Windows Performance Monitor

Windows Performance Monitor (perfmon) is a Microsoft Management Console (MMC) snap-in that provides real-time and historical performance data for Windows systems. It exists because administrators and support technicians need a way to quantify system performance—not just feel it. Without perfmon, you'd rely on subjective observations like 'the computer feels slow.' Performance Monitor replaces guesswork with objective metrics called performance counters. Each counter measures a specific aspect of system activity: processor utilization, memory usage, disk I/O, network throughput, and more. The tool is built into all modern Windows editions (Windows 10, 11, Server 2016/2019/2022) and is accessible from the Administrative Tools folder or by running perfmon from the command line.

Performance Monitor doesn't 'watch' the system in real time by intercepting every operation. Instead, it relies on the Windows Performance Counter infrastructure. Performance counters are provided by system components (kernel, drivers, services) that expose data through a standardized API. When you add a counter in Performance Monitor, the tool queries that API at a specified interval (default 1 second for live view, configurable for logging). The query returns a numeric value—for example, \Processor(_Total)\% Processor Time returns the percentage of time the processor was busy executing non-idle threads during the sample interval.

Here's the key mechanism: counters are either instantaneous (snapshot at the moment of query) or averaged over the sample interval. For instance, \Memory\Available MBytes is instantaneous—it reports how many megabytes of RAM are immediately available at that second. In contrast, \Processor(_Total)\% Processor Time is an average over the last sample interval. The system calculates it by measuring how much of the interval was spent in the idle thread versus active threads.

Performance Monitor can operate in three modes: - Real-time monitoring: Displays counters as line graphs, histograms, or numeric reports. Data is sampled every second by default, but you can change the sample interval in the properties. - Data Collector Sets (DCS): A collection of counters, sampling intervals, and file locations for logging. You can create a DCS to log performance data to a file (.blg binary log or .csv text). This is essential for historical analysis. - Reports: After a DCS runs, you can view the logged data as a report. Performance Monitor also includes pre-built System Diagnostics and System Performance reports that collect data for a specified duration (default 60 seconds) and generate an HTML report with analysis.

#### Performance Counters

There are thousands of counters, but the 220-1102 exam focuses on a handful. Memorize these:

- Processor: - \Processor(_Total)\% Processor Time: Total CPU utilization across all cores. Sustained >85% indicates a CPU bottleneck. - \Processor(_Total)\% Interrupt Time: Time spent handling hardware interrupts. High values (>15%) suggest a failing hardware device or driver. - Memory: - \Memory\Available MBytes: Amount of physical RAM available for allocation. Below 10% of total RAM indicates memory pressure. - \Memory\Pages/sec: Rate at which pages are read from or written to disk to resolve hard page faults. High values (>1000) indicate excessive paging (memory bottleneck). - Disk: - \PhysicalDisk(_Total)\% Disk Time: Percentage of time the disk was busy servicing read/write requests. Sustained >90% indicates a disk bottleneck. - \PhysicalDisk(_Total)\Avg. Disk Queue Length: Number of I/O requests waiting for the disk. Should be <2 per spindle (for HDDs); for SSDs, queue length can be higher but still indicates congestion if >2 per physical disk. - Network: - \Network Interface(*)\Bytes Total/sec: Total bytes sent and received per second. Compare to the interface bandwidth (e.g., 1 Gbps = 125 MB/s). Sustained >80% suggests a network bottleneck.

#### Data Collector Sets

A Data Collector Set bundles performance counters, sampling intervals, and schedule into a reusable package. Key defaults:

#### Built-in Reports

To open Performance Monitor: - GUI: Start > Administrative Tools > Performance Monitor, or type perfmon in Run. - Command line: perfmon /res opens Resource Monitor (a subset of performance data). perfmon /rel opens Reliability Monitor (shows system stability over time). - MMC: perfmon /sys opens the Performance Monitor snap-in in a new MMC console.

To create a Data Collector Set from the command line, use logman:

logman create counter MyPerfLog -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" -o "C:\PerfLogs\MyLog.blg" -f bincirc -si 15 -v mmddhhmm

This creates a circular binary log that collects those two counters every 15 seconds, with automatic file naming based on month/day/hour/minute.

