Microsoft Exchange Server User Monitor
Topic Last Modified: 2009-01-27
Released/Updated October 2008
The Microsoft® Exchange Server User Monitor (ExMon) tool enables administrators to view and evaluate individual users' usage and experience with Microsoft Exchange Server. With this tool, administrators can gather real-time data that helps them better understand current client usage patterns and plan for future use.
Using ExMon, administrators can view the following:
IP addresses used by clients
Microsoft Office Outlook® versions and mode, such as Cached Exchange Mode and classic online mode
Outlook client-side monitoring data
Resource use, such as:
CPU usage
Server-side processor latency
Total latency for network and processing with Outlook 2003 and later versions of MAPI
Network bytes
Note
ExMon measures only MAPI traffic and load on an Exchange server. It does not include or display data about other protocols, such as Simple Mail Transfer Protocol (SMTP), Distributed Authoring and Versioning (DAV), Outlook Web Access, Post Office Protocol version 3 (POP3), or Internet Message Access Protocol version 4rev1 (IMAP4).
When to Use ExMon
ExMon enables administrators to view and analyze how individual users affect the health and performance of an Exchange server, including CPU usage and network traffic. It also enables administrators to view and analyze how those individual users' experience is affected by the server.
Note that ExMon does not report all information about server health or user experience. For example, ExMon does not report on the following factors that can affect Exchange Server performance:
Incoming unsolicited commercial e-mail (also known as spam) from the Internet
Incoming SMTP mail flow from the Internet or from other sites in your organization
Use of non-MAPI protocols for account access, such as POP3 and IMAP4
Use of mobile devices, although some Exchange ActiveSync® client traffic is included
ExMon provides an overview of individual users' behavior only. Use it with other procedures and tools that are recommended by Microsoft.
Installation
To collect data, ExMon can be installed on either Exchange 2000 Server SP2 and later versions, Exchange Server 2003 SP1 and later versions, or Exchange Server 2007 SP1 and later versions. You can collect data that is relevant to the Exchange server on which ExMon is installed.
To view data, you do not need to install ExMon on an Exchange server. If the input file that you want to read was installed on a Microsoft Windows Server™ 2003 server, you will need to install ExMon on a Windows Server 2003 server. If the input file was collected on Microsoft Windows® Server 2000, you can use ExMon that is installed on Windows Server 2003, Windows 2000 Server, or Windows XP to view the data.
To install ExMon
Double-click the Exmon Windows Installer package and follow the installation steps. By default, ExMon is installed in the Program Files\Exchange User Monitor folder for Windows Server 2003 or Windows XP installations. By default, ExMon is installed in the Program Files (x86)\Exchange User Monitor folder for Windows Vista or Windows Server 2008 installations.
Start Windows Explorer, and then locate the newly created folder.
Double-click exmon.reg to create the registry key for ExMon data collection.
Selecting a Data Collection Method
You must configure ExMon to collect data by one or more of the following methods:
Collecting data directly with ExMon
Collecting data by using System Monitor (Windows 2000 Server and Windows Server 2003 only)
Collecting data by using command-line tools
Collecting Data Directly with ExMon
Collecting data directly with ExMon is the simplest method for short-term data collection. ExMon collects data in user-configurable intervals and displays that data after collection. Collecting data directly with ExMon is most useful for quick spot checks of a server, not for large-scale or long-interval data collection. For large-scale or long-interval data collection, use the data collection methods that are described in the next sections.
To run, stop, and resume data collection in ExMon
Verify that the Microsoft Exchange Information Store service is running.
Run Exmon.exe. ExMon starts collecting data immediately in one-minute intervals and displays collected data at the end of the data interval.
Note
By default, ExMon does not permanently save collected data. It uses temporary files. See the "To change the data collection interval" procedure in this section for instructions on changing the collection interval.
To stop data collection, click File, and then click Stop. Or, click Stop Tracing on the toolbar.
To resume data collection, click File, and then click Start. Or click Start Tracing on the toolbar.
Note
The Microsoft Exchange Information Store service must be running for ExMon to successfully start tracing.
To change the data collection interval
- By using the Update Interval (min) control on the toolbar, pick a tracing interval between one and 30 minutes. To create traces longer than 30 minutes, chose a different collection mode.
Warning
Because ExMon displays trace files at every update interval, administrators should use caution on production servers. The parsing of ExMon data files can be computationally intensive and can affect Exchange performance. Large update intervals produce large files that are more likely to affect server performance.
