMB Server Sessions\*" "\\MachineName\Server\*" "\\MachineName\Server Work Queues(*)\*" "\\MachineName\System\*" "\\MachineName\VM Memory(*)\*" "\\MachineName\VM Processor(*)\*" "\\MachineName\TCPv4\*" -si 00:05:00 -u Contoso\AnAccountWithLocalAdminRightsOnTargetMachine *

Note:  Replace \\MachineName with your actual machine name that you want to monitor.

Note 2:  Contoso\AnAccountWithLocalAdminRightsOnTargetMachine stands for the domain and an account that is able to create and start a perfmon on the remote machine.

Note 3:  I personally like to capture all the counters and instances.  The reason is, I cannot tell you how many times, where I was looking at a perfmon, that I went, ok, the bread crumbs lead this way, let me look at that counter, just to find out, it wasn’t collected.  And then having to wait for the problem to reoccur.

Note 4:  You could change the long interval from -si 00:05:00 to anything, depending on how long you want to capture.  For more info on the sample interval that you need to choose, check out:  How often should Perfmon Sample?

logman.exe start %ComputerName%_long_interval

< reproduce the issue>

logman.exe stop %ComputerName%_long_interval

Short-interval:

==========

logman.exe create counter %ComputerName%_short_interval -f bincirc -v mmddhhmm -max 750 -c "\\MachineName\Cache\*" "\\MachineName\IPv4\*" "\\MachineName\LogicalDisk(*)\*" "\\MachineName\Memory\*" "\\MachineName\Netlogon\*" "\\MachineName\Network Interface(*)\*" "\\MachineName\Paging File(*)\*" "\\MachineName\Per Processor Network Activity Cycles(*)\*" "\\MachineName\Per Processor Network Interface Card Activity(*)\*" "\\MachineName\Processor(*)\*" "\\MachineName\Processor Information(*)\*" "\\MachineName\PhysicalDisk(*)\*" "\\MachineName\Process(*)\*" "\\MachineName\Physical Network Interface Card Activity(*)\*" "\\MachineName\Redirector\*" "\\MachineName\SMB Client Shares\*" "\\MachineName\SMB Server Shares(*)\*" "\\MachineName\SMB Server Sessions\*" "\\MachineName\Server\*" "\\MachineName\Server Work Queues(*)\*" "\\MachineName\System\*" "\\MachineName\VM Memory(*)\*" "\\MachineName\VM Processor(*)\*" "\\MachineName\TCPv4\*" -si 00:00:05 -u Contoso\AnAccountWithLocalAdminRightsOnTargetMachine *

Note:  Replace \\MachineName with your actual machine name that you want to monitor.

Note 2:  Contoso\AnAccountWithLocalAdminRightsOnTargetMachine stands for the domain and an account that is able to create and start a perfmon on the remote machine.

logman.exe start %ComputerName%_short_interval

< reproduce the issue>

logman.exe stop %ComputerName%_short_interval
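
Steps 2, 3 and 5 scripted from the tools machine, as an added example that is not part of the original post. It builds both collectors from one counter list so every path carries the \\MachineName prefix. $Target and $Account are placeholders, and Windows PowerShell 5.1 is assumed because Get-WmiObject and Get-Service -ComputerName are not available in PowerShell 7.

```powershell
# Added example, not from the original post. Run in Windows PowerShell 5.1
# on the tools machine; $Target and $Account are placeholders.
param(
    [Parameter(Mandatory)][string]$Target,   # the post's MachineName
    [Parameter(Mandatory)][string]$Account   # e.g. Contoso\AnAccountWithLocalAdminRightsOnTargetMachine
)

# Counter objects from the post, listed once and without a machine prefix.
$objects = 'Cache', 'IPv4', 'LogicalDisk(*)', 'Memory', 'Netlogon',
    'Network Interface(*)', 'Paging File(*)',
    'Per Processor Network Activity Cycles(*)',
    'Per Processor Network Interface Card Activity(*)',
    'Processor(*)', 'Processor Information(*)', 'PhysicalDisk(*)', 'Process(*)',
    'Physical Network Interface Card Activity(*)', 'Redirector',
    'SMB Client Shares', 'SMB Server Shares(*)', 'SMB Server Sessions',
    'Server', 'Server Work Queues(*)', 'System', 'VM Memory(*)',
    'VM Processor(*)', 'TCPv4'

# Step 2: WMI answers a basic remote query.
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop | Out-Null

# Step 3: Remote Registry must be running on the target.
$svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Remote Registry on $Target is $($svc.Status); start it before collecting."
}

# A single remote counter read confirms the counters are reachable from here.
Get-Counter -ComputerName $Target -Counter '\Memory\Available MBytes' `
    -MaxSamples 1 -ErrorAction Stop | Out-Null

# Prefix every object with \\Target so no path silently resolves locally.
$paths = $objects | ForEach-Object { '\\{0}\{1}\*' -f $Target, $_ }

# Same counter list for both collectors; only the sample interval differs.
$intervals = [ordered]@{ long_interval = '00:05:00'; short_interval = '00:00:05' }
foreach ($name in $intervals.Keys) {
    $logmanArgs = @('create', 'counter', "$($env:COMPUTERNAME)_$name",
        '-f', 'bincirc', '-v', 'mmddhhmm', '-max', '750', '-c') + $paths +
        @('-si', $intervals[$name], '-u', $Account, '*')  # '*' makes logman prompt for the password
    & logman.exe @logmanArgs
    if ($LASTEXITCODE -ne 0) { throw "logman create failed for $name" }
}
```

The collectors keep the post's %ComputerName%_long_interval and %ComputerName%_short_interval names, so the logman.exe start and stop commands above work unchanged.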

More information:

============

Setting a local perfmon in a Windows client or Windows Server.

An alternative method, when you want to enable ‘local perfmons’ from a ‘remote machine’:

Setting a remote perfmon Windows Server 2012 style...

*  If you use my colleague Clint Huffman’s Performance Analysis of Logs (PAL), the “base” performance is named “System Overview”.

How to set up an in-flight recorder:

By the way, if you want to figure out why the machine is becoming unresponsive, besides the perfmon log, get a manual memory dump using:

Coming soon: How to generate a kernel or a complete memory dump file in Windows Server 2012 and Windows Server 2012 R2
