Sampleperfmonlog Pal Analysis 20170906161132

Analysis of "SamplePerfmonLog.
blg"
Report Generated at: 2017.09.06-16:13:06
PALv2
On This Page
Tool Parameters
Alerts by Chronological Order
o 2007.08.14-15:40:38 - 2007.08.14-15:41:38 (Alerts: 7|3)
o 2007.08.14-15:41:38 - 2007.08.14-15:42:38 (Alerts: 7|28)
o 2007.08.14-15:42:38 - 2007.08.14-15:43:38 (Alerts: 1|12)
o 2007.08.14-15:43:38 - 2007.08.14-15:44:38 (Alerts: 6|29)
o 2007.08.14-15:44:38 - 2007.08.14-15:45:38 (Alerts: 6|23)
o 2007.08.14-15:45:38 - 2007.08.14-15:46:38 (Alerts: 1|13)
o 2007.08.14-15:46:38 - 2007.08.14-15:47:38 (Alerts: 1|9)
o 2007.08.14-15:47:38 - 2007.08.14-15:48:38 (Alerts: 1|6)
o 2007.08.14-15:48:38 - 2007.08.14-15:49:38 (Alerts: 4|5)
o 2007.08.14-15:49:38 - 2007.08.14-15:49:58 (Alerts: 1|9)
LogicalDisk
o LogicalDisk Disk Overwhelmed (Alerts: 1|1)
o LogicalDisk % Free Space (Alerts: 0|0)
o LogicalDisk Avg. Disk sec/Read (Alerts: 3|1)
o LogicalDisk Avg. Disk sec/Write (Alerts: 0|2)

o LogicalDisk % Idle Time (Alerts: 0|0)
o LogicalDisk Disk Transfers/sec (Stats only)
o LogicalDisk Read/Write Ratio (Stats only)
o LogicalDisk Bytes/Read (Alerts: 0|0)
o LogicalDisk Bytes/Write (Alerts: 0|3)
o LogicalDisk Avg. Disk Queue Length (Alerts: 0|1)
o LogicalDisk Current Disk Queue Length (Alerts: 0|0)
o LogicalDisk Disk Bytes/sec (Stats only)
o LogicalDisk Free Megabytes (Alerts: 0|0)
o LogicalDisk Avg. Disk sec/Transfer (Alerts: 2|1)
Memory
o Memory Available MBytes (Alerts: 10| 0)
o Memory Free System Page Table Entries (Alerts: 0|0)
o Memory Pool Non-Paged Bytes (Alerts: 0|0)
o Memory Pool Paged Bytes (Alerts: 0|0)
o Memory Pages/sec (Alerts: 0|0)
o Memory System Cache Resident Bytes (Alerts: 0|0)
o Memory % Committed Bytes In Use (Alerts: 0|0)
o Memory Pages Output/sec (Stats only)
o Memory Transition Pages RePurposed/sec (Stats only)
o Memory Committed Bytes (Stats only)
o Memory Commit Limit (Stats only)

o Memory Pages Input/sec (Alerts: 0|0)
o Memory Free & Zero Page List Bytes (Stats only)
o Memory Pool Paged Resident Bytes (Stats only)
Network Interface
o Network Interface % Network Utilization (Alerts: 0|0)
o Network Interface Output Queue Length (Alerts: 0|0)
o Network Interface % Network Utilization Sent (Alerts: 0|0)
o Network Interface % Network Utilization Received (Alerts: 0|0)
o Network Interface Packets Outbound Errors (Alerts: 0|0)
o Network Interface Bytes Total/sec (Stats only)
o Network Interface Current Bandwidth (Alerts: 0|10)
o Network Interface Packets/sec (Stats only)
o Network Interface Packets Sent/sec (Stats only)
o Network Interface Packets Received/sec (Stats only)
PhysicalDisk
o PhysicalDisk Read Latency Analysis (Alerts: 3|1)
o PhysicalDisk Write Latency Analysis (Alerts: 0|2)
o PhysicalDisk Current Disk Queue Length (Alerts: 0|0)
o PhysicalDisk Avg. Disk Queue Length (Alerts: 0|1)
o PhysicalDisk Disk Bytes/sec (Stats only)
Process
o Process Private Bytes (Alerts: 0|5)

o Process Handle Count (Alerts: 0|78)
o Process Thread Count (Alerts: 0|14)
o Process Working Set (Alerts: 0|6)
o Process % Processor Time (Alerts: 0|0)
o Process Virtual Bytes (Alerts: 0|0)
o Process IO Data Operations/sec (Alerts: 0| 1)
o Process IO Other Operations/sec (Alerts: 0|0)
o Process ID Process (Stats only)
o Process IO Read Operations/sec (Alerts: 0|0)
o Process IO Write Operations/sec (Alerts: 0|0)
o Process % Privileged Time (Alerts: 4|1)
Processor
o Processor % Processor Time (Alerts: 4|4)
o Processor % Privileged Time (Alerts: 8|4)
o Processor % Interrupt Time (Alerts: 0|0)
o Processor % DPC Time (Alerts: 0|0)
o Processor % User Time (Stats only)
o Processor DPC Rate (Stats only)
System
o System Processor Queue Length (Alerts: 0|1)
o System System Calls/sec (Stats only)
TCPv4
o TCPv4 Connection Failures (Alerts: 0|0)
Incomplete analyses
Disclaimer
Back to the top
Tool Parameters:
Name Value
Log Time Range: 2007.08.14-15:40:38 - 2007.08.14-15:50:38
Log(s): C:\Program Files\PAL\PAL\SamplePerfmonLog.blg
AnalysisInterval: 20 second(s)
Threshold File: C:\Program Files\PAL\PAL\SystemOverview.xml
AllCounterStats: $False
NumberOfThreads: 4
IsLowPriority: $False
DisplayReport: True
Script Execution Duration: 00:01:40.0429685
Interval: AUTO
UserVa: 2048
OS: 64-BIT WINDOWS 8
PhysicalMemory: 12
Back to the top
Alerts by
Chronological Order
Description: This section displays all of the alerts in chronological order.
Alerts
An alert is generated if any of the thresholds were broken during
one of the time ranges analyzed. The background of each of the
values represents the highest priority threshold that the value broke.
See each of the counter's respective analysis section for more details
about what the threshold means.
Time Range
2007.08.14-
15:40:38 -
Condition Counter Min Avg Max Hourly Trend
2007.08.14-
15:41:38
More than 100
data IO
operations
\\ZACH-PC\Process(AppSvc32)\IO
(network, 937 937 937 0
Data Operations/sec
disk, or device
IO) per
second
More than
20% of overall \\ZACH-PC\Processor(_Total)\%

82 82 82 0
kernel mode Processor Time
time
More than
20% of overall \\ZACH-PC\Processor(0)\%

82 82 82 0
time
Less than 5
percent of
RAM is
\\ZACH-PC\Memory\Available
available or 79 79 79 0
MBytes
less than 64
MB of RAM is
available
More than
80% \\ZACH-PC\Processor(_Total)\%
82 82 82 0
processor Processor Time
utilization
More than \\ZACH-PC\Processor(0)\% 82 82 82 0

80%
utilization
More than
30%
\\ZACH-PC\Processor(_Total)\%
privileged 44 44 44 0
Privileged Time
(kernel) mode
CPU usage
More than
30%
\\ZACH-PC\Processor(0)\%
Privileged Time
(kernel) mode
CPU usage
Greater than
or equal to 64
KB IO sizes.
Generally, the
larger the IO
size, the more

\\ZACH-PC\LogicalDisk(C:)\Avg.
data can be 178,086 178,086 178,086 0
Disk Bytes/Write
transferred
per second,
but the
response
times are
longer.
Less than 1 \\ZACH-PC\Network Interface(VIA
Gbps Rhine II Fast Ethernet 10,000,000 10,000,000 10,000,000 0
connection Adapter)\Current Bandwidth
2007.08.14-
15:41:38 -
2007.08.14-
15:42:38
Increasing \\ZACH- 8,269,824 8,269,824 8,269,824 567,705,600
trend of more PC\Process(rundll32#1)\Private
than 100 MB Bytes
per hour -
may not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
\\ZACH-
than 100 2,205 2,205 2,205 180
PC\Process(System)\Handle Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 56 56 56 720
PC\Process(ApntEx)\Handle Count
handles per
hour
Increasing
trend of more
\\ZACH-PC\Process(lsass)\Handle
than 100 599 599 599 1,260
Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 321 321 321 720
PC\Process(taskeng)\Handle Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 98 98 98 180
PC\Process(taskmgr)\Handle Count
handles per
hour
Increasing
trend of more \\ZACH-
than 100 PC\Process(svchost#8)\Handle 274 274 274 180
handles per Count
hour
Increasing \\ZACH- 396 396 396 1,800
trend of more PC\Process(svchost#7)\Handle
than 100 Count
handles per
hour
Increasing
handles per Count
hour
Increasing
than 100 PC\Process(rundll32#1)\Handle 307 307 307 23,760
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 224 224 224 180
PC\Process(rundll32)\Handle Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 689 689 689 540
PC\Process(explorer)\Handle Count
handles per
hour
Increasing
trend of more
\\ZACH-PC\Process(dwm)\Handle
than 100 82 82 82 180
Count
handles per
hour
Increasing
trend of more
\\ZACH-PC\Process(mmc)\Handle
than 100 362 362 362 3,060
Count
handles per
hour
Increasing \\ZACH- 17 17 17 180
trend of more PC\Process(SearchIndexer)\Thread
than 100 Count
threads per
hour - may
not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-PC\Process(lsass)\Thread

11 11 11 180
not be Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-

16 16 16 180
not be PC\Process(taskeng)\Thread Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
\\ZACH-
hour - may
PC\Process(svchost#7)\Thread 19 19 19 180
not be
Count
accurate on
counter logs
of less than 1
hour
trend of more PC\Process(rundll32#1)\Thread
than 100 Count
threads per
hour - may
not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-

4 4 4 180
not be PC\Process(rundll32)\Thread Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-PC\Process(dwm)\Thread

4 4 4 180
not be Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-PC\Process(mmc)\Thread

15 15 15 360
not be Count
accurate on
counter logs
of less than 1
hour
Increasing \\ZACH- 13,156,352 13,156,352 13,156,352 569,917,440
trend of more PC\Process(rundll32#1)\Working
than 100 MB Set
per hour -
may not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100 MB
per hour -
\\ZACH-PC\Process(mmc)\Working
may not be 14,532,608 14,532,608 14,532,608 179,896,320
Set
accurate on
counter logs
of less than 1
hour
More than
20% of overall \\ZACH-PC\Processor(_Total)\%

87 87 87 900
time
More than
20% of overall \\ZACH-PC\Processor(0)\%

87 87 87 900
time
Less than 5
percent of
RAM is
available or 107 107 107 5,040
MBytes
less than 64
MB of RAM is
available
More than
87 87 87 900
utilization
More than
80% \\ZACH-PC\Processor(0)\%
87 87 87 900
utilization
More than \\ZACH-PC\Processor(_Total)\% 46 46 46 360
30% Privileged Time

privileged
(kernel) mode
CPU usage
More than
30%
Privileged Time
(kernel) mode
CPU usage
More than 2
ready threads
\\ZACH-PC\System\Processor
are queued for 10 10 10 1,080
Queue Length
each
processor
Greater than
15 ms
physical disk \\ZACH-PC\PhysicalDisk(0 C:)\Avg.

