How to pull the information that Resource Monitor (ResMon.exe) provides?
Windows Server 2008
Windows Server 2008 R2
A common question that we get asked is how to pull the information that Resource Monitor (ResMon.exe) provides.
In ResMon, we are able to see the following five (5) tabs:
Processes with Disk Activity
Processes with Network Activity
How do you capture this set of data for consumption?
All of this is ETW data that is collected and presented in a nice visual tool.
To view the ETW providers that are running when you fire off ResMon, just open Perfmon and navigate to:
Performance > Data Collector Sets > Event Trace Sessions > WDC.GUID
Note: the GUID differs from system to system.
Inside the WDC.GUID Event Trace Session, we see that the following ETW providers are collected:
Note: 0x10 denotes Kernel_File_Keyword_Filename
Note: 0x20 denotes WinEvent_Keyword_Thread
And their buffer size is set this way:
64KB Buffer size
16 Minimum buffers
38 Maximum buffers
So this is looking good, since ETW providers can be collected with many different on/off (Controller/Consumer) tools, such as:
TraceLog.exe (Controller) (SDK)
TraceRpt.exe (Consumer) (SDK)
XPerf (Controller) (WPT)
XPerfView (Consumer) (WPT)
In this segment, I'll just go through setting this up via Logman.
Start, Run, CMD (Run as admin)
logman start WDC -p
logman start WDC -p Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff -bs 64 -nb 16 38 -max 10 -ets
logman start WDC -p Microsoft-Windows-Kernel-File 0x10 0xff -bs 64 -nb 16 38 -max 10 -ets
logman start WDC -p Microsoft-Windows-Kernel-Process 0x20 0xff -bs 64 -nb 16 38 -max 10 -ets
-mode trace_mode Event Trace Session logger mode. For more
-ln logger_name Logger name for Event Trace Sessions.
-[-]p provider [flags [level]] A single Event Trace provider to enable.
The terms Flags and Keywords are
synonymous in this context.
-pf filename File listing multiple Event Trace providers
-[-]rt Run the Event Trace Session in real-time mode.
-bs value Event Trace Session buffer size in kb.
-nb min max Number of Event Trace Session buffers.
-[-]max value Maximum log file size in MB or number of
records for SQL logs.
-o path|dsn!log Path of the output log file or the DSN and
log set name in a SQL database. The default
path is %systemdrive%\PerfLogs\Admin .
-[-]v nnnnnn|mmddhhmm Attach file versioning information to the
end of the log name.
-ets Send commands to Event Trace Sessions
directly without saving or scheduling.
But we don't want to run four (4) different trace sessions to collect the one (1) WDC trace session.
I went ahead and created a new file in Notepad called WDC_Providers.txt which contained the following 4 lines:
Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff
Microsoft-Windows-Kernel-File 0x10 0xff
Microsoft-Windows-Kernel-Process 0x20 0xff
logman start WDC -pf C:\Perflogs\WDC_Providers.txt -bs 64 -nb 16 38 -max 10 -ets
which works fine.
Now we just need to clean up a little, such as setting the output path of the log file and the trace mode.
logman start WDC -pf C:\Perflogs\WDC_Providers.txt -bs 64 -nb 16 38 -max 10 -mode newfile -o c:\PerfLogs\output%d.etl -ets
If you want to stop
You should have an .etl file in c:\perflogs.
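The whole procedure above, scripted end to end as an added example (this is not code from the original post). It assumes an elevated PowerShell on Windows Server 2008 / 2008 R2 with the built-in logman and tracerpt tools; the fourth provider line of WDC_Providers.txt is not shown in the post, so only the three listed providers are written, and the capture length and log directory are assumed parameters.

```powershell
param(
    [int]$Seconds = 60,            # assumed capture length
    [string]$LogDir = 'C:\PerfLogs' # same directory the post uses
)
$ErrorActionPreference = 'Stop'

# -ets sessions need an elevated controller, as the post's "Run as admin" step implies
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell (Run as administrator).' }

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Same provider / keyword(flags) / level triples the post puts in WDC_Providers.txt
$providerFile = Join-Path $LogDir 'WDC_Providers.txt'
@(
    'Microsoft-Windows-Kernel-Disk 0xffffffffffffffff 0xff',
    'Microsoft-Windows-Kernel-File 0x10 0xff',     # 0x10 = Kernel_File_Keyword_Filename
    'Microsoft-Windows-Kernel-Process 0x20 0xff'   # 0x20 = WinEvent_Keyword_Thread
) | Set-Content -Path $providerFile -Encoding ASCII

# Refuse to start if a live session called WDC already exists (logman start would fail anyway)
cmd /c "logman query WDC -ets >nul 2>&1"
if ($LASTEXITCODE -eq 0) { throw 'An ETW session named WDC is already running; stop it first.' }

# Start the session exactly as the post does: 64 KB buffers, 16..38 buffers,
# roll to a new file every 10 MB (output1.etl, output2.etl, ...) via -mode newfile
$outPattern = Join-Path $LogDir 'output%d.etl'
logman start WDC -pf $providerFile -bs 64 -nb 16 38 -max 10 -mode newfile -o $outPattern -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing disk/file/process ETW events for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # An -ets session is never saved, so stopping it is the only cleanup required
    logman stop WDC -ets | Out-Null
}

# Consume each .etl with tracerpt (the consumer the post lists) and turn it into CSV
foreach ($etl in Get-ChildItem -Path $LogDir -Filter 'output*.etl') {
    $csv = [IO.Path]::ChangeExtension($etl.FullName, '.csv')
    tracerpt $etl.FullName -o $csv -of CSV -y
    if ($LASTEXITCODE -ne 0) { Write-Warning "tracerpt failed on $($etl.Name)" }
}
```

The resulting CSV files hold the same disk, file and process events ResMon visualises, so they can be kept or forwarded for later review.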