How to pull the information that Resource Monitor (ResMon.exe) provides?


Applies to:
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2

A common question that we get asked is how to pull the information that Resource Monitor (ResMon.exe) provides.

In ResMon, we are able to see the following five (5) tabs:

Overview
    CPU
    Disk
    Network
    Memory

CPU
    Processes
    Services
    Associated Handles
    Associated Modules

Memory
    Processes
    Physical Memory

Disk
    Processes with Disk Activity
    Disk Activity
    Storage

Network
    Processes with Network Activity
    Network Activity
    TCP Connections
    Listening Ports

How do you capture this set of data for your own consumption?
All of it is ETW (Event Tracing for Windows) data that ResMon collects and presents in a nice visual tool.

To see which ETW providers are enabled when you launch ResMon, open Perfmon and navigate to:
Performance --> Data Collector Sets --> WDC.GUID
Note: the GUID differs from system to system.

Inside the WDC.GUID "Event Trace Session", we see that the following ETW providers are enabled (provider, keywords/flags, level):

{B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716}
0xffffffffffffffff 0xffffffff

Microsoft-Windows-Kernel-Disk
0xffffffffffffffff 0xffffffff

Microsoft-Windows-Kernel-File
0x10 0xffffffff
Note: 0x10 denotes KERNEL_FILE_KEYWORD_FILENAME

Microsoft-Windows-Kernel-Network
0xffffffffffffffff 0xffffffff

Microsoft-Windows-Kernel-Process
0x20 0xffffffff
Note: 0x20 denotes WINEVENT_KEYWORD_THREAD

And the session's buffers are configured this way:
64KB Buffer size
16 Minimum buffers
38 Maximum buffers

Stream mode:
Real Time

So this is looking good, since ETW providers are something I can collect with many different on/off (Controller/Consumer) tools, such as:
TraceLog.exe (Controller) (SDK)
TraceRpt.exe (Consumer) (SDK)
Logman (Controller)(built-in)
XPerf (Controller) (WPT)
XPerfView (Consumer) (WPT)

In this segment, I'll just go through setting it up via Logman.

Start, Run, CMD (Run as admin), then check the available options:
logman.exe /?

logman start WDC -p {B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716} 0xffffffffffffffff 0xff -bs 64 -nb 16 38 -max 10 -ets
logman start WDC -p Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff -bs 64 -nb 16 38 -max 10 -ets
logman start WDC -p Microsoft-Windows-Kernel-File 0x10 0xff -bs 64 -nb 16 38 -max 10 -ets
logman start WDC -p Microsoft-Windows-Kernel-Process 0x20 0xff -bs 64 -nb 16 38 -max 10 -ets

Note (relevant options from logman.exe /?):
-mode <trace_mode>            Event Trace Session logger mode. For more
                              information visit -
                              https://go.microsoft.com/fwlink/?LinkID=136464
-ln <logger_name>             Logger name for Event Trace Sessions.
-[-]p <provider [flags [level]]> A single Event Trace provider to enable.
                                The terms 'Flags' and 'Keywords' are
                                synonymous in this context.
-pf <filename>                File listing multiple Event Trace providers
                              to enable.
-[-]rt                        Run the Event Trace Session in real-time mode.
-bs <value>                   Event Trace Session buffer size in kb.
-nb <min max>                 Number of Event Trace Session buffers.
-[-]max <value>               Maximum log file size in MB or number of
                              records for SQL logs.
-o <path|dsn!log>             Path of the output log file or the DSN and
                              log set name in a SQL database. The default
                              path is '%systemdrive%\PerfLogs\Admin'.
-[-]v <nnnnnn|mmddhhmm>       Attach file versioning information to the
                              end of the log name.
-ets                          Send commands to Event Trace Sessions
                              directly without saving or scheduling.

But we don't want to run four (4) separate commands to build the one (1) WDC trace session.

Instead, I created a new file in Notepad called WDC_Providers.txt containing the following 4 lines (the same provider, keywords and level columns that -p takes):

{B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716} 0xffffffffffffffff 0xff
Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff
Microsoft-Windows-Kernel-File 0x10 0xff
Microsoft-Windows-Kernel-Process 0x20 0xff

logman start WDC -pf "C:\Perflogs\WDC_Providers.txt" -bs 64 -nb 16 38 -max 10 -ets

which works fine.

Now we just need to clean up a little, such as specifying the output file location and the trace mode:

logman start WDC -pf "C:\Perflogs\WDC_Providers.txt" -bs 64 -nb 16 38 -max 10 -mode newfile -o c:\PerfLogs\output%d.etl -ets

If you want to stop the session:

logman stop WDC -ets

You should now have an .etl file in c:\perflogs.
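The whole procedure above, scripted in PowerShell as an added example (this is not code from the original post). It assumes an elevated prompt and that C:\PerfLogs exists. The provider list reproduces all five providers shown in the WDC.GUID session in Perfmon, including Microsoft-Windows-Kernel-Network, which the hand-written WDC_Providers.txt above leaves out; the tracerpt conversion at the end uses the consumer listed earlier so the resulting .etl can actually be read.

```powershell
# Added example: drive logman end to end for the ResMon (WDC) provider set.
# Assumptions: run as Administrator; C:\PerfLogs exists (logman's default location);
# logman.exe and tracerpt.exe are the built-in Windows copies.
$SessionName   = 'WDC'
$ProviderFile  = 'C:\PerfLogs\WDC_Providers.txt'
$OutputPattern = 'C:\PerfLogs\output%d.etl'   # %d is required by -mode newfile

# One provider per line: <provider> <keywords/flags> <level>, exactly what -pf expects.
$providers = @(
    '{B2CA89D8-FAC8-4759-A0C7-2FAD1FD0E716} 0xffffffffffffffff 0xff',
    'Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff',
    'Microsoft-Windows-Kernel-File 0x10 0xff',      # 0x10 = KERNEL_FILE_KEYWORD_FILENAME
    'Microsoft-Windows-Kernel-Network 0xffffffffffffffff 0xff',
    'Microsoft-Windows-Kernel-Process 0x20 0xff'    # 0x20 = WINEVENT_KEYWORD_THREAD
)
# ASCII keeps the file free of a Unicode BOM, which would otherwise be read as part of the first GUID.
Set-Content -Path $ProviderFile -Value $providers -Encoding ASCII

# Start the single WDC session with the same buffer settings ResMon uses (64 KB, 16 to 38 buffers).
& logman.exe start $SessionName -pf $ProviderFile -bs 64 -nb 16 38 -max 10 -mode newfile -o $OutputPattern -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# Confirm the session is live and lists all five providers before relying on the data.
& logman.exe query $SessionName -ets

Start-Sleep -Seconds 30   # collect for half a minute; adjust to taste

& logman.exe stop $SessionName -ets

# Convert every rolled-over .etl to CSV with tracerpt so the events can be inspected or imported.
Get-ChildItem -Path 'C:\PerfLogs' -Filter 'output*.etl' | ForEach-Object {
    $csv = [System.IO.Path]::ChangeExtension($_.FullName, '.csv')
    & tracerpt.exe $_.FullName -o $csv -of CSV -y   # -y answers yes to the overwrite prompt
    "$($_.Name) -> $csv"
}
```

The `logman query` step is the check worth keeping: if a provider name is misspelled, logman silently enables the rest, and the missing one only shows up as an absent line in the query output.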

Comments

  • Anonymous
    January 01, 2003
    Once you have the resulting .ETL file, what do you use to consume it for analysis?

    • Anonymous
      July 19, 2017
      Sorry, I accidentally posted my reply to your question as a comment.
  • Anonymous
    January 01, 2003
    Hello, Resource Monitor uses ETW as the engine.  Perfmon exposes ETW in Performance Monitor > Data Collector Sets > System > Event Trace Sessions. H.t.h. (Hope this helps), Yong

    • Anonymous
      September 15, 2017
      @YongRhee I see my WDC sitting under Event Trace Sessions. How do I examine/plot it? Also, how can I set up logging on startup (earliest possible)? Via a startup script, or using "Startup Event Trace Sessions" in perfmon? Thanks.
  • Anonymous
    February 04, 2011
    How does a user enable the resource monitor counters in perfmon?  Is this impossible?

  • Anonymous
    October 16, 2011
    I don't have the WDC Event Trace Session, so where can I see the ETW providers being collected by Resmon?

  • Anonymous
    July 19, 2017
    Craig, Here is a guide to reading ETL files: https://msdn.microsoft.com/en-us/library/windows/desktop/dd569143(v=vs.85).aspx
    You must install Network Monitor: http://go.microsoft.com/fwlink/?LinkID=103158&clcid=0x409
    The latest version of Network Monitor (v3.4) automatically installs the parsers. If it does not, or you have an older version of Network Monitor without outdated parsers, you can download them from here: https://www.microsoft.com/en-us/download/details.aspx?id=53671
    However, I can't really make sense of the data in Network Monitor.