.016 .016 .016 1
READ Disk sec/Read
response
times
Greater than
15 ms logical
disk READ .016 .016 .016 1
Disk sec/Read
response
times
2007.08.14-
15:42:38 -
2007.08.14-
15:43:38
Increasing \\ZACH- 8,429,568 8,429,568 8,429,568 298,229,760
trend of more PC\Process(rundll32#1)\Private
than 100 MB Bytes
per hour -
may not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
\\ZACH-
than 100 319 319 319 180
handles per
hour
Increasing
handles per Count
hour
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 689 689 689 270
handles per
hour
Increasing
trend of more
than 100 360 360 360 1,350
Count
handles per
hour
Increasing
trend of more
than 100
threads per
\\ZACH-
hour - may
PC\Process(rundll32#1)\Thread 8 8 8 450
not be
Count
accurate on
counter logs
of less than 1
hour
Increasing \\ZACH-PC\Process(mmc)\Thread 15 15 15 180

trend of more
than 100
threads per
hour - may
not be Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100 MB
per hour - \\ZACH-
may not be PC\Process(rundll32#1)\Working 13,455,360 13,455,360 13,455,360 311,869,440
accurate on Set
counter logs
of less than 1
hour
Less than 5
percent of
RAM is
available or 172 172 172 8,370
MBytes
less than 64
MB of RAM is
available
More than
20%
privileged 30 30 30 -1,260
Privileged Time
(kernel) mode
CPU usage
More than
20%
privileged 30 30 30 -1,260
Privileged Time
(kernel) mode
CPU usage

2007.08.14-
15:43:38 -
2007.08.14-
15:44:38
Increasing
trend of more
than 100 MB
per hour - \\ZACH-
may not be PC\Process(AppSvc32)\Private 34,701,312 34,701,312 34,701,312 1,519,534,080
accurate on Bytes
counter logs
of less than 1
hour
Increasing
trend of more
than 100 MB
per hour - \\ZACH-
may not be PC\Process(rundll32#1)\Private 10,326,016 10,326,016 10,326,016 312,606,720
accurate on Bytes
counter logs
of less than 1
hour
Increasing
than 100 PC\Process(SearchIndexer)\Handle 635 635 635 120
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 2,206 2,206 2,206 120
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 338 338 338 600
PC\Process(csrss#1)\Handle Count
handles per
hour
Increasing \\ZACH-PC\Process(lsass)\Handle 602 602 602 600

trend of more
than 100
Count
handles per
hour
Increasing
handles per Count
hour
Increasing
handles per Count
hour
Increasing
handles per Count
hour
Increasing
than 100 PC\Process(AppSvc32)\Handle 303 303 303 1,260
handles per Count
hour
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 692 692 692 360
handles per
hour
Increasing \\ZACH- 241 241 241 1,320
trend of more PC\Process(WmiPrvSE)\Handle
than 100 Count
handles per
hour
Increasing
than 100 PC\Process(ccSvcHst)\Handle 689 689 689 240
handles per Count
hour
Increasing
trend of more
\\ZACH-PC\Process(lsm)\Handle
than 100 142 142 142 180
Count
handles per
hour
Increasing
trend of more
than 100 364 364 364 1,140
Count
handles per
hour
Increasing
trend of more
than 100
threads per
\\ZACH-
hour - may
PC\Process(SearchIndexer)\Thread 18 18 18 120
not be
Count
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100
threads per
\\ZACH-
hour - may
PC\Process(rundll32#1)\Thread 7 7 7 240
not be
Count
accurate on
counter logs
of less than 1
hour
Increasing \\ZACH-PC\Process(mmc)\Thread 15 15 15 120
trend of more Count

than 100
threads per
hour - may
not be
accurate on
counter logs
of less than 1
hour
Increasing
trend of more
than 100 MB
per hour - \\ZACH-
may not be PC\Process(AppSvc32)\Working 34,508,800 34,508,800 34,508,800 1,942,241,280
accurate on Set
counter logs
of less than 1
hour
Increasing
trend of more
than 100 MB
per hour - \\ZACH-
may not be PC\Process(rundll32#1)\Working 15,470,592 15,470,592 15,470,592 328,826,880
accurate on Set
counter logs
of less than 1
hour
Less than 5
percent of
RAM is
available or 150 150 150 4,260
MBytes
less than 64
MB of RAM is
available
More than
57 57 57 -1,500
utilization
More than \\ZACH-PC\Processor(0)\% 57 57 57 -1,500
50% Processor Time

processor
utilization
More than
30%
privileged 34 34 34 -600
Privileged Time
(kernel) mode
CPU usage
More than
30%
Privileged Time
(kernel) mode
CPU usage
Greater than
25 ms

.039 .039 .039 2
READ Disk sec/Read
response
times
Greater than
15 ms

.017 .017 .017 0
WRITE Disk sec/Write
response
times
Greater than
25 ms logical
disk READ .039 .039 .039 2
Disk sec/Read
response
times
Greater than
15 ms logical
disk WRITE .017 .017 .017 0
Disk sec/Write
response
times
Greater than \\ZACH-PC\LogicalDisk(C:)\Avg. 240,917 240,917 240,917 3,769,860
or equal to 64 Disk Bytes/Write
KB IO sizes.
Generally, the
larger the IO
size, the more
data can be
transferred
per second,
but the
response
times are
longer.
More than 2
IOs are \\ZACH-PC\LogicalDisk(C:)\Avg.

3 3 3 180
waiting on the Disk Queue Length
logical disk
More than 2
I/O's are \\ZACH-PC\PhysicalDisk(0 C:)\Avg.

3 3 3 180
waiting on the Disk Queue Length
physical disk
Greater than
25 ms logical \\ZACH-PC\LogicalDisk(C:)\Avg.
.037 .037 .037 2
disk response Disk sec/Transfer
times
2007.08.14-
15:44:38 -
2007.08.14-
15:45:38
Increasing
trend of more
\\ZACH-
than 100 341 341 341 585
handles per
hour
Increasing
trend of more
\\ZACH-PC\Process(csrss)\Handle
than 100 572 572 572 135
Count
handles per
hour
Increasing
trend of more
than 100 597 597 597 225
Count
handles per
hour
Increasing
trend of more
\\ZACH-PC\Process(ccApp)\Handle
than 100 535 535 535 225
Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 123 123 123 495
PC\Process(audiodg)\Handle Count
handles per
hour
Increasing
handles per Count
hour
Increasing
handles per Count
hour
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 690 690 690 180
handles per
hour
trend of more PC\Process(WmiPrvSE)\Handle
than 100 Count

handles per
hour
Increasing
handles per Count
hour
Increasing
trend of more
than 100 84 84 84 135
Count
handles per
hour
Increasing
trend of more
than 100 145 145 145 270
Count
handles per
hour
Increasing
trend of more
than 100 359 359 359 630
Count
handles per
hour
Increasing
trend of more
than 100 MB
per hour -
\\ZACH-
may not be 3,403,776 3,403,776 3,403,776 115,752,960
PC\Process(ccApp)\Working Set
accurate on
counter logs
of less than 1
hour
More than
10% of overall \\ZACH-PC\Process(mmc)\%

34 34 34 1,440
kernel mode Privileged Time
time
Less than 5 \\ZACH-PC\Memory\Available 127 127 127 2,160
percent of MBytes
RAM is
available or
less than 64
MB of RAM is
available
More than
60 60 60 -990
utilization
More than
50% \\ZACH-PC\Processor(0)\%
60 60 60 -990
utilization
More than
30%
Privileged Time
(kernel) mode
CPU usage
More than
30%
Privileged Time
(kernel) mode
CPU usage
Disk
overwhelmed:
Avg Disk
Queue Length
is greater than
1 and
response
\\ZACH-PC\LogicalDisk(C:)\Disk
times are 2 2 2 90
Overwhelmed
greater than
25 ms for IO
sizes of 64 KB
or smaller or
35 ms for IO
sizes greater
than 64 KB.
Greater than \\ZACH-PC\PhysicalDisk(0 C:)\Avg. .026 .026 .026 1

25 ms
physical disk
READ Disk sec/Read
response
times
Greater than
15 ms

.016 .016 .016 0
WRITE Disk sec/Write
response
times
Greater than
25 ms logical
disk READ .026 .026 .026 1
Disk sec/Read
response
times
Greater than
15 ms logical
disk WRITE .016 .016 .016 0
Disk sec/Write
response
times
Greater than
or equal to 64
KB IO sizes.
Generally, the
larger the IO
size, the more

data can be 248,858 248,858 248,858 3,184,740
Disk Bytes/Write
transferred
per second,
but the
response
times are
longer.
Greater than \\ZACH-PC\LogicalDisk(C:)\Avg. .025 .025 .025 1

15 ms logical
times
2007.08.14-
15:45:38 -
2007.08.14-
15:46:38
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 2,208 2,208 2,208 144
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 332 332 332 144
handles per
hour
Increasing
trend of more
than 100 575 575 575 216
Count
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 320 320 320 108
handles per
hour
Increasing
handles per Count
hour

trend of more
than 100 PC\Process(svchost#3)\Handle
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 690 690 690 144
handles per
hour
Increasing
trend of more
than 100 360 360 360 540
Count
handles per
hour
Less than 5
percent of
RAM is
available or 212 212 212 4,788
MBytes
less than 64
MB of RAM is
available
More than
20%
Privileged Time
(kernel) mode
CPU usage
More than
20%
Privileged Time
(kernel) mode
CPU usage
Disk \\ZACH-PC\LogicalDisk(C:)\Disk 1 1 1 36
approaching Overwhelmed
overwhelmed:
Avg Disk
Queue Length
is greater than
1 and
response
times are
greater than
15 ms
2007.08.14-
15:46:38 -
2007.08.14-
15:47:38
Increasing
trend of more
than 100 MB
per hour -
\\ZACH-
may not be 57,470,976 57,470,976 57,470,976 619,560,960
PC\Process(explorer)\Private Bytes
accurate on
counter logs
of less than 1
hour
Increasing
than 100 PC\Process(SearchIndexer)\Handle 676 676 676 1,290
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 344 344 344 480
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 322 322 322 150
handles per
hour
than 100 Count

handles per
hour
Increasing
trend of more
\\ZACH-
than 100 748 748 748 1,860
handles per
hour
Increasing
trend of more
than 100 360 360 360 450
Count
handles per
hour
Increasing
trend of more
than 100
threads per
hour - may \\ZACH-

37 37 37 210
not be PC\Process(explorer)\Thread Count
accurate on
counter logs
of less than 1
hour
Less than 5
percent of
RAM is
available or 191 191 191 3,360
MBytes
less than 64
MB of RAM is
available
2007.08.14-
15:47:38 -
2007.08.14-
15:48:38
trend of more PC\Process(SearchIndexer)\Handle

than 100
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 341 341 341 334
handles per
hour
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 690 690 690 103
handles per
hour
Increasing
trend of more
than 100 362 362 362 437
Count
handles per
hour
Less than 5
percent of
RAM is
available or 191 191 191 2,880
MBytes
less than 64
MB of RAM is
available
2007.08.14-
15:48:38 -
2007.08.14-
15:49:38

trend of more
than 100 PC\Process(SearchIndexer)\Handle
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 342 342 342 315
handles per
hour
Increasing
handles per Count
hour
Increasing
trend of more
than 100 360 360 360 338
Count
handles per
hour
Less than 5
percent of
RAM is
available or 195 195 195 2,610
MBytes
less than 64
MB of RAM is
available
Greater than
25 ms

.048 .048 .048 1
READ Disk sec/Read
response
times
Greater than
25 ms logical
disk READ .048 .048 .048 1
Disk sec/Read
response
times
Less than 1 \\ZACH-PC\Network Interface(VIA 10,000,000 10,000,000 10,000,000 0