Collecting Data By Using System Monitor
Collecting data by using System Monitor is the preferred method of data collection. Collecting data by using System Monitor enables the scheduled collection of ExMon data in a familiar interface. System Monitor enables scheduling data collection on a daily or weekly basis.
Follow these steps to collect ExMon data with System Monitor.
Important
The following procedure does not work in Windows Server 2008.
To configure a trace log
Whether you are running Windows Server 2000 or Windows Server 2003, log on to the server by using credentials that are configured as a local administrator.
Important
The account that you use to collect ExMon data must be a member of the administrative group on the Exchange server.
To start System Monitor, click Start, click Run, and then type perfmon.msc.
In the Performance console, expand Performance Logs and Alerts, and right-click Trace Logs. Select New Log Settings.
Create a descriptive name for the new log.
Under Nonsystem Providers, click Add.
Select Microsoft Exchange Information Store, and then click OK.
Provide credentials to Run As in the form DOMAIN\username. You also must provide a password by clicking Set Password.
Set other options, such as schedule and logging directory. For help in configuring these options, see System Monitor Help.
Click OK. Data collection will start according to the scheduling options that you have selected.
Collecting Data Using Command-Line Tools
Advanced users can customize and script ExMon data collection by typing commands at a command prompt.
Use the following procedures to collect ExMon data by using command-line tools.
To use the Tracelog command-line tool to collect data
Click Start, click Run, and then type cmd to open a Command Prompt window.
At the command prompt, type tracelog.exe –start “Exmon_trace” –f [Drive:][Path] OutputFileName –guid [Drive:][Path] guids.txt ExMonPath\. guids.txt refers to the full path of the Guids.txt file that was copied to the directory when you installed ExMon. Data collection will start immediately.
Note
Tracelog.exe is in the Windows\System32 directory on Windows Server 2003 and also in the Microsoft Driver Development Kit (DDK) for Windows 2000 Server. To obtain Tracelog.exe for Windows Server 2008, download the Windows Server 2008 SDK together with the .NET Framework 3.5. To obtain these programs, see Windows SDK for Windows Server 2008 and .NET Framework 3.5.
To use the Logman command-line tool to collect data
In Windows Server 2008 and Windows Server 2003 installations, you can use the Logman tool to enable tracing.
Note
This procedure must be performed from a Windows command prompt. You cannot perform this procedure from the Exchange Management Shell.
To perform this procedure, run the following command, and modify the destination path as appropriate for your environment:
logman create trace Exmon_Trace -p {2EACCEDF-8648-453e-9250-27F0069F71D2} -o c:\Tracing\exmonNote
In this command, you must add "exmon" to the destination path. This is to create the file in the appropriate subdirectory together with the correct prefix. If the specified directory does not exist, it is automatically created. However, you must run the command with the appropriate permissions to create a directory.
To use the Guids.txt file in the Logman command, run the following command:
logman create trace Exmon_Trace -o c:\Tracing\exmon -pf guids.txt
To stop Tracelog data collection
Click Start, click Run, and then type cmd to open a Command Prompt window.
At the command prompt, type tracelog.exe –stop “Exmon_Trace”, and then press ENTER.
To stop Logman data collection
Click Start, click Run, and then type cmd to open a Command Prompt window.
At the command prompt, type logman stop "Exmon_Trace", and then press ENTER.
Viewing ExMon Data
The following sections describe the three views of data in ExMon and how to view them.
Displaying Data in ExMon
Use the ExMon user interface to display data.
To view data in ExMon
Click Start, click Run, and then type cmd to open a Command Prompt window.
At the command prompt, type exmon.exe “[Drive:][Path]InputFileName”.
Description of ExMon Data Columns
By using ExMon, you can display data in the following ways.
By User View
By Version View
By Clientmon View
Displaying Data in the By User View
The By User view aggregates data about individual users' consumption of server resources. Each row in the view contains data about one user, whether that user has only one computer or is accessing Exchange Server from multiple computers. The following table shows the types of data that are displayed in the By User view.
