How to enable Exchange User Monitor tracing via the command line

For troubleshooting Exchange user performance-related issues, or to help plan your design for Exchange 2007, Exchange User Monitor (Exmon) is a great utility to have in your tool bag, and it contains a wealth of knowledge on your current user activities. Exmon has been previously talked about at https://msexchangeteam.com/archive/2005/04/06/403409.aspx and some FAQs regarding the tool can be seen at https://msexchangeteam.com/archive/2005/06/13/406276.aspx. There is also another link, which is much harder to find, at https://technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx that explains how to use the tool in much greater detail.

Exmon tracing uses the ETW (Event Tracing for Windows) facility of Windows to send internal application event data to .etl files for later analysis. Detailed information regarding this tracing can be found in the Windows DDK at https://msdn2.microsoft.com/en-us/library/aa468736.aspx and also in https://msdn2.microsoft.com/en-us/library/aa363668.aspx.

ETW tracing uses event providers that were specifically written for an application or driver, and each provider can be referenced either by its name or by its GUID. To view a list of current providers, run logman query providers from a command prompt, which will give you a list similar to the screenshot below.

[Screenshot: output of logman query providers]

Notice the Exchange Information Store provider with its GUID of 2EACCEDF-8648-453e-9250-27F0069F71D2. This is the provider that ExMon uses for its tracing, and it is also the information that is needed later in this article to enable ETW tracing from a command line. Please note that this article will work on Exchange 2003 or Exchange 2007 servers, as the provider GUID has not changed.

Prerequisite

Before enabling ExMon tracing, the following registry keys must be added to the registry to allow Exmon to collect data in the ETL file.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"RpcEtwTracing"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Trace]
"UsePerformanceClock"=dword:00000001

To enable tracing on any given server, there are essentially two methods that can be used to create and start/stop Exmon tracing.

Method 1

Tracelog

1. Download and install tracelog from https://www.microsoft.com/downloads/details.aspx?FamilyID=55E51B3B-6C26-4CA0-ABF1-0E51D92B8298&displaylang=en

2. Create a directory called Tracing (ex. C:\tracing)

3. Copy tracelog.exe to this directory from the default install location of c:\program files\Resource Kit.

4. Create a start_tracing.cmd file and add the following information to the file. Save this to the location created in Step 2.

tracelog.exe -start Exmon_Trace -f c:\Tracing\Exmon_trace.etl -seq 3500 -guid control.guid

5. Create a stop_tracing.cmd file and add the following information to the file. Save this to the location created in Step 2.

tracelog.exe -stop Exmon_Trace

6. Create a control.guid file and then add the appropriate GUID for Exmon tracing. Note: This GUID should be the only piece of information in this file. Save this to the location created in Step 2.

2EACCEDF-8648-453e-9250-27F0069F71D2

7. To verify that these batch files work successfully, run start_tracing.cmd and then run tracelog -l and look for an entry called Exmon_Trace. If this is found in the list, then the tracing has been enabled as shown below.

[Screenshot: tracelog -l output listing Exmon_Trace]

8. Run stop_tracing.cmd to stop the tracing.

Method 2

Logman (Built in to the OS)


1. Create a directory called Tracing (ex. C:\tracing)

2. Create the trace log using the "Exchange Information Store" provider that Exmon tracing uses. The GUID or the name of the provider can be used as shown below.

logman create trace Exmon_Trace -p {2EACCEDF-8648-453e-9250-27F0069F71D2} -nb 3 25 -bs 3 -o c:\Tracing\

logman create trace Exmon_Trace -p "Exchange Information Store" -nb 3 25 -bs 3 -o c:\Tracing\

3. Create a start_tracing.cmd file and add the following information to the file. Save this to the location created in Step 1.

Logman start Exmon_Trace

4. Create a stop_tracing.cmd file and add the following information to the file. Save this to the location created in Step 1.

logman stop Exmon_Trace
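
The prerequisite check and Method 2 combined into one batch file, as an added example that is not part of the original article: it refuses to start unless both registry values are set to 1, creates the Exmon_Trace collection if it does not exist yet, and collects for a fixed window. The TRACE_SECONDS value and the :require helper are assumptions made for this example.

```bat
@echo off
rem Added example, not from the original article.
rem Assumptions: TRACE_SECONDS is an arbitrary window, and logman query
rem returns a nonzero exit code when the named collection does not exist.
setlocal
set "SESSION=Exmon_Trace"
set "OUTDIR=c:\Tracing"
set "PROVIDER={2EACCEDF-8648-453e-9250-27F0069F71D2}"
set "TRACE_SECONDS=300"

rem The article requires both values to be REG_DWORD 1 before tracing.
call :require "HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem" RpcEtwTracing || exit /b 1
call :require "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Trace" UsePerformanceClock || exit /b 1

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem Create the collection once; later runs reuse it.
logman query %SESSION% >nul 2>&1
if errorlevel 1 (
    logman create trace %SESSION% -p %PROVIDER% -nb 3 25 -bs 3 -o %OUTDIR%\ || exit /b 1
)

logman start %SESSION% || exit /b 1
rem ping is used as a delay so the script also works without a console
rem (for example under a scheduled task); it waits roughly TRACE_SECONDS.
ping -n %TRACE_SECONDS% 127.0.0.1 >nul
logman stop %SESSION%
exit /b %errorlevel%

:require
rem First argument: registry key. Second argument: value name.
rem Succeeds only when the value exists as REG_DWORD 0x1.
reg query %1 /v %2 2>nul | findstr /i "REG_DWORD" | findstr /e /i "0x1" >nul
if errorlevel 1 (
    echo Prerequisite not met: %~1\%2 must be REG_DWORD 1
    exit /b 1
)
exit /b 0
```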

To schedule these batch files to start and stop tracing at a particular time, you can use the schtasks.exe command. For more information on schtasks.exe syntax, follow the steps in https://support.microsoft.com/?id=814596 .

Mike