Gbps Rhine II Fast Ethernet
Greater than
25 ms logical \\ZACH-PC\LogicalDisk(C:)\Avg.
.035 .035 .035 1
times
2007.08.14-
15:49:38 -
2007.08.14-
15:49:58
Increasing
handles per Count
hour
Increasing
trend of more
\\ZACH-
than 100 344 344 344 320
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 326 326 326 180
handles per
hour
Increasing
trend of more
\\ZACH-
than 100 124 124 124 240
PC\Process(audiodg)\Handle Count
handles per
hour
Increasing
handles per Count
hour
than 100 Count

handles per
hour
Increasing
handles per Count
hour
Increasing
trend of more
than 100 360 360 360 300
Count
handles per
hour
Less than 5
percent of
RAM is
available or 192 192 192 2,260
MBytes
less than 64
MB of RAM is
available
LogicalDisk
LogicalDisk Disk Overwhelmed

Description: This analysis is an attempt to determine if a logical disk is overwhelmed by making a complicated
formula into a simple good (green), warning (yellow), or critical (red) status.
This analysis takes into consideration the workload of the disk queue, the size of the IO, and the response times to
compute a good or bad condition in regards to if the disk is overwhelmed or not. If Avg Disk Queue Length is
greater than 1 and response times are greater than 25 ms for IO sizes of 64 KB or smaller or 35 ms for IO sizes
greater than 64 KB, then the disk is overwhelmed. The reasoning is that the disk has a nearly constant IO demand
(Avg Disk Queue Length is a calculation of Transfers/sec and sec/Transfer) and the response times are higher
than what it would take a 7200 RPM disk drive to return the appropriate IO sizes. This analysis requires
\LogicalDisk(*)\Avg. Disk Queue Length, \LogicalDisk(*)\Avg. Disk Bytes/Transfer, and

\LogicalDisk(*)\Avg. Disk sec/Transfer counters to be in the counter log. Instances of _Total are ignored
because they are aggregates of all counter instances.
If the PAL generated counter of \LogicalDisk(*)\Disk Overwhelmed has a value of 1 (Warning), then it means
that the Avg Disk Queue Length is greater than 1 and the response times (Avg. Disk sec/Transfer) are greater
than 15 ms. If this counter has a value of 2 (Critical), then it means thatAvg Disk Queue Length is greater than
1 and the response times are greater than 25 ms for IO of 64 KB or smaller and 35 ms for IO sizes greater than 64
KB.
Overall Counter Instance Statistics
10% of 20% of 30% of
\LogicalDisk(*)\Disk Hourly Std
Condition Min Avg Max Outliers Outliers Outliers
Overwhelmed Trend Deviation
Removed Removed Removed
Disk
overwhelmed:
Avg Disk
Queue Length
is greater than
1 and response
times are
ZACH-PC/C: 0 .27 2 0 .65 .1 0 0
greater than 25
ms for IO sizes
of 64 KB or
smaller or 35
ms for IO sizes
greater than 64
KB.
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
Alerts
Time Range
2007.08.14-
15:44:38 - Hourly
Condition Counter Min Avg Max
2007.08.14- Trend
15:45:38
Disk overwhelmed: Avg Disk Queue
Length is greater than 1 and response \\ZACH-
times are greater than 25 ms for IO PC\LogicalDisk(C:)\Disk 2 2 2 90
sizes of 64 KB or smaller or 35 ms for Overwhelmed
IO sizes greater than 64 KB.
2007.08.14-
15:45:38 - Hourly
2007.08.14- Trend
15:46:38
Disk approaching overwhelmed: Avg
\\ZACH-
Disk Queue Length is greater than 1
PC\LogicalDisk(C:)\Disk 1 1 1 36
and response times are greater than
Overwhelmed
15 ms
Back to the top
LogicalDisk % Free Space

Description: % Free Space is the percentage of total usable space on the selected logical disk drive that was free.
Low to no free disk space can cause severe disk performance problems.This analysis checks for less than 10% free
disk space (Warning alert) and less than 5% free disk space (Critical alert).
10% of 20% of 30% of
\LogicalDisk(*)\% Hourly Std
Free Space Trend Deviation
OK ZACH-PC/C: 75 75 75 0 0 75 75 75
Alerts
No Alerts Found
Back to the top
LogicalDisk Avg. Disk sec/Read

Description: Avg. Disk sec/Read is the average time, in seconds, of a read of data to the disk. This analysis
determines if any of the logical disks are responding slowly.
The following thresholds are based on the access times of 5400 RPM disk drives. Hard drives that are faster than
5400 RPM such as 7200 RPM and solid state drives should have faster response times. Occasional spikes above 25
ms are normal.
If the response times are less than 0.015 (15 milliseconds), then the disk subsystem is keeping up with
demand.
If the response times are greater than 0.025 (25 milliseconds), then the disk subsystem is likely overwhelmed.
Reference:
Ruling Out Disk-Bound Problems
http://technet.microsoft.com/en-us/library/5bcdd349-dcc6-43eb-9dc3-54175f7061ad.aspx
10% of 20% of 30% of
\LogicalDisk(*)\Avg. Hourly Std
Disk sec/Read Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
Greater ZACH-PC/C: .005 .018 .048 0 .015 .014 .011 .009
than 25 ms
logical disk
READ
response
times
Alerts
Time Range
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
Greater than 15 ms \\ZACH-
logical disk READ PC\LogicalDisk(C:)\Avg. Disk .016 .016 .016 1
response times sec/Read
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
2007.08.14-15:48:38 - Hourly
2007.08.14-15:49:38 Trend
Back to the top
LogicalDisk Avg. Disk sec/Write

Description: Avg. Disk sec/Write is the average time, in seconds, of a read of data to the disk. This analysis
determines if any of the logical disks are responding slowly.
The following thresholds are based on the access times of 5400 RPM disk drives. Hard drives that are faster than
5400 RPM such as 7200 RPM and solid state drives should have faster response times. Occasional spikes above 25
ms are normal.
If the response times are less than 0.015 (15 milliseconds), then the disk subsystem is keeping up with
demand.
Reference:
10% of 20% of 30% of
Disk sec/Write Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
Greater than
15 ms
logical disk
ZACH-PC/C: 0 .006 .017 0 .007 .005 .003 .002
WRITE
response
times
Alerts
Time Range
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
logical disk WRITE PC\LogicalDisk(C:)\Avg. Disk .017 .017 .017 0
response times sec/Write
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend

logical disk WRITE PC\LogicalDisk(C:)\Avg. Disk .016 .016 .016 0
response times sec/Write
Back to the top
LogicalDisk % Idle Time

Description: % Idle Time reports the percentage of time during the sample interval that the disk was idle.
This analysis checks for a % Idle Time of less than 10. Zero (0) indicates that the disk contstanly has at least 1
outstanding I/O in the queue.
Reference:

10% of 20% of 30% of
\LogicalDisk(*)\% Hourly Std
Idle Time Trend Deviation
ZACH-
OK 100 100 100 0 0 100 100 100
PC/HarddiskVolume1
OK ZACH-PC/C: 53 77 99 280 17 75 72 70
Alerts
No Alerts Found
Back to the top
LogicalDisk Disk Transfers/sec

Description: Disk Transfers/sec is the rate of read and write operations on the disk and is the number of IO
operations per second (IOPS) according to the operating system. If hardware RAID is used, then keep in mind that
the hardware IOPS will be different. For example, hardware RAID1 (mirror set) will have hardware IOPS of (1 x
Read) + (2 x Write).
10% of 20% of 30% of
Transfers/sec Trend Deviation
No ZACH-
0 0 0 0 0 0 0 0
Thresholds PC/HarddiskVolume1
No
ZACH-PC/C: 5 43 83 -380 26 38 34 30
Thresholds
Alerts
No Alerts Found
Back to the top
LogicalDisk Read/Write Ratio

Description: This analysis shows the ratio of reads to writes for each logical disk. For example, a value of 25
means 25 percent of all of the I/O per second is read I/O and 75 percent is write I/O.
10% of 20% of 30% of
\LogicalDisk(*)\Read Hourly Std
Write Ratio Trend Deviation
No
ZACH-PC/C: 0 72 97 -260 32 69 67 64
Thresholds
No ZACH-
0 0 0 0 0 0 0 0
10% of 20% of 30% of
Reads/sec Trend Deviation
No ZACH-
0 0 0 0 0 0 0 0
No
ZACH-PC/C: 1 38 79 -380 26 33 29 25
Thresholds
10% of 20% of 30% of

Writes/sec Trend Deviation
No ZACH-
0 0 0 0 0 0 0 0
No
ZACH-PC/C: 2 5 6 0 1 5 4 4
Thresholds
Alerts
No Alerts Found
Back to the top
LogicalDisk Bytes/Read
Description: This analysis shows the size of logical disk reads per second. The size of an I/O request packets
(IRP) can have a direct affect on the average response times from the disk. This analysis checks for I/O request
sizes of 64 KB or larger. Correlate this analysis with the Avg. Disk Sec/Read and Avg. Disk Sec/Write analyses.
References:
How to Speak SAN-ish

10% of 20% of 30% of
Disk Bytes/Read Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
-
OK ZACH-PC/C: 7,358 19,286 42,033 11,010 16,758 15,275 13,541
99,340
Alerts
No Alerts Found
Back to the top
LogicalDisk Bytes/Write
Description: This analysis shows the size of logical disk writes per second. The size of an I/O request packets
(IRP) can have a direct affect on the average response times from the disk. This analysis checks for I/O request
sizes of 64 KB or larger. Correlate this analysis with the Avg. Disk Sec/Read and Avg. Disk Sec/Write analyses.
Reference:

10% of 20% of 30% of
Disk Bytes/Write Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
Greater ZACH-PC/C: 7,803 72,733 248,858 - 105,035 53,163 29,694 8,495
than or 3,391,700
equal to 64
KB IO
sizes.
Generally,
the larger
the IO size,
the more
data can be
transferred
per second,
but the
response
times are
longer.
Alerts
Time Range
2007.08.14-
15:40:38 - Hourly
2007.08.14- Trend
15:41:38
Greater than or equal to
64 KB IO sizes.
Generally, the larger the \\ZACH-
IO size, the more data PC\LogicalDisk(C:)\Avg. 178,086 178,086 178,086 0
can be transferred per Disk Bytes/Write
second, but the response
times are longer.
2007.08.14-
15:43:38 - Hourly
2007.08.14- Trend
15:44:38
Greater than or equal to \\ZACH- 240,917 240,917 240,917 3,769,860
64 KB IO sizes. PC\LogicalDisk(C:)\Avg.
Generally, the larger the Disk Bytes/Write
IO size, the more data
can be transferred per

times are longer.
2007.08.14-
15:44:38 - Hourly
2007.08.14- Trend
15:45:38
Greater than or equal to
64 KB IO sizes.
Generally, the larger the \\ZACH-
IO size, the more data PC\LogicalDisk(C:)\Avg. 248,858 248,858 248,858 3,184,740
can be transferred per Disk Bytes/Write
times are longer.
Back to the top
LogicalDisk Avg. Disk Queue Length

Description: Avg. Disk Queue Length is the average number of both read and write requests that were queued or
"in-flight" for the selected disk during the sample interval.
This counter typically has a threshold of number of spindles + 2. Due to disk virtualization, it is difficult to
determine the true number of physical spindles behind a logical disk or LUN, therefore this threshold is not a direct
indicator of a disk performance problem.
This analysis uses a Warning alert for an average disk queue length greater than 2, but correlate this value with
disk latency (Avg. Disk sec/Transfer).
References:

10% of 20% of 30% of
Disk Queue Length Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
More than 2 ZACH-PC/C: 0 1 3 0 1 1 0 0
IOs are
waiting on
the logical
disk
Alerts
Time Range
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
More than 2 IOs are

waiting on the logical 3 3 3 180
Disk Queue Length
disk
Back to the top
LogicalDisk Current Disk Queue Length

