Performance data collection on Nano Server

Event tracing and Performance Counters in Windows are powerful mechanisms to debug failures, understand system behavior and improve performance. Nano Server fully supports the Event Tracing for Windows (ETW) framework, but some familiar tools used to manage tracing and performance counters may not yet be available on Nano Server. Happily, Nano Server has inbox tools and cmdlets to accomplish most common performance analysis scenarios. It just may entail using different commands and workflows than you may be used to.

Note that the high-level workflow remains the same as before — low-overhead tracing is performed on the Target (Nano Server) machine, and the resulting trace files and/or logs are post-processed offline on a separate machine using tools like the Windows Performance Analyzer, Message Analyzer, or others. This post primarily focuses on methods to record performance data without requiring any additional tools that are not part of the Nano image.

Refer to the how to copy files to and from Nano Server guide for a refresher on how to transfer files using PowerShell remoting

While it doesn’t cover every scenario, the table below lists the most common performance data collection activities along with a supported way to accomplish them on Nano Server. Click the links in the 2nd column to jump to the section with additional notes on usage.

Activity Nano Server supported
Query available Event Providers wpr.exe -providers
Record traces from a single ETW Provider Event Tracing cmdlets
Record traces from multiple ETW Providers wpr.exe -profiles
Record ETW traces during OS boot Event Tracing cmdlets
Capture Performance Counter data typeperf.exe
Interact with the Windows Event Log Get-WinEvent

Query available Event Providers

The Windows Performance Recorder is an inbox tool that be used to get this information as follows:

 wpr.exe -providers

Output can be filtered on the type of events that are of interest. Example:

PS C:\> wpr.exe -providers | select-string "Storage"

 595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e : Microsoft-Windows-StorageManagement-WSP-Host
 595f7f52-c90a-4026-a125-8eb5e083f15e : Microsoft-Windows-StorageSpaces-Driver
 69c8ca7e-1adf-472b-ba4c-a0485986b9f6 : Microsoft-Windows-StorageSpaces-SpaceManager
 7e58e69a-e361-4f06-b880-ad2f4b64c944 : Microsoft-Windows-StorageManagement
 88c09888-118d-48fc-8863-e1c6d39ca4df : Microsoft-Windows-StorageManagement-WSP-Spaces

Record traces from a single ETW Provider

The new Event Tracing Management cmdlets can used for this. Below is an example workflow.

Create and start the trace, specifying a file name for storing the events.

 PS C:\> New-EtwTraceSession -Name "ExampleTrace" -LocalFilePath c:\etrace.etl

Add a provider GUID to the trace. Use wpr.exe -providers for Provider Name to GUID translation.

PS C:\> wpr.exe -providers | select-string "Kernel-Memory"

d1d93ef7-e1f2-4f45-9943-03d245fe6c00 : Microsoft-Windows-Kernel-Memory

PS C:\> Add-EtwTraceProvider -Guid "{d1d93ef7-e1f2-4f45-9943-03d245fe6c00}" -SessionName "ExampleTrace"

Remove the trace — this stops the trace session, flushing events to the associated log file.

PS C:\> Remove-EtwTraceSession -Name "ExampleTrace"

PS C:\> dir .\etrace.etl

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2016  11:17 AM       16515072 etrace.etl

Note that while the example above shows adding a single trace provider to the session, the Add-EtwTraceProvider cmdlet can be executed multiple times on a trace session with different provider GUIDs to enable tracing from multiple sources. Another alternative is to use wpr.exe profiles described below.

Record traces from multiple ETW Providers

Windows Performance Recorder’s -profiles option enables tracing from multiple providers at the same time. You can choose from a number of builtin profiles like CPU, Network, DiskIO etc.

PS C:\Users\Administrator\Documents> wpr.exe -profiles

Microsoft Windows Performance Recorder Version 10.0.14393 (CoreSystem)
Copyright (c) 2015 Microsoft Corporation. All rights reserved.

        GeneralProfile              First level triage
        CPU                         CPU usage
        DiskIO                      Disk I/O activity
        FileIO                      File I/O activity
        Registry                    Registry I/O activity
        Network                     Networking I/O activity
        Heap                        Heap usage
        Pool                        Pool usage
        VirtualAllocation           VirtualAlloc usage
        Audio                       Audio glitches
        Video                       Video glitches
        Power                       Power usage
        InternetExplorer            Internet Explorer
        EdgeBrowser                 Edge Browser
        Minifilter                  Minifilter I/O activity
        GPU                         GPU activity
        Handle                      Handle usage
        XAMLActivity                XAML activity
        HTMLActivity                HTML activity
        DesktopComposition          Desktop composition activity
        XAMLAppResponsiveness       XAML App Responsiveness analysis
        HTMLResponsiveness          HTML Responsiveness analysis
        ReferenceSet                Reference Set analysis
        ResidentSet                 Resident Set analysis
        XAMLHTMLAppMemoryAnalysis   XAML/HTML application memory analysis
        UTC                         UTC Scenarios
        DotNET                      .NET Activity
        WdfTraceLoggingProvider     WDF Driver Activity

You can also author your own custom profiling configuration to record performance data from exactly the sources you desire. While the process of creating a custom profile is a little involved, it does provide a lot of flexibility and reusability. Detailed guidance on creating custom profiles is at the WPR.exe documentation

Record ETW traces during OS boot

Sometimes there is a need to record performance events early during boot, this is when the cmdlet New-AutologgerConfig comes in handy. Usage is very similar to New-EtwTraceSession cmdlet, just that providers added to the Autologger’s config will only enabled early at next boot. The overall workflow looks like this:

First, create a new Autologger config.

