What is PerfMonitor?

PerfMonitor is a tool for collecting and accessing windows tracing information (also known as Event Tracing for Windows or ETW). Built into many parts of windows including the kernel and the .NET Common Language Runtime (CLR) are logging routines that will generate very detailed information about what the computer is doing. PerfMonitor is a tool that allows you to turn this logging on (on a machine wide basis) and collect the data into Event Trace Log (ETL) files. PerfMonitor also allows you to convert the binary ETL files to an XML file. See PerfMonitor for more on donloading the tool or the Download page for getting the binary.

Quick Start

Perhaps the fastest way to get a sence of the kind of data that is available using PerfMonitor is to quickly collect some. Try the command:

     perfMonitor /stacks runPrint perfMonitor list


This command tells perfMonitor to:

You can then browse the data using a text editor, or an XML viewer. Because the XML files tend to be very large, it is NOT recommended that you display the data using internet explorer (notepad is better) By browsing the file you will see the wealth of detailed information that was collected including:

In short, if you want detailed data on what your computer is doing, ETW can give it to you.

Analyzing data

In addition to the 'print' functionality, PerfMonitor has a few simple analysis built into it. The simplest is the 'stat's command that gives you the counts of various events that ETW collected. It is useful to see 'what data is out there' and to diagnose issues with data collection (am I getting the events I expect).
     perfMonitor stats


Perfmonitor also has a number of CLR specific analyses it can do. In particular it has summarys of the .NET runtime garbage collector as well as Just In Time compiler. For example the command
     perfMonitor gcTime

Will give you detailed information on what was going on in the GC for every process that loaded the runtime. It will give number of collections (and of what type), amount of memory allocated, heap sizes before an after collection, pause times and other information related to the .NET Garbage collector. Simmilarly the command
     perfMonitor jitTime

Will tell you every method you Just in Time compiled of every application that was running during the collection interfval, and what DLL it came from. On V4.0 runtimes, it will also tell you the amount of time spent generating that code. This can be used to quickly determine whether the NGEN.EXE tool would be helpful for your application.

More options for collect data

One of major functions of PerfMonitor is to provide a mechanism for users to control the collection of ETW data by acting as an ETW Controller. This is exposed in the following PerfMonitor commands:

For those that are familiar with XPerf, the collection functionality of XPERF and PerfMonitor are very simmilar. The start command turns on (machine wide) logging, and the stop command turns logging off. Only one session can be on simultaneously. If you try to start a session when one is already started, it closes the existing session and opens a new one. The effect of turning on a session is immediate and takes effect on live processes as well as new processes that are created. A filename can be specified (suggested extension is .ETL), but it will default to 'perfMonitorOutput.etl if not provided. ETW allows a huge array of events to be turned on, which can be a daunting task, so perfMonitor simplifies this by choosing a good set of default events, that are useful in a broad variety of performance investigations but are not too expensive to collect. This includes OS kernel operations associated with processes, threads, DLLs, page faults, diskIO, and CPU sampling as well as CLR events associated with Garbage Collections, the CLR Thread pool, lock contention, exceptions, and compilation of managed code to native code.

Due to a limitation in implementation, kernel event cannot be collected into the same ETL file as all other events. PerfMonitor works around this by making two separate files (e.g. *.etl and *.kernel.etl). Whenever it is manipulating etl files, it looks for the *.kernel.etl 'shadow' file and combines the two files into one when doing its processing. Thus typically perfMonitor generates two files.

PerfMonitor supports the following options for fine tuning the data collected

These options only have an effect if the Kernel provider is turned on (that is /noKernel was NOT specified);

Once started, the ETW session created by 'perfMonitor start' will live until it is explictly stopped with 'perfMontior stop'. It is relatively easy for a session to be left running accidentially (eg when a script fails and does not call 'perfMonitor stop'), so perfmonitor provide the following command:

This command starts monitoring, runs a command, and stops monitoring. It has error handling so that in most cases it will not leave monitoring on (eg if you hit Ctrl-C it will stop monitoring before exiting). However if perfMonitor is terminated by an external agent (eg from Task manager), it won't be able to do this cleanup. Generally it is safer and more convinient to use the run command when you can do so.