Description: Current Disk Queue Length is the number of requests outstanding on the disk at the time the
performance data is collected. It also includes requests in service at the time of the collection. This is a
instantaneous snapshot, not an average over the time interval. Multi-spindle disk devices can have multiple
requests that are active at one time, but other concurrent requests are awaiting service. This counter might reflect
a transitory high or low queue length, but if there is a sustained load on the disk drive, it is likely that this will be
consistently high. Requests experience delays proportional to the length of this queue minus the number of
spindles on the disks.
This analysis checks if the number of I/O request packets (IRPs) in the disk queue are at 32 or higher. Many SAN
vendors use 32 as a default setting for the Host Bus Adapter (HBA) which interfaces into the fibre channel network
to connect to one or more SANs. If the queue depth (simultaneous in-flight I/O) is reached frequently, then the
queue depth might need to be increased.
Reference:

10% of 20% of 30% of
\LogicalDisk(*)\Current Hourly Std
OK ZACH-PC/HarddiskVolume1 0 0 0 0 0 0 0 0
OK ZACH-PC/C: 1 1 2 -60 0 1 1 1
Alerts
No Alerts Found
Back to the top
LogicalDisk Disk Bytes/sec

Description: Disk Bytes/sec is the rate bytes are transferred to or from the disk during write or read operations. A
mirror pair (RAID1) 7200 RPM disk drives can deliver roughly 20 MB per second throughput.
Condition Min Avg Max 10% of 20% of 30% of
Outliers Outliers Outliers
Bytes/sec Trend Deviation
No ZACH-
0 0 0 0 0 0 0 0
No -
ZACH-PC/C: 43,963 1,143,913 2,453,652 937,980 998,386 819,812 655,214
Thresholds 25,322,080
Alerts
No Alerts Found
Back to the top
LogicalDisk Free Megabytes

Description: Free Megabytes displays the unallocated space, in megabytes, on the disk drive in megabytes. One
megabyte is equal to 1,048,576 bytes.

10% of 20% of 30% of
\LogicalDisk(*)\Free Hourly Std
Megabytes Trend Deviation
OK ZACH-PC/C: 54,487 54,488 54,488 -20 1 54,488 54,487 54,487
Alerts
No Alerts Found
Back to the top
LogicalDisk Avg. Disk sec/Transfer

Description: Avg. Disk sec/Transfer is the time, in seconds, of the average disk transfer.

10% of 20% of 30% of
Disk sec/Transfer Trend Deviation
ZACH-
OK 0 0 0 0 0 0 0 0
PC/HarddiskVolume1
Greater
than 25 ms
logical disk ZACH-PC/C: 0 0 0 0 0 0 0 0
response
times
Alerts
Time Range
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
Greater than 25 ms
logical disk response .037 .037 .037 2
Disk sec/Transfer
times
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
Greater than 15 ms
Disk sec/Transfer
times
2007.08.14-15:48:38 - Hourly
2007.08.14-15:49:38 Trend
Greater than 25 ms
Disk sec/Transfer
times
Back to the top
Memory
Memory Available MBytes

Description: Available MBytes is the amount of physical RAM, in megabytes, immediately available for allocation
to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free and zero
page lists. If this counter is low, then the computer is running low on physical memory (RAM).
This analysis will alert a Warning if this counter's value is less than 10% of the physical memory installed and will
alert a critical if this counter's value is less than 100 MB.
References:
PerfGuide: Low Available RAM
Chapter 8: Physical Memory of the Windows Performance Analysis Field Guide by Clint Huffman
10% of 20% of 30% of
\Memory\Available Hourly Std
MBytes Trend Deviation
Less than 5 ZACH-PC 79 165 212 2,260 43 160 156 151
percent of
RAM is
available or
less than 64
MB of RAM is
available
Alerts
Time Range
2007.08.14-15:40:38 - Hourly
2007.08.14-15:41:38 Trend
Less than 5 percent of RAM is \\ZACH-
available or less than 64 MB of PC\Memory\Available 79 79 79 0
RAM is available MBytes
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
available or less than 64 MB of PC\Memory\Available 107 107 107 5,040
2007.08.14-15:42:38 - Hourly
2007.08.14-15:43:38 Trend
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
2007.08.14-15:45:38 - Hourly
2007.08.14-15:46:38 Trend

2007.08.14-15:46:38 - Hourly
2007.08.14-15:47:38 Trend
2007.08.14-15:47:38 - Hourly
2007.08.14-15:48:38 Trend
2007.08.14-15:48:38 - Hourly
2007.08.14-15:49:38 Trend
2007.08.14-15:49:38 - Hourly
2007.08.14-15:49:58 Trend
Back to the top
Memory Free System Page Table Entries

Description: Free System Page Table Entries is the number of page table entries not currently in used by the
system. This analysis determines if the system is running out of free system page table entries (PTEs) by checking
if there is less than 20,000 free PTE's as a Warning and critical if there is less than 8,000 free PTEs. Lack of enough
PTEs can result in system wide hangs. Also note that the /3GB switch will lower the amount of free PTEs
significantly.
The Performance Monitor Memory\Free System Page Table Entries counter is inaccurate on installations of Windows
Server 2003 without Service Pack 1. For more information about this counter, see Microsoft Knowledge Base article
894067. The Performance tool does not accurately show the available Free System Page Table entries in Windows
Server 2003 http://go.microsoft.com/fwlink/?linkid=3052&kbid=894067
Fix for Win2003 SP1 systems with /3GB and low on PTE's: If the system is low on PTE's, running Windows
2003, and using /3GB switch, then consider using the /USERVA switch to give back some of the memory to the
kernel. Note, this only works for Free System PTE issues.
For more information on the USERVA switch, go to: How to use the /userva switch with the /3GB switch to tune the
User-mode space to a value between 2 GB and 3 GB
Reference:
Ruling Out Memory-Bound Problems
Microsoft Knowledge Base article 894067 The Performance tool does not accurately show the available Free System
Page Table entries in Windows Server 2003
How to use the /userva switch with the /3GB switch to tune the User-mode space to a value between 2 GB and 3
GB
How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP
http://support.microsoft.com/kb/889654
\Memory\Free 10% of 20% of 30% of
Hourly Std
Condition System Page Min Avg Max Outliers Outliers Outliers
Trend Deviation
Table Entries Removed Removed Removed
-
OK ZACH-PC 355,608 359,300 362,456 2,136 358,984 358,776 358,515
31,880
Alerts
No Alerts Found
Back to the top
Memory Pool Non-Paged Bytes

Description: Pool Nonpaged Bytes is the size, in bytes, of the nonpaged pool, an area of system memory (physical
memory used by the operating system) for objects that cannot be written to disk, but must remain in physical
memory as long as they are allocated.
This analysis checks to see if the system is becoming close to the maximum Pool Nonpaged memory size. It does
this by estimating the pool sizes taking into consideration /3GB, physical memory size, and 32-bit/64-bit, then
determining if the value is higher than 60% of the estimated pool size. If the system becomes close to the
maximum size, then the system could experience system wide hangs. Checks both 32-bit and 64-bit memory
pools. Warning: The /3GB switch option in the boot.ini file significantly reduces the size of this memory pool.
If the system is low on Paged Pool or non-Paged pool memory, then it is recommended to open a support case with
Microsoft to address this. Alternatively, you can use a free and public tool called Poolmon.exe to see what DLL's are
using kernel memory (see the article below). Most kernel memory leaks can be tracked back to a usermode
process. To identify which user mode process is responsible, reboot the system (so you start off with a clean
system), start a performance monitor log intending to run for a week or more capturing the Memory and Process
objects, then analyze the perfmon log looking for memory leaks and/or handle leaks in one or more of the
processes. In any case, migrating to a 64-bit version of Windows should alleviate this issue.
References
How to Use Memory Pool Monitor (Poolmon.exe) to Troubleshoot Kernel Mode Memory Leaks
http://technet.microsoft.com/en-us/library/7a44b064-8872-4edf-aac7-36b2a17f662a.aspx
\Memory\Pool 10% of 20% of 30% of
Hourly Std
Condition Nonpaged Min Avg Max Outliers Outliers Outliers
Trend Deviation
Bytes Removed Removed Removed
OK ZACH-PC 28,422,144 28,673,117 28,946,432 7,454,720 172,870 28,645,786 28,626,034 28,604,928
Alerts
No Alerts Found
Back to the top
Memory Pool Paged Bytes

Description: This analysis checks to see if the system is becoming close to the maximum Pool paged memory
size. Pool Paged Bytes is the size, in bytes, of the paged pool, an area of system memory (physical memory used
by the operating system) for objects that can be written to disk when they are not being used.
This analysis checks to see if the system is becoming close to the maximum Pool Paged memory size. It does this
by estimating the pool sizes taking into consideration /3GB, physical memory size, and 32-bit/64-bit, then
determining if the value is higher than 60% of the estimated pool size. If the system becomes close to the
maximum size, then the system could experience system wide hangs. Checks both 32-bit and 64-bit memory
pools. Warning: The /3GB switch option in the boot.ini file significantly reduces the size of this memory pool.
If the system is low on Paged Pool or non-Paged pool memory, then it is recommended to open a support case with
Microsoft to address this. Alternatively, you can use a free and public tool called Poolmon.exe to see what DLL's are
using kernel memory (see the article below). Most kernel memory leaks can be tracked back to a usermode
process. To identify which user mode process is responsible, reboot the system (so you start off with a clean
system), start a performance monitor log intending to run for a week or more capturing the Memory and Process
objects, then analyze the perfmon log looking for memory leaks and/or handle leaks in one or more of the
processes. In any case, migrating to a 64-bit version of Windows should alleviate this issue.
Reference:
How to Use Memory Pool Monitor (Poolmon.exe) to Troubleshoot Kernel Mode Memory Leaks
http://technet.microsoft.com/en-us/library/7a44b064-8872-4edf-aac7-36b2a17f662a.aspx
10% of 20% of 30% of
\Memory\Pool Hourly Std
Paged Bytes Trend Deviation
OK ZACH-PC 75,550,720 76,730,740 77,512,704 1,146,880 720,215 76,652,544 76,580,636 76,491,264
Alerts
No Alerts Found
Back to the top
Memory Pages/sec
Description: This analysis checks Pages/sec (hard page faults) of more than 1000. Keep in mind that all hard
page faults are counted in the pages/sec counter which may or may not be related to the page file(s). According to
Wikipedia, memory-mapped files are a segment of virtual memory which has been assigned a direct byte-for-byte
correlation with some portion of a file or file-like resource. This resource is typically a file that is physically present
on-disk, but can also be a device, shared memory object, or other resource that the operating system can
reference through a file descriptor. In other words, applications like Microsoft Word and Microsoft PowerPoint will
not load entire documents into RAM. Instead, they memory map the file, so that when you navigate through the
document, it loads portions of the document as needed. The act of loading portions of the document from disk to
RAM as a memory mapped file causes a hard page fault which is counted in the pages/sec counter. See the article
The Case of the Phantom Hard Page Faults. To determine if the hard page faults are actually hitting the page file,
use Process Monitor with Advanced Ouput enabled to see how often the page file(s) are hit.
Pages/sec is the rate at which pages are read from or written to disk to resolve hard page faults. It is the sum of
Memory\Pages Input/sec and Memory\Pages Output/sec. It is counted in numbers of pages, so it can be compared
to other counts of pages, such as Memory\Page Faults/sec, without conversion. It includes pages retrieved to
satisfy faults in the file system cache (usually requested by applications) non-cached mapped memory files.
This counter should always be below 1000, therefore this analysis checks for values above 1000. Use this analysis
in correlation with Available Memory Analysis and Memory Leak Analysis. If all are throwing alerts at the same
time, then this may indicate the system is running out of memory and the suspected processes involved and follow
analysis steps mentioned in the Memory Leak analysis.
Reference
The Case of the Phantom Hard Page Faults