 PS C:\> New-AutologgerConfig -Name "BootPnpLog" -LocalFilePath c:\bootpnp.etl

Add a ETW provider to it. In the example below we use the Kernel PnP provider. You invoke Add-EtwTraceProvider again, specifying the same Autologger name but a different GUID to enable boot trace collection from multiple sources.

 Add-EtwTraceProvider -Guid "{9c205a39-1250-487d-abd7-e831c6290539}" -AutologgerName BootPnpLog

Note that this does not start an ETW session immediately, but rather configures one to start at next boot. After rebooting, a new ETW session with the Autologger config name is automatically started with the added trace providers enabled. After Nano Server boots up, you can stop the trace session with following command. This will stop the trace session after flushing the logged events to the associated trace file.

 PS C:\> Remove-EtwTraceSession -Name BootPnpLog

If you don’t want another trace session to be auto-created at next boot, the Autologger config can be removed.

 PS C:\> Remove-AutologgerConfig -Name BootPnpLog

If you need to collect boot and setup traces across a fleet of systems or on a diskless system, consider using Setup and Boot Event Collection — a new feature in Windows Server 2016 that also supports Nano Server targets.

Capture Performance Counter data

Another popular way to gauge how well the OS, application or driver is performing is to use Performance Counters. Usually, this data is consumed via the perfmon GUI. Typeperf.exe is its command-line equivalent that is supported on Nano Server. Below is simple example to illustrate its usage.

Query available Counters; output can be filtered to easily find the ones of interest.

PS C:\> typeperf.exe -q | Select-String "UDPv6"

\UDPv6\Datagrams Received/sec
\UDPv6\Datagrams No Port/sec
\UDPv6\Datagrams Received Errors
\UDPv6\Datagrams Sent/sec

You can specify the number of times and the interval at which Counter values are snapped. In the example below, Processor Idle Time is snapped 5 times every 3 seconds.

PS C:\> typeperf.exe "\Processor Information(0,0)\% Idle Time" -si 3 -sc 5

"(PDH-CSV 4.0)","\\venkat-ns-g2\Processor Information(0,0)\% Idle Time"
"09/15/2016 09:20:56.002","99.982990"
"09/15/2016 09:20:59.002","99.469634"
"09/15/2016 09:21:02.003","99.990081"
"09/15/2016 09:21:05.003","99.990454"
"09/15/2016 09:21:08.003","99.998577"
Exiting, please wait...
The command completed successfully.

Other command line options allow specifying Counter names of interest in a config file, redirecting output to a log file etc. Refer to the typeperf.exe documentation for details.

If you prefer using the Perfmon GUI for visualization, you can use it remotely with Nano Server targets. When adding Counters to the view, specify the Nano Server target in the computer name instead of the default .

Interact with the Windows Event Log

Nano Server supports the Get-WinEvent cmdlet, which provides powerful Windows Event Log filtering and querying capabilities, both locally as well as on a remote machine. Detailed options and examples are available at the Get-WinEvent documentation page. In the simple example below, we retrieve the Errors noted in the System log during the past two days.

PS C:\> $StartTime = (Get-Date) - (New-TimeSpan -Day 2)
PS C:\> Get-WinEvent -FilterHashTable @{LogName='System'; Level=2; StartTime=$StartTime} | select TimeCreated, Message

TimeCreated Message
----------- -------
9/15/2016 11:31:19 AM Task Scheduler service failed to start Task Compatibility module. Tasks may not be able to reg...
9/15/2016 11:31:16 AM The Virtualization Based Security enablement policy check at phase 6 failed with status: {File...
9/15/2016 11:31:16 AM The Virtualization Based Security enablement policy check at phase 0 failed with status: {File...

Nano Server also supports wevtutil.exe which allows you to retrieve information about event logs and publishers. Refer to wevtutil.exe documentation for more details.

If you love GUIs, we’ve got you covered as well. Web-based Server management tools can be used to remotely manage Nano Server targets and present a Nano Server Event Log via a web browser. Finally, if familiarity trumps all, you can still use the trusty old Event Viewer (eventvwr.msc) to view logs — just open it on a machine with a desktop and point it to a remote Nano Server machine!

Feedback appreciated

That’s it for this post, hope you found it useful. As always, please be generous with your feedback and let us know if you would like to see any scenario or favorite perf tool enabled to make Nano Server even better!