Performance data collection on Nano Server
Event tracing and Performance Counters in Windows are powerful mechanisms to debug failures, understand system behavior and improve performance. Nano Server fully supports the Event Tracing for Windows (ETW) framework, but some familiar tools used to manage tracing and performance counters may not yet be available on Nano Server. Happily, Nano Server has inbox tools and cmdlets to accomplish most common performance analysis scenarios. It just may entail using different commands and workflows than you may be used to.
Note that the high-level workflow remains the same as before — low-overhead tracing is performed on the Target (Nano Server) machine, and the resulting trace files and/or logs are post-processed offline on a separate machine using tools like the Windows Performance Analyzer, Message Analyzer, or others. This post primarily focuses on methods to record performance data without requiring any additional tools that are not part of the Nano image.
Refer to the how to copy files to and from Nano Server guide for a refresher on how to transfer files using PowerShell remoting
While it doesn’t cover every scenario, the table below lists the most common performance data collection activities along with a supported way to accomplish them on Nano Server. Click the links in the 2nd column to jump to the section with additional notes on usage.
| Activity | Nano Server supported |
|---|---|
| Query available Event Providers | wpr.exe -providers |
| Record traces from a single ETW Provider | Event Tracing cmdlets |
| Record traces from multiple ETW Providers | wpr.exe -profiles |
| Record ETW traces during OS boot | Event Tracing cmdlets |
| Capture Performance Counter data | typeperf.exe |
| Interact with the Windows Event Log | Get-WinEvent |
Query available Event Providers
The Windows Performance Recorder is an inbox tool that be used to get this information as follows:
wpr.exe -providers
Output can be filtered on the type of events that are of interest. Example:
PS C:\> wpr.exe -providers | select-string "Storage"
595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e : Microsoft-Windows-StorageManagement-WSP-Host
595f7f52-c90a-4026-a125-8eb5e083f15e : Microsoft-Windows-StorageSpaces-Driver
69c8ca7e-1adf-472b-ba4c-a0485986b9f6 : Microsoft-Windows-StorageSpaces-SpaceManager
7e58e69a-e361-4f06-b880-ad2f4b64c944 : Microsoft-Windows-StorageManagement
88c09888-118d-48fc-8863-e1c6d39ca4df : Microsoft-Windows-StorageManagement-WSP-Spaces
Record traces from a single ETW Provider
The new Event Tracing Management cmdlets can used for this. Below is an example workflow.
Create and start the trace, specifying a file name for storing the events.
PS C:\> New-EtwTraceSession -Name "ExampleTrace" -LocalFilePath c:\etrace.etl
Add a provider GUID to the trace. Use wpr.exe -providers for Provider Name to GUID translation.
PS C:\> wpr.exe -providers | select-string "Kernel-Memory"
d1d93ef7-e1f2-4f45-9943-03d245fe6c00 : Microsoft-Windows-Kernel-Memory
PS C:\> Add-EtwTraceProvider -Guid "{d1d93ef7-e1f2-4f45-9943-03d245fe6c00}" -SessionName "ExampleTrace"
Remove the trace — this stops the trace session, flushing events to the associated log file.
PS C:\> Remove-EtwTraceSession -Name "ExampleTrace"
PS C:\> dir .\etrace.etl
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2016 11:17 AM 16515072 etrace.etl
Note that while the example above shows adding a single trace provider to the session, the Add-EtwTraceProvider cmdlet can be executed multiple times on a trace session with different provider GUIDs to enable tracing from multiple sources. Another alternative is to use wpr.exe profiles described below.
Record traces from multiple ETW Providers
Windows Performance Recorder’s -profiles option enables tracing from multiple providers at the same time. You can choose from a number of builtin profiles like CPU, Network, DiskIO etc.
PS C:\Users\Administrator\Documents> wpr.exe -profiles
Microsoft Windows Performance Recorder Version 10.0.14393 (CoreSystem)
Copyright (c) 2015 Microsoft Corporation. All rights reserved.
GeneralProfile First level triage
CPU CPU usage
DiskIO Disk I/O activity
FileIO File I/O activity
Registry Registry I/O activity
Network Networking I/O activity
Heap Heap usage
Pool Pool usage
VirtualAllocation VirtualAlloc usage
Audio Audio glitches
Video Video glitches
Power Power usage
InternetExplorer Internet Explorer
EdgeBrowser Edge Browser
Minifilter Minifilter I/O activity
GPU GPU activity
Handle Handle usage
XAMLActivity XAML activity
HTMLActivity HTML activity
DesktopComposition Desktop composition activity
XAMLAppResponsiveness XAML App Responsiveness analysis
HTMLResponsiveness HTML Responsiveness analysis
ReferenceSet Reference Set analysis
ResidentSet Resident Set analysis
XAMLHTMLAppMemoryAnalysis XAML/HTML application memory analysis
UTC UTC Scenarios
DotNET .NET Activity
WdfTraceLoggingProvider WDF Driver Activity
You can also author your own custom profiling configuration to record performance data from exactly the sources you desire. While the process of creating a custom profile is a little involved, it does provide a lot of flexibility and reusability. Detailed guidance on creating custom profiles is at the WPR.exe documentation
Record ETW traces during OS boot
Sometimes there is a need to record performance events early during boot, this is when the cmdlet New-AutologgerConfig comes in handy. Usage is very similar to New-EtwTraceSession cmdlet, just that providers added to the Autologger’s config will only enabled early at next boot. The overall workflow looks like this:
First, create a new Autologger config.