10% of 20% of 30% of
Hourly Std
Condition \Memory\Pages/sec Min Avg Max Outliers Outliers Outliers
Trend Deviation
OK ZACH-PC 3 233 571 -6,140 190 196 173 146
Alerts
No Alerts Found
Back to the top
Memory System Cache Resident Bytes

Description: System Cache Resident Bytes is the size, in bytes, of the pageable operating system code in the file
system cache. This value includes only current physical pages and does not include any virtual memory pages not
currently resident. It does equal the System Cache value shown in Task Manager. As a result, this value may be
smaller than the actual amount of virtual memory in use by the file system cache. This value is a component of
Memory\\System Code Resident Bytes which represents all pageable operating system code that is currently in
physical memory. This counter displays the last observed value only; it is not an average.
This analysis checks if System Cache Resident Bytes is consuming more than 25 percent of RAM. Under load, a
server might use the System Cache in order to cache I/O activity such as disk. Use in correlation with Process IO
Data Operations/sec and Process IO Other Operations/sec Analyses.
References
File Cache Performance and Tuning http://technet.microsoft.com/en-us/library/bb742613.aspx

\Memory\System 10% of 20% of 30% of
Std
Condition Cache Resident Min Avg Max Hourly Trend Outliers Outliers Outliers
Deviation
Bytes Removed Removed Removed
-
OK ZACH-PC 8,445,952 28,727,855 100,474,880 28,665,992 21,553,152 18,209,906 14,061,568
1,751,941,120
Alerts
No Alerts Found
Back to the top
Memory % Committed Bytes In Use

Description: % Committed Bytes In Use is the ratio of Memory\Committed Bytes to the Memory\Commit Limit.
Committed memory is the physical memory (RAM plus all of the page files) in use for which space has been
reserved in the paging file should it need to be written to disk. The commit limit is the sum of physical RAM and the
size of all of the paging files. If the paging file is enlarged, the commit limit increases, and the ratio is reduced).
This counter displays the current percentage value only; it is not an average.
This analysis checks if the amount of Commited memory is becoming close to the Commit Limit (RAM plus total
page file sizes), If so, then identify if you have a memory leak. If no memory leak is identified, then consider
adding more physical RAM or increase the size of your page files..
The following article covers how to identify and troubleshoot system committed memory problems:
PerfGuide: Out of System Committed Memory

\Memory\% 10% of 20% of 30% of
Hourly Std
Condition Committed Min Avg Max Outliers Outliers Outliers
Trend Deviation
Bytes In Use Removed Removed Removed
OK ZACH-PC 37 40 47 0 3 39 38 38
Alerts
No Alerts Found
Back to the top
Memory Pages Output/sec

Description: Pages Output/sec is the rate at which pages are written to disk to free up space in physical memory.
Pages are written back to disk only if they are changed in physical memory, so they are likely to hold data, not
code. A high rate of pages output might indicate a memory shortage. Windows writes more pages back to disk to
free up space when physical memory is in short supply. This counter shows the number of pages, and can be
compared to other counts of pages, without conversion.

10% of 20% of 30% of
\Memory\Pages Hourly Std
Output/sec Trend Deviation
No
ZACH-PC 219 279 364 -4,400 76 236 236 236
Thresholds
Alerts
No Alerts Found
Back to the top
Memory Transition Pages RePurposed/sec

Description: Transition Pages RePurposed is the rate at which the number of transition cache pages were reused
for a different purpose. These pages would have otherwise remained in the page cache to provide a (fast) soft fault
(instead of retrieving it from backing store) in the event the page was accessed in the future. Note these pages can
contain private or sharable memory.

\Memory\Transition 10% of 20% of 30% of
Hourly Std
Condition Pages Min Avg Max Outliers Outliers Outliers
Trend Deviation
RePurposed/sec Removed Removed Removed
No
ZACH-PC 0 154 415 -7,700 188 121 82 31
Thresholds
Alerts
No Alerts Found
Back to the top
Memory Committed Bytes

Description: Committed Bytes is the amount of committed virtual memory, in bytes. Committed memory is the
memory which has space reserved in RAM and on the disk paging file(s). There can be one or more paging files on
each physical drive. This counter displays the last observed value only; it is not an average.
This analysis checks if the amount of total committed memory (Commit Charge) exceeds the amount of physical
RAM installed. If so, the page file needs to be used to help store the committed memory and performance might
degrade. To alleviate this, try to identify which process is consuming the most committed memory by looking at
process Private Bytes and looking for a potential memory leak (the consumption of memory over a long period of
time without releasing it). Adding more RAM to the computer will help alleviate this issue, but if it is a memory
leak, then the problem might return.

10% of 20% of 30% of
\Memory\Committed Hourly Std
Bytes Trend Deviation
No
ZACH-PC 564,080,640 597,620,177 708,648,960 124,682,240 43,100,148 586,517,299 580,846,023 577,333,760
Thresholds
Alerts
No Alerts Found
Back to the top
Memory Commit Limit

Description: Commit Limit is the amount of virtual memory that can be committed without having to extend the
paging file(s). It is measured in bytes. Committed memory is the physical memory which has space reserved on
the disk paging files. There can be one paging file on each logical drive). If the paging file(s) are be expanded, this
limit increases accordingly. This counter displays the last observed value only; it is not an average.
10% of 20% of 30% of
\Memory\Commit Hourly Std
Limit Trend Deviation
No
ZACH-PC 1,512,824,832 1,512,824,832 1,512,824,832 0 0 1,512,824,832 1,512,824,832 1,512,824,832
Thresholds
Alerts
No Alerts Found
Back to the top
Memory Pages Input/sec

Description: Pages Input/sec is the rate at which pages are read from disk to resolve hard page faults. Hard page
faults occur when a process refers to a page in virtual memory that is not in its working set or elsewhere in
physical memory, and must be retrieved from disk. When a page is faulted, the system tries to read multiple
contiguous pages into memory to maximize the benefit of the read operation. Compare the value of
Memory\\Pages Input/sec to the value of Memory\\Page Reads/sec to determine the average number of pages
read into memory during each read operation. This analysis checks for more than 1000 page inputs per second. If
there is a lot of page inputs per second, then it could be normal file I/O reading from the disk as memory mapped
files, or it could be reading from the page file. This counter is not an indicator of a lack of memory condition unless
there is a lot of memory pressure corresponding to this alert.

10% of 20% of 30% of
\Memory\Pages Hourly Std
Input/sec Trend Deviation
OK ZACH-PC 3 150 377 -1,760 124 124 97 82
Alerts
No Alerts Found
Back to the top
Memory Free & Zero Page List Bytes

Description: Free & Zero Page List Bytes is the amount of physical memory, in bytes, that is assigned to the free
and zero page lists. This memory does not contain cached data. It is immediately available for allocation to a
process or for system use. For a full explanation of the memory manager, refer to MSDN and/or the System
Performance and Troubleshooting Guide chapter in the Windows Server 2003 Resource Kit.
If the size of the Free and Zero page list is large, then it is a good indicator of too much RAM installed on the
computer. A large amount of Free and Zero page list size is normal for computers that have been recently powered
on or booted. As the system accesses the hard disk placing pages of memory into the working sets of processes,
eventually many of those pages of memory will be discarded or paged out. When that happens, the memory is
often placed on the Standby list. A large Standby list is preferable because it uses the extra RAM as a disk cache.
Available memory is the sum of the Free, Zero, and Standby page lists, so a high amount of available memory with
a low amount of Zero and Free is preferred because the system is using the extra RAM as disk cache.
\Memory\Free 10% of 20% of 30% of
Hourly Std
Condition & Zero Page Min Avg Max Outliers Outliers Outliers
Trend Deviation
List Bytes Removed Removed Removed
No
ZACH-PC 65,536 17,498,484 89,174,016 115,834,880 28,019,674 10,330,931 6,306,930 3,271,168
Thresholds
Alerts
No Alerts Found
Back to the top
Memory Pool Paged Resident Bytes

Description: Pool Paged Resident Bytes is the size, in bytes, of the portion of the paged pool that is currently
resident and active in physical memory. The paged pool is an area of the system virtual memory that is used for
objects that can be written to disk when they are not being used. This counter displays the last observed value
only; it is not an average.

\Memory\Pool 10% of 20% of 30% of
Hourly Std
Condition Paged Min Avg Max Outliers Outliers Outliers
Trend Deviation
Resident Bytes Removed Removed Removed
No -
ZACH-PC 32,055,296 35,973,306 47,149,056 4,103,727 34,855,731 34,610,745 34,361,856
Alerts
No Alerts Found
Back to the top
Network Interface
Network Interface % Network Utilization

Description: % Network Utilization doesn't exist as a normal performance counter, so this analysis uses multiplies
\Network Interface(*)\Bytes Total/sec by 8 (to convert it to bits total/sec), divides it by \Network
Interface(*)\Current Bandwidth, and multiplies the result by 100 to create a percentage. This analysis throws
a warning alert when greater than 50 and throws a critical alert when greater than 80.
\Network 10% of 20% of 30% of
Hourly Std
Condition Interface(*)\% Min Avg Max Outliers Outliers Outliers
Trend Deviation
Network Utilization Removed Removed Removed
ZACH-PC/Atheros
OK AR5005G Wireless 0 0 0 0 0 0 0 0
Network Adapter
OK ZACH-PC/VIA Rhine 0 0 0 0 0 0 0 0
II Fast Ethernet
Adapter
Alerts
No Alerts Found
Back to the top
Network Interface Output Queue Length

Description:
No data to chart

Hourly Std
Condition Interface(*)\Output Min Avg Max Outliers Outliers Outliers
Trend Deviation
Queue Length Removed Removed Removed
ZACH-PC/VIA Rhine II
OK 0 0 0 0 0 0 0 0
Fast Ethernet Adapter
ZACH-PC/Atheros
OK AR5005G Wireless 0 0 0 0 0 0 0 0
Network Adapter
Alerts
No Alerts Found
Back to the top
Network Interface % Network Utilization Sent

Description: % Network Utilization Sent doesn't exist as a normal performance counter, so this analysis uses
multiplies \Network Interface(*)\Bytes Sent/sec by 8 (to convert it to bits total/sec), divides it by \Network
Interface(*)\Current Bandwidth, and multiplies the result by 100 to create a percentage. This analysis throws
a warning alert when greater than 50 and throws a critical alert when greater than 80.

\Network
10% of 20% of 30% of
Interface(*)\% Hourly Std
Network Utilization Trend Deviation
Sent
OK ZACH-PC/Atheros 0 0 0 0 0 0 0 0
AR5005G Wireless
Network Adapter
OK 0 0 0 0 0 0 0 0
Alerts
No Alerts Found
Back to the top
Network Interface % Network Utilization Received

Description: % Network Utilization Received doesn't exist as a normal performance counter, so this analysis uses
multiplies \Network Interface(*)\Bytes Received/sec by 8 (to convert it to bits total/sec), divides it by
\Network Interface(*)\Current Bandwidth, and multiplies the result by 100 to create a percentage. This
analysis throws a warning alert when greater than 50 and throws a critical alert when greater than 80.
\Network
10% of 20% of 30% of
Interface(*)\% Hourly Std
Network Utilization Trend Deviation
Received
ZACH-PC/Atheros
OK AR5005G Wireless 0 0 0 0 0 0 0 0
Network Adapter
OK 0 0 0 0 0 0 0 0
Alerts
No Alerts Found
Back to the top
Network Interface Packets Outbound Errors

Description: Packets Outbound Errors is the number of outbound packets that could not be transmitted because
of errors.
If errors are occuring during this analysis, network connectivity could be affected with a potential for random
Outlook RPC dialog boxes. See http://technet.microsoft.com/en-us/library/aa997363.aspx and
http://technet.microsoft.com/en-us/library/aa995850.asp for more information
No data to chart

Hourly Std
Condition Interface(*)\Packets Min Avg Max Outliers Outliers Outliers
Trend Deviation
Outbound Errors Removed Removed Removed
OK 0 0 0 0 0 0 0 0
ZACH-PC/Atheros
OK AR5005G Wireless 0 0 0 0 0 0 0 0
Network Adapter
Alerts
No Alerts Found
Back to the top

Network Interface Bytes Total/sec
Description: Bytes Total/sec is the rate at which bytes are sent and received over each network adapter, including
framing characters. Network Interface\Bytes Total/sec is a sum of Network Interface\Bytes Received/sec and
Network Interface\Bytes Sent/sec.