| Column Name | Column Description |
|---|---|
User Name |
The display name of the user. Note In the case of Delegate Access or a shared mailbox, the user name corresponds to the actual user, not the mailbox. Note A blank user name indicates system usage and use of clients that have not successfully authenticated. |
Packets |
The count of remote procedure call (RPC) packets that have been processed by the server. |
Operations |
The count of operations in RPC packets. Frequently, Exchange Server assembles operations together to reduce network overhead. |
CPU Time (ms) |
The sum of processing time consumed and reported in milliseconds. 1000 milliseconds corresponds to one second of 100 percent processor utilization or to two seconds of 50 percent processor utilization (and so on). |
CPU % |
The percentage of store CPU, not total processor CPU, consumed by the user. |
Avg. Server Latency (ms) |
The average amount of time that Exchange Server spends processing, retrieving data from disk, and communicating with the Active Directory® directory service global catalogs and domain controllers. |
Max. Server Latency (ms) |
The maximum time that Exchange Server spends processing, retrieving data from disk, and communicating with Active Directory global catalogs and domain controllers. |
Bytes In |
Sum of Exchange-related data that the server receives after compression. This sum does not include TCP/IP overhead or packet retransmission. |
Bytes Out |
Sum of Exchange-related data that the server sends to the client after compression. This sum does not include TCP/IP overhead or packet retransmission. |
Client Versions |
A list of all distinct versions of MAPI clients that are used. The versions that are listed are the version of EMSMDB32.dll. |
Client IP Addresses |
A list of all distinct IP addresses that are used by MAPI clients. Note The IP addresses that are listed in this column are the IP address after any proxy servers or network address translation. They might not be the MAPI client’s actual IP address. |
Displaying Data in the By Version View
The By Version view aggregates data about the client version. This view is useful to evaluate the overall load that is generated by the various versions of MAPI clients. The following table shows the types of data that are displayed in the By Version view.
| Column Name | Column Description |
|---|---|
Version |
The version of the MAPI client. The version reported reflects the version of EMSMDB32.dll. |
Packets |
The count of RPC packets that have been processed by the server. |
Operations |
The count of operations that is contained in RPC packets. Generally, Exchange Server assembles operations together to reduce network overhead. |
CPU Time (ms) |
Sum of processing time consumed and reported in milliseconds. 1000 milliseconds corresponds to 1 second of 100 percent processor utilization or to 2 seconds of 50 percent processor utilization (and so on). |
CPU % |
The percentage of store CPU, not total processor CPU, consumed by the MAPI version. |
Avg. Server Latency (ms) |
The average amount of time that Exchange Server spends processing, retrieving data from disk, and communicating with the Active Directory global catalogs and domain controllers. |
Max. Server Latency (ms) |
The maximum time Exchange Server that spends processing, retrieving data from disk, and communicating with Active Directory global catalogs and domain controllers. |
Bytes In |
Sum of Exchange-related data that the server receives after compression. This sum does not include TCP/IP overhead or packet retransmission. |
Bytes Out |
Sum of Exchange-related data that the server sends to the client after compression. This sum does not include TCP/IP overhead or packet retransmission. |
Displaying Data in the By Clientmon View
The By Clientmon view aggregates data that helps administrators quantify individual users' experience with Outlook 2003 and later versions. The following table shows the types of data that are displayed in the By Clientmon view.
Note
Only Outlook 2003 provides data. Earlier versions of Outlook will not contribute data to this view.
| Column Name | Column Description |
|---|---|
User Name |
The display name of the user. Note For Delegate Access or a shared mailbox, the user name corresponds to the actual user, not the mailbox. Note The blank user name indicates system usage and use of clients that have not successfully authenticated. |
Succeeded RPC Count |
The count of succeeded RPC calls that client-side monitoring reports about Outlook 2003. |
Avg. Client Latency (ms) |
The average of per-RPC roundtrip times as seen by the MAPI client. This time includes all network transit, queuing, and processing time. |
Max. Client Latency (ms) |
The maximum per-RPC roundtrip time as seen by the MAPI client. This time includes all network transit, queuing, and processing time. |
Avg. Foreground Client Latency (ms) |
The average of per-RPC roundtrip times as seen by the MAPI client that will cause the Outlook user interface to stop responding. This does not include all possible scenarios that could cause Outlook to stop responding. This time includes all network transit, queuing, and processing time. Note This field requires that Exchange Server 2003 is running SP1 or later versions, and that the MAPI clients are running Outlook 2003 SP1 or later versions. |
Max. Foreground Client Latency (ms) |
The maximum per-RPC roundtrip time as seen by the MAPI client that will cause the Outlook user interface to stop responding. This does not include all possible scenarios that could cause Outlook to stop responding. This time includes all network transit, queuing, and processing time. Note This field requires that Exchange Server 2003 is running SP1 or earlier versions, and that the MAPI clients are running Outlook 2003 SP1 or earlier versions. |
Cached Mode Sessions |
The count of separate RPC connections that are using Outlook 2003 Cached Exchange Mode. Note Users who are using Cached Exchange Mode across all their computers have a Cached Exchange Mode session count that equals their session count. If a user's Cached Exchange Mode session count is less than the session count, the user is running multiple computers or is using Cached Exchange Mode and classic online access at the same time. |
Client Processes |
The list of distinct names of processes that the user uses to access Exchange Server. Outlook is reported as Outlook.exe. Third-party applications might also be listed here. An example of another application might be wcesmgr.exe, which is the ActiveSync application. ActiveSync provides synchronization to some mobile devices. |
Exporting ExMon Data
ExMon supports the export of data from all data views. It exports the data to comma-separated text files (.csv). The exported data can be used by several programs, including Microsoft Excel, Microsoft Access, and Microsoft SQL™ Server.