To start and stop a DCS:

logman start MyPerfLog
logman stop MyPerfLog

To view the log as a report:

Performance Monitor is closely related to: - Task Manager: Provides a quick snapshot of current CPU, memory, disk, and network usage. Performance Monitor offers deeper historical analysis. - Resource Monitor (resmon): Shows real-time data with per-process breakdowns for CPU, memory, disk, and network. Accessible from Performance Monitor's toolbar or by running resmon. - Reliability Monitor (perfmon /rel): Tracks system stability over time, marking critical events (crashes, hangs) and application failures. Useful for correlating performance degradation with system changes. - Event Viewer: Performance Monitor can trigger Data Collector Sets based on events. For example, you can configure a DCS to start when a specific event ID is logged. - Windows Performance Toolkit (WPT): Part of the Windows Assessment and Deployment Kit (ADK), used for advanced performance analysis (e.g., boot performance, application launch). Not on the 220-1102 exam but good to know.

The 220-1102 exam will present a symptom (e.g., 'System is slow when opening applications') and ask which counter to check. The correct answer is typically \Memory\Pages/sec for memory pressure, \PhysicalDisk\Avg. Disk Queue Length for disk bottleneck, or \Processor\% Processor Time for CPU. Another common question: 'Which tool allows you to log performance data over time?' Answer: Data Collector Set. 'Which command opens Performance Monitor?' Answer: perfmon. 'Which counter indicates memory pressure?' Answer: \Memory\Available MBytes (when low) or \Memory\Pages/sec (when high).

A company runs 500 virtual desktops on a VMware vSphere cluster with Windows 10 VMs. Users complain of slow logins and application launches between 8:00 AM and 9:00 AM. The IT team suspects a storage bottleneck. They deploy a Data Collector Set on a representative VDI host logging the following counters every 10 seconds: \PhysicalDisk(_Total)\% Disk Time, \PhysicalDisk(_Total)\Avg. Disk Queue Length, \Memory\Pages/sec, and \Network Interface(*)\Bytes Total/sec. After a week of logging, they analyze the reports and discover that Avg. Disk Queue Length exceeds 10 per physical disk during the login storm, while % Disk Time is 100% but the disks are SSDs (so % Disk Time is not a reliable indicator). The team identifies that the storage array's 10 Gbps links are saturated, causing queuing. They upgrade the links to 25 Gbps and add more SSDs. Performance Monitor provided the evidence needed to justify the hardware investment. Misconfiguration pitfall: Setting the sample interval too high (e.g., 1 hour) would miss the 30-minute login spike entirely. Setting it too low (e.g., 1 second) would generate gigabytes of data per day, overwhelming the log file size limit.

A financial firm has a Windows Server 2019 running a proprietary trading application. Over time, the server's memory usage grows until the system becomes unresponsive, requiring a reboot every two weeks. The support team uses Performance Monitor to create a Data Collector Set that logs \Process(MyApp)\Working Set, \Memory\Available MBytes, and \Memory\Pages/sec every 5 minutes for 24/7 logging. After a few days, the report shows that the application's Working Set increases steadily while Available MBytes drops from 8 GB to 512 MB over 10 days. Pages/sec spikes when Available MBytes falls below 1 GB. The team identifies a memory leak in the application and contacts the vendor for a patch. In the meantime, they configure a scheduled task to restart the application service daily. Performance Monitor's logging capability was essential for proving the leak over time. Common mistake: Using real-time monitoring instead of logging would require someone to watch the screen for days, which is impractical. The exam expects you to know that Data Collector Sets are for long-term data collection.

A school district's network becomes slow every afternoon when students access streaming video. The network administrator runs Performance Monitor on a domain controller and a file server, logging \Network Interface(*)\Bytes Total/sec and \Network Interface(*)\Packets/sec every 15 seconds. The report shows that the network interface on the file server is saturated (Bytes Total/sec consistently at 125 MB/s for a 1 Gbps link) between 1:00 PM and 3:00 PM. The admin uses this data to implement Quality of Service (QoS) policies to limit streaming traffic and upgrade the link to 10 Gbps. Performance Monitor provided the historical data needed to justify the upgrade. A common pitfall: Forgetting to log the correct network interface—on servers with multiple NICs, the counter must be selected per interface, not the _Total instance (which may sum all interfaces and overestimate utilization).