Hourly Std
Condition Interface(*)\Bytes Min Avg Max Outliers Outliers Outliers
Trend Deviation
Total/sec Removed Removed Removed
No ZACH-PC/VIA Rhine II
0 0 0 0 0 0 0 0
Thresholds Fast Ethernet Adapter
ZACH-PC/Atheros
No
AR5005G Wireless 0 0 0 0 0 0 0 0
Thresholds
Network Adapter
Alerts
No Alerts Found
Back to the top
Network Interface Current Bandwidth

Description: Current Bandwidth is an estimate of the current bandwidth of the network interface in bits per
second (BPS). For interfaces that do not vary in bandwidth or for those where no accurate estimation can be made,
this value is the nominal bandwidth.

Hourly Std
Min Avg Max 10% of Outliers Removed 20% of Outliers
Trend Deviation
000,000 10,000,000 10,000,000 0 0 10,000,000 10,000,000
23,372,036,854,780,000 9,223,372,036,854,780,000 9,223,372,036,854,780,000 0 0 9,223,372,036,854,780,000 9,223,372,036,85

Alerts
Time Range
2007.08.14-
15:40:38 - Hourly
2007.08.14- Trend
15:41:38
\\ZACH-PC\Network
Less than 1
Interface(VIA Rhine II Fast
Gbps 10,000,000 10,000,000 10,000,000 0
Ethernet Adapter)\Current
connection
Bandwidth
2007.08.14-
15:41:38 - Hourly
2007.08.14- Trend
15:42:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:42:38 - Hourly
2007.08.14- Trend
15:43:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:43:38 - Hourly
2007.08.14- Trend
15:44:38
Less than 1 \\ZACH-PC\Network 10,000,000 10,000,000 10,000,000 0
Gbps Interface(VIA Rhine II Fast
connection Ethernet Adapter)\Current

Bandwidth
2007.08.14-
15:44:38 - Hourly
2007.08.14- Trend
15:45:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:45:38 - Hourly
2007.08.14- Trend
15:46:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:46:38 - Hourly
2007.08.14- Trend
15:47:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:47:38 - Hourly
2007.08.14- Trend
15:48:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:48:38 - Hourly
2007.08.14- Trend
15:49:38
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
2007.08.14-
15:49:38 - Hourly
2007.08.14- Trend
15:49:58
\\ZACH-PC\Network
Less than 1
Gbps 10,000,000 10,000,000 10,000,000 0
connection
Bandwidth
Back to the top
Network Interface Packets/sec

Description: Packets/sec is the rate at which packets are sent and received on the network interface.
10% of 20% of 30% of
\Network Hourly Std
Interface(*)\Packets/sec Trend Deviation
No ZACH-PC/VIA Rhine II Fast

0 0 0 0 0 0 0 0
Thresholds Ethernet Adapter
No ZACH-PC/Atheros AR5005G
0 0 0 0 0 0 0 0
Thresholds Wireless Network Adapter
Alerts
No Alerts Found
Back to the top
Network Interface Packets Sent/sec

Description: Packets Sent/sec is the rate at which packets are sent on the network interface.
Hourly Std
Trend Deviation
Sent/sec Removed Removed Removed
0 0 0 0 0 0 0 0
ZACH-PC/Atheros
No
AR5005G Wireless 0 0 0 0 0 0 0 0
Thresholds
Network Adapter
Alerts
No Alerts Found
Back to the top
Network Interface Packets Received/sec

Description: Packets Received/sec is the rate at which packets are received on the network interface.
Hourly Std
Trend Deviation
Received/sec Removed Removed Removed
0 0 0 0 0 0 0 0
No ZACH-PC/Atheros 0 0 0 0 0 0 0 0
Thresholds AR5005G Wireless

Network Adapter
Alerts
No Alerts Found
Back to the top
PhysicalDisk
PhysicalDisk Read Latency Analysis

Description: Avg. Disk sec/Read is the average time, in seconds, of a read of data to the disk. This analysis
determines if any of the physical disks are responding slowly.
If the response times are greater than 0.015 (15 milliseconds), then the disk subsystem is keeping up with
demand.
Reference:
10% of 20% of 30% of
\PhysicalDisk(*)\Avg. Hourly Std
Disk sec/Read Trend Deviation
Greater ZACH-PC/0 C: .005 .018 .048 0 .015 .014 .011 .009
than 25 ms
physical
disk READ
response
times
Alerts
Time Range
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
Greater than 15 ms
\\ZACH-PC\PhysicalDisk(0
physical disk READ .016 .016 .016 1
C:)\Avg. Disk sec/Read
response times
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
Greater than 25 ms
response times
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
Greater than 25 ms
response times
2007.08.14-15:48:38 - Hourly
2007.08.14-15:49:38 Trend
Greater than 25 ms
response times
Back to the top
PhysicalDisk Write Latency Analysis

Description: Avg. Disk sec/Write is the average time, in seconds, of a write of data to the disk. This analysis
determines if any of the physical disks are responding slowly.
If the response times are greater than 0.015 (15 milliseconds), then the disk subsystem is keeping up with
demand.
Reference:

10% of 20% of 30% of
Disk sec/Write Trend Deviation
Greater ZACH-PC/0 C: 0 .006 .017 0 .007 .005 .003 .002

than 15 ms
physical
disk WRITE
response
times
Alerts
Time Range
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
Greater than 15 ms
physical disk WRITE .017 .017 .017 0
C:)\Avg. Disk sec/Write
response times
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
Greater than 15 ms
physical disk WRITE .016 .016 .016 0
C:)\Avg. Disk sec/Write
response times
Back to the top
PhysicalDisk Current Disk Queue Length

Description: Current Disk Queue Length is the number of requests outstanding on the disk at the time the
performance data is collected. It also includes requests in service at the time of the collection. This is a
instantaneous snapshot, not an average over the time interval. Multi-spindle disk devices can have multiple
requests that are active at one time, but other concurrent requests are awaiting service. This counter might reflect
a transitory high or low queue length, but if there is a sustained load on the disk drive, it is likely that this will be
consistently high. Requests experience delays proportional to the length of this queue minus the number of
spindles on the disks. For good performance, this difference should average less than two.
If the server is using an HBA (Host Bus Adapter: This is used to connect to a Storage Area Network SAN) and if the
Current Disk Queue Length goes up to 32 frequently, then consider increasing the queue depth on the HBA to allow
more concurrent I/O to the SAN. Please consult your SAN administrator before making any changes.
10% of 20% of 30% of
\PhysicalDisk(*)\Current Hourly Std
OK ZACH-PC/0 C: 1 1 2 -60 0 1 1 1
Alerts
No Alerts Found
Back to the top
PhysicalDisk Avg. Disk Queue Length

Description: Avg. Disk Queue Length is the average number of both read and write requests that were queued for
the selected disk during the sample interval.

10% of 20% of 30% of
More than 2
I/O's are
waiting on ZACH-PC/0 C: 0 1 3 0 1 1 0 0
the physical
disk
Alerts
Time Range
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
More than 2 I/O's are

waiting on the physical 3 3 3 180
C:)\Avg. Disk Queue Length
disk
Back to the top
PhysicalDisk Disk Bytes/sec

Description: Disk Bytes/sec is the rate bytes are transferred to or from the disk during write or read operations.
10% of 20% of 30% of
\PhysicalDisk(*)\Disk Hourly Std
Bytes/sec Trend Deviation
No -
ZACH-PC/0 C: 43,963 1,143,916 2,453,652 937,983 998,390 819,816 655,214
Alerts
No Alerts Found
Back to the top
Process
Process Private Bytes

Description: This analysis determines if one or more processes are leaking private, committed, memory over
time. A process consuming large portions of memory is okay as long as the process returns the memory back to
the system. Look for increasing trends in the chart. An increasing trend over a long period of time could indicate a
system committed memory leak. Private Bytes is the current size, in bytes, of memory that this process has
allocated that cannot be shared with other processes. This analysis checks for a 100 MB per hour increasing trend.
Use this analysis in correlation with the \Memory\Committed Bytes performance counter.
Use this analysis in correlation with the \Memory\Committed Bytes. If you suspect a memory leak condition,
then install and use the Debug Diag tool. For more information on the Debug Diag Tool, see the references section.
References:
Debug Diagnostic Tool v1.1 http://www.microsoft.com/downloads/details.aspx?FamilyID=28bd5941-c458-46f1-
b24d-f60151d875a3&displaylang=en
10% of 20% of 30% of
\Process(*)\Private Std
Condition Min Avg Max Hourly Trend Outliers Outliers Outliers
Bytes Deviation
ZACH-
OK 27,443,200 27,713,908 27,820,032 7,536,640 137,755 27,703,296 27,690,325 27,674,112
PC/SearchIndexer
OK ZACH-PC/SLsvc 4,145,152 4,145,152 4,145,152 0 0 4,145,152 4,145,152 4,145,152
OK ZACH-PC/PowerStarter 60,719,104 60,719,104 60,719,104 - 0 60,719,104 60,719,104 60,719,104

1,214,382,100
OK ZACH-PC/System 3,047,424 3,047,424 3,047,424 0 0 3,047,424 3,047,424 3,047,424
OK ZACH-PC/ApntEx 1,224,704 1,224,704 1,224,704 0 0 1,224,704 1,224,704 1,224,704
OK ZACH-PC/smss 258,048 258,048 258,048 0 0 258,048 258,048 258,048
OK ZACH-PC/csrss#1 10,801,152 10,808,227 10,878,976 -1,556,480 23,465 10,801,152 10,801,152 10,801,152
OK ZACH-PC/csrss 1,654,784 1,680,105 1,691,648 737,280 16,569 1,678,950 1,677,540 1,675,776
OK ZACH-PC/lsass 3,158,016 3,161,367 3,194,880 0 11,115 3,158,016 3,158,016 3,158,016
OK ZACH-PC/ccApp 9,797,632 9,803,217 9,818,112 409,600 9,566 9,801,728 9,799,908 9,797,632
OK ZACH-PC/spoolsv 5,963,776 5,971,968 6,053,888 0 27,170 5,963,776 5,963,776 5,963,776
OK ZACH-PC/taskeng#1 1,482,752 1,495,040 1,531,904 -983,040 19,036 1,491,354 1,487,303 1,485,312
OK ZACH-PC/taskeng 8,601,600 8,644,794 8,798,208 3,932,160 76,462 8,629,453 8,610,702 8,609,280
OK ZACH-PC/taskmgr 1,855,488 1,918,417 1,961,984 2,129,920 29,267 1,914,061 1,911,012 1,907,200
OK ZACH-PC/Apoint 2,113,536 2,113,536 2,113,536 0 0 2,113,536 2,113,536 2,113,536
OK ZACH-PC/wininit 1,171,456 1,171,456 1,171,456 0 0 1,171,456 1,171,456 1,171,456
OK ZACH-PC/audiodg 11,337,728 11,425,978 11,956,224 2,048,000 178,657 11,372,954 11,363,214 11,360,256
OK ZACH-PC/svchost#12 1,273,856 1,273,856 1,273,856 0 0 1,273,856 1,273,856 1,273,856
OK ZACH-PC/svchost#8 9,842,688 9,868,381 9,912,320 -1,392,640 25,122 9,863,987 9,858,617 9,856,000
OK ZACH-PC/svchost#7 13,152,256 13,376,419 14,053,376 18,022,400 342,608 13,308,723 13,230,535 13,201,408
OK ZACH-PC/svchost#6 6,799,360 6,802,711 6,811,648 -245,760 5,740 6,801,818 6,800,725 6,799,360
OK ZACH-PC/svchost#5 22,315,008 22,351,872 22,478,848 163,840 50,731 22,339,174 22,330,482 22,328,320
OK ZACH-PC/svchost#1 2,859,008 2,886,935 2,928,640 573,440 21,814 2,882,765 2,879,033 2,877,440
OK ZACH-PC/svchost 2,371,584 2,388,340 2,404,352 81,920 16,121 2,386,739 2,384,782 2,382,336
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/sidebar 4,902,912 4,902,912 4,902,912 0 0 4,902,912 4,902,912 4,902,912
OK ZACH-PC/XAudio 741,376 741,376 741,376 0 0 741,376 741,376 741,376
OK ZACH-PC/AppSvc32 9,375,744 11,816,215 34,701,312 4,341,760 7,590,780 9,527,706 9,520,469 9,511,424
OK ZACH-PC/rundll32#1 5,115,904 8,035,328 10,326,016 -102,318,100 2,158,757 7,271,765 7,271,765 7,271,765