To export By User data to a .csv file
Click Start, click Run, and then type cmd to open a Command Prompt window.
At the command prompt, type exmon.exe –SU “[Drive:][Path]OutputFileName“ “[Drive:][Path]InputFileName”
Note
You can export multiple files at the same time by combining the –SU, -SV, and –SC options. However, you must export each one to a separate output file.
ExMon Syntax
This section provides examples of the exmon command and explanations of the parameters.
exmon.exe
exmon.exe "[Drive:][Path]InputFileName"
exmon.exe /h
exmon.exe /?
exmon.exe [/{SU|SV|SC} "[Drive:][Path]OutputFileName" "[Drive:][Path]InputFileName"
| Command Parameters | Function |
|---|---|
/? or /h |
Displays help at the command prompt |
/SU “[Drive:][Path]OutputFileName” |
Exports the By User view to a .csv file |
/SV “[Drive:][Path]OutputFileName” |
Exports the By Version view to a .csv file |
/SC “[Drive:][Path]OutputFileName” |
Exports the By Clientmon view to a .csv file |
Interpreting ExMon Data
Several factors, such as time of day, usage patterns, server load, server configuration, and server load, can cause variations in the data that is collected and displayed in ExMon. An administrator can best understand any data by comparing it with baseline data that is collected during normal operations.
The following sections describe the data that is displayed in some of the data columns and how that data reflects some of the underlying factors that could influence the overall results. To successfully work with the ExMon data, you must have a clear understanding of your Exchange deployment.
CPU Time
The data displayed in the CPU Time (ms) column represents the processing time that Store.exe requires to process all requests. Some operations require more processing than others. For example, sophisticated searches and large data exports require more processing time than viewing of a single mail item. CPU time is reported in milliseconds of processing time, which depends on the server hardware. For example, one millisecond of processing time on a 1000-MHz processor is equal to approximately two milliseconds of processing time on a 500-MHz processor.
Server Latency
The data displayed in the server latency columns documents the time that is required to process user requests. This time includes CPU processing time, time waiting for disk I/Os, and time waiting because the server is busy and is processing other user requests.
Each operation requires a different proportion of processing time and disk I/O time. Overall server latency for all user requests is reported by the Performance Monitor (Perfmon) count for averaged MSExchangeIS\RPC latency. ExMon enables you to view this data for individual users.
Individual users' server latencies can vary widely from the average. You can obtain more accurate results by gathering long traces over more than 30 minutes or even over several hours.
Client Latency
The data displayed in the Avg. Client Latency (ms) column is a superset of the CPU time and the server latency. Client latency includes not only server latency, but also any network delay that is caused by issues with the network, packet retransmission, and network bandwidth.
For users who use Outlook without Cached Exchange Mode, high client latency times directly affect how frequently Outlook is unresponsive. ExMon reports client latency for each request, while Outlook may require multiple requests to complete an operation. This means that the client latency reported by ExMon provides a lower bound to the responsiveness that users may experience. Generally, if the minimum client latency is consistently more than 100 milliseconds, the user experiences poor responsiveness in Outlook in traditional online mode. An individual client latency over five seconds invokes the Cancelable RPC dialog box in Outlook 2002 for Office XP.
Improvements in Outlook 2003 with Cached Exchange Mode help hide this latency from the user and enable site consolidation by moving many important tasks, such as reading and sending mail, to the background. When a user is using Outlook 2003 Cached Exchange Mode, consistent average client latencies of 500 milliseconds or more can be hidden from the user. With client latencies of more than 1000 milliseconds and low network bandwidth, users may benefit from Cached Exchange Mode that is configured to download only mail headers.