PS C:\> New-AutologgerConfig -Name "BootPnpLog" -LocalFilePath c:\bootpnp.etl
Add a ETW provider to it. In the example below we use the Kernel PnP provider. You invoke Add-EtwTraceProvider again, specifying the same Autologger name but a different GUID to enable boot trace collection from multiple sources.
Add-EtwTraceProvider -Guid "{9c205a39-1250-487d-abd7-e831c6290539}" -AutologgerName BootPnpLog
Note that this does not start an ETW session immediately, but rather configures one to start at next boot. After rebooting, a new ETW session with the Autologger config name is automatically started with the added trace providers enabled. After Nano Server boots up, you can stop the trace session with following command. This will stop the trace session after flushing the logged events to the associated trace file.
PS C:\> Remove-EtwTraceSession -Name BootPnpLog
If you don’t want another trace session to be auto-created at next boot, the Autologger config can be removed.
PS C:\> Remove-AutologgerConfig -Name BootPnpLog
If you need to collect boot and setup traces across a fleet of systems or on a diskless system, consider using Setup and Boot Event Collection — a new feature in Windows Server 2016 that also supports Nano Server targets.
Capture Performance Counter data
Another popular way to gauge how well the OS, application or driver is performing is to use Performance Counters. Usually, this data is consumed via the perfmon GUI. Typeperf.exe is its command-line equivalent that is supported on Nano Server. Below is simple example to illustrate its usage.
Query available Counters; output can be filtered to easily find the ones of interest.
PS C:\> typeperf.exe -q | Select-String "UDPv6"
\UDPv6\Datagrams/sec
\UDPv6\Datagrams Received/sec
\UDPv6\Datagrams No Port/sec
\UDPv6\Datagrams Received Errors
\UDPv6\Datagrams Sent/sec
You can specify the number of times and the interval at which Counter values are snapped. In the example below, Processor Idle Time is snapped 5 times every 3 seconds.
PS C:\> typeperf.exe "\Processor Information(0,0)\% Idle Time" -si 3 -sc 5
"(PDH-CSV 4.0)","\\venkat-ns-g2\Processor Information(0,0)\% Idle Time"
"09/15/2016 09:20:56.002","99.982990"
"09/15/2016 09:20:59.002","99.469634"
"09/15/2016 09:21:02.003","99.990081"
"09/15/2016 09:21:05.003","99.990454"
"09/15/2016 09:21:08.003","99.998577"
Exiting, please wait...
The command completed successfully.
Other command line options allow specifying Counter names of interest in a config file, redirecting output to a log file etc. Refer to the typeperf.exe documentation for details.
If you prefer using the Perfmon GUI for visualization, you can use it remotely with Nano Server targets. When adding Counters to the view, specify the Nano Server target in the computer name instead of the default .
Interact with the Windows Event Log
Nano Server supports the Get-WinEvent cmdlet, which provides powerful Windows Event Log filtering and querying capabilities, both locally as well as on a remote machine. Detailed options and examples are available at the Get-WinEvent documentation page. In the simple example below, we retrieve the Errors noted in the System log during the past two days.
PS C:\> $StartTime = (Get-Date) - (New-TimeSpan -Day 2)
PS C:\> Get-WinEvent -FilterHashTable @{LogName='System'; Level=2; StartTime=$StartTime} | select TimeCreated, Message
TimeCreated Message
----------- -------
9/15/2016 11:31:19 AM Task Scheduler service failed to start Task Compatibility module. Tasks may not be able to reg...
9/15/2016 11:31:16 AM The Virtualization Based Security enablement policy check at phase 6 failed with status: {File...
9/15/2016 11:31:16 AM The Virtualization Based Security enablement policy check at phase 0 failed with status: {File...
Nano Server also supports wevtutil.exe which allows you to retrieve information about event logs and publishers. Refer to wevtutil.exe documentation for more details.
If you love GUIs, we’ve got you covered as well. Web-based Server management tools can be used to remotely manage Nano Server targets and present a Nano Server Event Log via a web browser. Finally, if familiarity trumps all, you can still use the trusty old Event Viewer (eventvwr.msc) to view logs — just open it on a machine with a desktop and point it to a remote Nano Server machine!
Feedback appreciated
That’s it for this post, hope you found it useful. As always, please be generous with your feedback and let us know if you would like to see any scenario or favorite perf tool enabled to make Nano Server even better!
Comments
- Anonymous
September 20, 2016
The comment has been removed - Anonymous
September 21, 2016
That's an excellent post, thank you. There's one thing I wonder is why at Microsoft you still continue to provide cmdline utilities? Why Powershell is not the primary target? I would love to see typeperf.exe implemented as a Powershell module.- Anonymous
September 21, 2016
Thanks Arnaud, feedback noted!
- Anonymous
- Anonymous
February 24, 2017
Does Nano server support Windows Event Forwarding? As a source connecting to a Windows Event Collector subscription? - Anonymous
June 20, 2017
how do I Add a profile?Add-EtwTraceProvider "CPU" -SessionName "ExampleTrace" does not work...