OK ZACH-PC/rundll32 5,967,872 6,077,347 6,103,040 2,703,360 39,800 6,074,778 6,071,637 6,067,712
OK ZACH-PC/MSASCui 5,828,608 5,828,608 5,828,608 0 0 5,828,608 5,828,608 5,828,608
ZACH-
OK 3,063,808 3,063,808 3,063,808 0 0 3,063,808 3,063,808 3,063,808
PC/AluSchedulerSvc
OK ZACH-PC/PowerDVD 13,455,360 13,455,360 13,455,360 -269,107,220 0 13,455,360 13,455,360 13,455,360
OK ZACH-PC/explorer 36,818,944 39,550,976 57,470,976 56,934,400 6,106,421 37,758,976 37,508,892 37,196,288
ZACH-
OK 3,420,160 3,420,160 3,420,160 -68,403,220 0 3,420,160 3,420,160 3,420,160
PC/SearchFilterHost
-
OK ZACH-PC/Solitaire 138,231,808 138,231,808 138,231,808 0 138,231,808 138,231,808 138,231,808
2,764,636,180
OK ZACH-PC/ApMsgFwd 671,744 671,744 671,744 0 0 671,744 671,744 671,744
OK ZACH-PC/WmiPrvSE 3,682,304 4,286,874 5,107,712 -76,922,900 687,113 4,081,664 4,081,664 4,081,664
OK ZACH-PC/symlcsvc 2,404,352 2,404,352 2,404,352 0 0 2,404,352 2,404,352 2,404,352
OK ZACH-PC/RichVideo 1,073,152 1,073,152 1,073,152 0 0 1,073,152 1,073,152 1,073,152
ZACH-
OK 5,873,664 5,873,664 5,873,664 -117,473,300 0 5,873,664 5,873,664 5,873,664
PC/SearchProtocolHost
OK ZACH-PC/wmpnscfg 1,466,368 1,466,368 1,466,368 0 0 1,466,368 1,466,368 1,466,368
OK ZACH-PC/services 2,195,456 2,227,479 2,252,800 0 18,024 2,224,947 2,221,852 2,217,984
OK ZACH-PC/wmpnetwk 15,208,448 15,208,448 15,208,448 0 0 15,208,448 15,208,448 15,208,448
OK ZACH-PC/ccSvcHst 29,077,504 29,088,675 29,097,984 409,600 8,211 29,087,744 29,087,061 29,086,208
OK ZACH-PC/winlogon 1,863,680 1,863,680 1,863,680 0 0 1,863,680 1,863,680 1,863,680
OK ZACH-PC/dwm 1,265,664 1,271,249 1,286,144 0 9,566 1,269,760 1,267,940 1,265,664
OK ZACH-PC/lsm 1,388,544 1,408,652 1,441,792 983,040 24,743 1,405,338 1,401,287 1,396,736
OK ZACH-PC/cmd 2,002,944 2,002,944 2,002,944 -40,058,900 0 2,002,944 2,002,944 2,002,944
OK ZACH-PC/mmc 15,732,736 16,007,168 16,183,296 5,488,640 115,925 15,989,555 15,974,855 15,961,088
Alerts
Time Range
2007.08.14-
15:41:38 -
2007.08.14-
15:42:38
Increasing \\ZACH- 8,269,824 8,269,824 8,269,824 567,705,600

trend of
more than
100 MB
per hour -
may not
PC\Process(rundll32#1)\Private
be
Bytes
accurate
on counter
logs of
less than 1
hour
2007.08.14-
15:42:38 -
2007.08.14-
15:43:38
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(rundll32#1)\Private 8,429,568 8,429,568 8,429,568 298,229,760
be
Bytes
accurate
on counter
logs of
less than 1
hour
2007.08.14-
15:43:38 -
2007.08.14-
15:44:38
Increasing \\ZACH- 34,701,312 34,701,312 34,701,312 1,519,534,080
trend of PC\Process(AppSvc32)\Private
more than Bytes
100 MB
per hour -
may not
be
accurate
on counter
logs of
less than 1
hour
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(rundll32#1)\Private 10,326,016 10,326,016 10,326,016 312,606,720
be
Bytes
accurate
on counter
logs of
less than 1
hour
2007.08.14-
15:46:38 -
2007.08.14-
15:47:38
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(explorer)\Private 57,470,976 57,470,976 57,470,976 619,560,960
be
Bytes
accurate
on counter
logs of
less than 1
hour
Back to the top
Process Handle Count

Description: This analysis checks each process to determine if there is a handle leak and if more than 20,000
handles are open by a process. Handle leaks can be attributed to system committed memory leaks. If this analysis
throws alerts, then you need to manually open the performance monitor log and look at the instances
\Process(*)\Handle Count to determine which process is leaking handles. More than 20,000 handles may
indicate a handle leak which might be related to ephemeral port exhaustion.

10% of 20% of 30% of
\Process(*)\Handle Hourly Std
Count Trend Deviation
Increasing ZACH- 633 649 676 520 16 646 645 643
trend of PC/SearchIndexer
more than
100
handles per
hour
OK ZACH-PC/SLsvc 91 91 91 0 0 91 91 91
OK ZACH-PC/PowerStarter 219 219 219 -4,400 0 219 219 219
OK ZACH-PC/System 2,204 2,205 2,208 40 1 2,205 2,205 2,205
OK ZACH-PC/ApntEx 52 52 56 0 1 52 52 52
OK ZACH-PC/smss 28 28 28 0 0 28 28 28
Increasing
trend of
more than
ZACH-PC/csrss#1 321 336 344 320 8 335 334 333
100
handles per
hour
OK ZACH-PC/csrss 556 565 575 0 7 564 564 563
OK ZACH-PC/lsass 581 590 602 60 7 589 588 587
OK ZACH-PC/ccApp 530 531 535 100 2 531 530 530
OK ZACH-PC/spoolsv 306 306 306 0 0 306 306 306
OK ZACH-PC/taskeng#1 90 92 96 -80 2 92 91 91
Increasing
trend of
more than
ZACH-PC/taskeng 317 320 326 180 3 320 319 319
100
handles per
hour
OK ZACH-PC/taskmgr 96 98 100 60 1 98 97 97
OK ZACH-PC/Apoint 95 95 95 0 0 95 95 95
OK ZACH-PC/wininit 74 74 74 0 0 74 74 74
Increasing
trend of
more than
ZACH-PC/audiodg 108 114 124 240 5 113 112 111
100
handles per
hour
OK ZACH-PC/svchost#12 85 85 85 0 0 85 85 85
OK ZACH-PC/svchost#8 262 268 274 -220 3 268 267 267
Increasing
trend of
more than
ZACH-PC/svchost#7 386 394 398 240 4 394 394 393
100
handles per
hour
OK ZACH-PC/svchost#5 1,020 1,036 1,058 -480 13 1,034 1,032 1,030
Increasing
trend of
more than
ZACH-PC/svchost#3 423 427 433 160 4 427 426 426
100
handles per
hour
OK ZACH-PC/svchost 275 277 279 20 1 277 277 277
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/sidebar 143 143 143 0 0 143 143 143
OK ZACH-PC/XAudio 37 37 37 0 0 37 37 37
OK ZACH-PC/AppSvc32 282 284 303 0 6 282 282 282
OK ZACH-PC/rundll32#1 175 288 340 -3,520 76 270 270 270
OK ZACH-PC/rundll32 223 224 224 20 0 224 224 224
OK ZACH-PC/MSASCui 321 321 321 0 0 321 321 321
ZACH-
OK 206 207 209 40 1 207 207 207
PC/AluSchedulerSvc
OK ZACH-PC/PowerDVD 298 298 298 -5,980 0 298 298 298
OK ZACH-PC/explorer 680 693 748 -60 18 688 687 687
ZACH-
OK 111 112 112 -2,260 1 111 111 112
PC/SearchFilterHost
OK ZACH-PC/Solitaire 207 207 207 -4,160 0 207 207 207
OK ZACH-PC/ApMsgFwd 29 29 29 0 0 29 29 29
OK ZACH-PC/WmiPrvSE 211 222 241 -4,400 11 217 217 217
OK ZACH-PC/symlcsvc 118 118 118 0 0 118 118 118
OK ZACH-PC/RichVideo 66 66 66 0 0 66 66 66
ZACH-
OK 294 296 298 -5,980 3 294 294 298
OK ZACH-PC/wmpnscfg 98 98 98 0 0 98 98 98
OK ZACH-PC/services 220 223 225 -20 1 223 223 222
OK ZACH-PC/wmpnetwk 438 438 438 0 0 438 438 438
Increasing
trend of
more than
ZACH-PC/ccSvcHst 685 687 691 120 2 687 687 686
100
handles per
hour
OK ZACH-PC/winlogon 122 122 122 0 0 122 122 122
OK ZACH-PC/dwm 81 82 84 0 1 81 81 81
OK ZACH-PC/lsm 139 140 145 40 2 140 139 139
OK ZACH-PC/cmd 19 19 19 -400 0 19 19 19
Increasing
trend of
more than
ZACH-PC/mmc 345 360 370 300 6 359 359 358
100
handles per
hour
Alerts
Time Range
2007.08.14-
15:41:38 - Hourly
2007.08.14- Trend
15:42:38
Increasing trend of
\\ZACH-PC\Process(System)\Handle
more than 100 2,205 2,205 2,205 180
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(ApntEx)\Handle
more than 100 56 56 56 720
Count
handles per hour
Increasing trend of
more than 100 599 599 599 1,260
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(taskeng)\Handle
more than 100 321 321 321 720
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(taskmgr)\Handle
more than 100 98 98 98 180
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 274 274 274 180
PC\Process(svchost#8)\Handle Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 396 396 396 1,800
handles per hour
Increasing trend of
\\ZACH-
more than 100 480 480 480 540
handles per hour
Increasing trend of
\\ZACH-
more than 100 307 307 307 23,760
PC\Process(rundll32#1)\Handle Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(rundll32)\Handle
more than 100 224 224 224 180
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(explorer)\Handle
more than 100 689 689 689 540
Count
handles per hour
Increasing trend of
more than 100 82 82 82 180
Count
handles per hour
Increasing trend of
more than 100 362 362 362 3,060
Count
handles per hour
2007.08.14- Condition Counter Min Avg Max Hourly