Foreground Client Latency
Foreground client latency is a measure of specific types of Outlook requests. These specific types are operations that are not in the background. For example, updating rules, browsing public folders, and delegate access are not optimized to use background communication. The Avg. Foreground Client Latency (ms) data informs administrators about operations that cause client unresponsiveness. To understand the overall effect on the user, make sure that you compare the approximate percentage of foreground packets to all packets.
Network Bytes
The network bytes columns document the amount of data and control codes that are sent to and from Exchange Server. This count includes only Exchange-related data and does not include data that is related to TCP/IP overheads, packet retransmission or packet loss, RPC encryption, RPC over HTTP, or Internet Protocol security (IPSec). However, it does account for compression that is used by Exchange Server 2003, and Outlook 2003 and later versions.
The amount of network traffic depends heavily on the usage profile. The Outlook message formats HTML, RTF, and plain text all vary widely in size. Also, the number and size of attachments and the time of day affects the amount of network traffic. To more accurately measure network usage, use longer monitoring periods.
Frequently Asked Questions
Q: How much disk space is required for ExMon data collection?
A: File size depends on the Exchange server load. You can estimate required file size by looking at the Perfmon counter, MSExchangeIS\RPC Operations\sec, as the file size per hour. For example, a server that has an average RPC Operations\sec of 300 requires 300 MB per hour of free space for ExMon data collection.
Q: How long should I collect ExMon data?
A: Tracing time depends on user activity and how you want to use the data. For good averages across all users, it is recommended that you collect data for at least 30 minutes during a period of expected user activity. Some client monitoring data is collected only at certain intervals. Therefore, collecting data for longer may increase the probability of more complete data. When you troubleshoot individual users and problems, traces of one to five minutes are generally sufficient.
Q: Does ExMon support non-English languages of Exchange Server 2003 or later versions and the Windows operating system?
A: Yes. ExMon can be run with any language that is supported by Exchange Server and any language that is supported by Windows. ExMon supports Unicode display names for users. However, the ExMon tool interface and documentation are available only in English.
Q: How does ExMon data collection affect Exchange server performance?
A: The effect of data collection on Exchange Server is less than a two percent increase in CPU or latency. To minimize the effect, you should not collect data on a hard disk drive that is currently being used by Exchange, such as the database, streaming, log file, or queue drives. Also note that ExMon tracing uses a Windows technology known as Event Tracing for Windows (ETW). ETW was designed especially for performance tracing and is used by core parts of Windows. As a result, the effect on the server is less than two percent additional processing time and a negligible additional latency.
Q: Because ExMon data is collected with ETW, can I write my own data parser?
A: No, you currently cannot write your own data parser. The raw data requires a significant amount of analysis to produce meaningful data.
Q: Why does ExMon display only part of a user’s display name?
A: Because of limitations in the tracing and parsing code, ExMon truncates user display names to 32 characters.
Q: Why are some data columns blank?
A: Some data columns are blank because some servers do not provide some information. ExMon can view data in Exchange Server 2000 SP2 and later versions, in Exchange Server 2003 SP1 and later versions, and in Exchange Server 2007 SP1 and later versions. Since the release of Exchange Server 2000, significant changes have been made. ExMon supports data files from all these servers, although not all the data is available. For example, the Foreground Latency column in the By Clientmon view requires Exchange Server 2003 SP1. It also requires that users also have Outlook 2003 SP1.
Q: How can I collect data on Exchange that is running on Clustering Services for Microsoft Windows?
A: Tracing ExMon data on Exchange servers that use Cluster Service is difficult because you care about collecting data for a specific virtual server instead of data from just a physical node. A cluster failover during a data collection session causes incomplete data. By collecting on shorter intervals, such as five minute intervals, on every node of the cluster, you can minimize the amount of data that is lost if there is a failover. Both System Monitor and Tracelog.exe provide functionality to create intervals based on file size instead of time. You can also write a script to run on cluster failovers, and start and stop the appropriate data collections.
Q: Why doesn't ExMon display data when I have passed in an input file?
A: You may be able to resolve this issue by performing the following tasks:
Make sure that you put the path and file name in double quotation marks if the path or file name contains a space.
ExMon must run on Windows Server 2003 or later versions if the Event Trace Log (.etl) file was collected on Windows Server 2003 or later versions.
Verify that the Exmon.reg file was applied before you began collecting data. For instructions on how to apply the Exmon.reg file, see "Installation" earlier in this document.