15:42:38 -
2007.08.14- Trend
15:43:38
Increasing trend of
more than 100 319 319 319 180
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 390 390 390 360
handles per hour
Increasing trend of
\\ZACH-
more than 100 329 329 329 13,860
handles per hour
Increasing trend of
more than 100 689 689 689 270
Count
handles per hour
Increasing trend of
more than 100 360 360 360 1,350
Count
handles per hour
2007.08.14-
15:43:38 - Hourly
2007.08.14- Trend
15:44:38
Increasing trend of \\ZACH-
more than 100 PC\Process(SearchIndexer)\Handle 635 635 635 120
handles per hour Count
Increasing trend of
more than 100 2,206 2,206 2,206 120
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(csrss#1)\Handle
more than 100 338 338 338 600
Count
handles per hour
Increasing trend of
more than 100 602 602 602 600
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 397 397 397 660
handles per hour
Increasing trend of
\\ZACH-
more than 100 430 430 430 300
handles per hour
Increasing trend of
\\ZACH-
more than 100 288 288 288 120
handles per hour
Increasing trend of
\\ZACH-
more than 100 303 303 303 1,260
PC\Process(AppSvc32)\Handle Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 340 340 340 9,900
handles per hour
Increasing trend of
more than 100 692 692 692 360
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 241 241 241 1,320
PC\Process(WmiPrvSE)\Handle Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(ccSvcHst)\Handle
more than 100 689 689 689 240
Count
handles per hour
Increasing trend of
more than 100 142 142 142 180
Count
handles per hour
Increasing trend of
more than 100 364 364 364 1,140
Count
handles per hour
2007.08.14-
15:44:38 - Hourly
2007.08.14- Trend
15:45:38
Increasing trend of
more than 100 341 341 341 585
Count
handles per hour
Increasing trend of
more than 100 572 572 572 135
Count
handles per hour
Increasing trend of
more than 100 597 597 597 225
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(ccApp)\Handle
more than 100 535 535 535 225
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(audiodg)\Handle
more than 100 123 123 123 495
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 397 397 397 495
handles per hour
Increasing trend of
\\ZACH-
more than 100 429 429 429 180
handles per hour
Increasing trend of
\\ZACH-
more than 100 289 289 289 135
handles per hour
Increasing trend of
more than 100 690 690 690 180
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 223 223 223 180
PC\Process(WmiPrvSE)\Handle Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(ccSvcHst)\Handle
more than 100 691 691 691 270
Count
handles per hour
Increasing trend of
more than 100 84 84 84 135
Count
handles per hour
Increasing trend of
more than 100 145 145 145 270
Count
handles per hour
Increasing trend of
more than 100 359 359 359 630
Count
handles per hour

15:45:38 -
2007.08.14- Trend
15:46:38
Increasing trend of
more than 100 2,208 2,208 2,208 144
Count
handles per hour
Increasing trend of
more than 100 332 332 332 144
Count
handles per hour
Increasing trend of
more than 100 575 575 575 216
Count
handles per hour
Increasing trend of
more than 100 320 320 320 108
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 394 394 394 288
handles per hour
Increasing trend of
\\ZACH-
more than 100 433 433 433 288
handles per hour
Increasing trend of
more than 100 690 690 690 144
Count
handles per hour
Increasing trend of
more than 100 360 360 360 540
Count
handles per hour
2007.08.14-
15:46:38 - Hourly
2007.08.14- Trend
15:47:38
more than 100 PC\Process(SearchIndexer)\Handle 676 676 676 1,290

Increasing trend of
more than 100 344 344 344 480
Count
handles per hour
Increasing trend of
more than 100 322 322 322 150
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 394 394 394 240
handles per hour
Increasing trend of
more than 100 748 748 748 1,860
Count
handles per hour
Increasing trend of
more than 100 360 360 360 450
Count
handles per hour
2007.08.14-
15:47:38 - Hourly
2007.08.14- Trend
15:48:38
Increasing trend of
more than 100 341 341 341 334
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 397 397 397 283
handles per hour
Increasing trend of
more than 100 690 690 690 103
Count
handles per hour
Increasing trend of
more than 100 362 362 362 437
Count
handles per hour
15:48:38 - Trend
2007.08.14-
15:49:38
Increasing trend of
more than 100 342 342 342 315
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 394 394 394 180
handles per hour
Increasing trend of
more than 100 360 360 360 338
Count
handles per hour
2007.08.14-
15:49:38 - Hourly
2007.08.14- Trend
15:49:58
Increasing trend of
more than 100 344 344 344 320
Count
handles per hour
Increasing trend of
more than 100 326 326 326 180
Count
handles per hour
Increasing trend of
\\ZACH-PC\Process(audiodg)\Handle
more than 100 124 124 124 240
Count
handles per hour
Increasing trend of
\\ZACH-
more than 100 398 398 398 240
handles per hour
Increasing trend of
\\ZACH-
more than 100 433 433 433 160
handles per hour
Increasing trend of \\ZACH-PC\Process(ccSvcHst)\Handle 691 691 691 120
more than 100 Count

handles per hour
Increasing trend of
more than 100 360 360 360 300
Count
handles per hour
Back to the top
Process Thread Count

Description: The number of threads currently active in this process. An instruction is the basic unit of execution in
a processor, and a thread is the object that executes instructions. Every running process has at least one thread.
This analysis checks each process to determine if it is leaking more than 100 threads per hour and if it has more
than 1000 threads. A process with a large number of threads and/or an aggressive upward trend could indicate a
thread leak which typically results in a system committed memory leak and/or high context switching. High context
switching will result in high privileged mode CPU usage.

10% of 20% of 30% of
\Process(*)\Thread Hourly Std
Count Trend Deviation
ZACH-
OK 16 17 18 20 0 17 17 17
PC/SearchIndexer
OK ZACH-PC/SLsvc 4 4 4 0 0 4 4 4
OK ZACH-PC/PowerStarter 4 4 4 -100 0 4 4 4
OK ZACH-PC/System 92 92 92 0 0 92 92 92
OK ZACH-PC/ApntEx 3 3 3 0 0 3 3 3
OK ZACH-PC/smss 4 4 4 0 0 4 4 4
OK ZACH-PC/csrss#1 10 10 10 0 0 10 10 10
OK ZACH-PC/csrss 11 11 11 0 0 11 11 11
OK ZACH-PC/lsass 10 10 11 0 0 10 10 10
OK ZACH-PC/ccApp 45 45 46 20 0 45 45 45
OK ZACH-PC/taskeng 15 16 16 20 1 16 15 15
OK ZACH-PC/Apoint 3 3 3 0 0 3 3 3
OK ZACH-PC/audiodg 3 4 8 80 1 4 4 4
OK ZACH-PC/Idle 1 1 1 0 0 1 1 1
OK ZACH-PC/XAudio 2 2 2 0 0 2 2 2
OK ZACH-PC/AppSvc32 10 10 11 0 0 10 10 10
OK ZACH-PC/rundll32#1 3 6 8 -80 2 5 5 5
OK ZACH-PC/rundll32 3 4 4 20 0 4 4 4
ZACH-
OK 6 6 6 0 0 6 6 6
PC/AluSchedulerSvc
OK ZACH-PC/PowerDVD 12 12 12 -260 0 12 12 12
OK ZACH-PC/explorer 30 31 37 0 2 30 30 30
ZACH-
OK 5 5 5 -120 0 5 5 5
PC/SearchFilterHost
OK ZACH-PC/Solitaire 7 7 7 -160 0 7 7 7
OK ZACH-PC/WmiPrvSE 4 6 6 -140 1 6 6 6
ZACH-
OK 6 6 6 -140 0 6 6 6
OK ZACH-PC/services 5 6 7 0 1 6 6 6
OK ZACH-PC/ccSvcHst 58 59 59 20 1 59 59 58
OK ZACH-PC/dwm 3 3 4 0 0 3 3 3
OK ZACH-PC/lsm 9 9 10 20 1 9 9 9
OK ZACH-PC/cmd 1 1 1 -40 0 1 1 1
OK ZACH-PC/mmc 13 14 15 20 1 14 14 14
Alerts
Time Range
2007.08.14-
15:41:38 - Hourly
2007.08.14- Trend
15:42:38
Increasing trend of more \\ZACH- 17 17 17 180
than 100 threads per hour PC\Process(SearchIndexer)\Thread
- may not be accurate on Count

counter logs of less than 1
hour
Increasing trend of more
than 100 threads per hour

\\ZACH-PC\Process(lsass)\Thread
- may not be accurate on 11 11 11 180
Count
hour

\\ZACH-PC\Process(taskeng)\Thread
Count
hour

\\ZACH-
PC\Process(svchost#7)\Thread Count
hour
than 100 threads per hour \\ZACH-
- may not be accurate on PC\Process(rundll32#1)\Thread 6 6 6 540
counter logs of less than 1 Count
hour

\\ZACH-PC\Process(rundll32)\Thread
Count
hour

\\ZACH-PC\Process(dwm)\Thread
Count
hour

\\ZACH-PC\Process(mmc)\Thread
Count
hour

15:42:38 -
2007.08.14- Trend
15:43:38
hour

Count
hour
2007.08.14-
15:43:38 - Hourly
2007.08.14- Trend
15:44:38
- may not be accurate on PC\Process(SearchIndexer)\Thread 18 18 18 120
hour
hour

Count
hour
2007.08.14-
15:46:38 - Hourly
2007.08.14- Trend
15:47:38
Increasing trend of more \\ZACH-PC\Process(explorer)\Thread 37 37 37 210
than 100 threads per hour Count

- may not be accurate on
hour
Back to the top
Process Working Set

Description: Working Set is the current size, in bytes, of the Working Set of a process. The Working Set is the set
of memory pages touched recently by the threads in the process. It is the amount of RAM consumed by each
process. If available physical memory (RAM) in the computer is above a threshold, pages are left in the Working
Set of a process longer. When available memory falls below a threshold, pages are trimmed from Working Sets
more frequently than when not in a low available memory condition. If the trimmed page are still in RAM, but not
in the processes working set (due to being trimmed), then some of them may be soft-faulted (RAM to RAM) back
into the Working Set.
This analysis checks for an increasing trend of 100 MB or more per hour in all of the processes combined. This
could be an aggressive working set (RAM usage) leak, but keep in mind that this is only tracking the amount of
RAM used by all of the processes and does not include committed memory that has trimmed from the working set.
This is generally why Private Bytes is a better counter to use for general memory leaks. With that said, Working
Set is a helpful counter to have when analyzing low physical memory conditions that might be induced by page
locking which can preven the virtual memory manager from trimming. Use this analysis in correlation with
Available Memory Analysis.
Reference:
The Case of the Out of Memory BizTalk Server

10% of 20% of 30% of
\Process(*)\Working Std
Set Deviation
OK ZACH-PC/SearchIndexer 2,670,592 5,842,758 9,207,808 -50,790,400 1,820,773 5,506,253 5,373,042 5,210,112
OK ZACH-PC/SLsvc 430,080 937,612 3,080,192 -53,002,240 848,346 723,354 630,329 514,048
-
OK ZACH-PC/PowerStarter 65,740,800 65,740,800 65,740,800 0 65,740,800 65,740,800 65,740,800
1,314,816,020
OK ZACH-PC/System 188,416 309,807 786,432 -10,977,280 171,458 262,144 247,580 232,448
OK ZACH-PC/ApntEx 450,560 523,171 663,552 -2,293,760 62,445 509,133 504,718 499,200
OK ZACH-PC/smss 86,016 86,016 86,016 0 0 86,016 86,016 86,016
OK ZACH-PC/csrss#1 2,236,416 2,634,473 3,751,936 -26,542,080 434,816 2,522,726 2,474,894 2,419,712
OK ZACH-PC/csrss 1,044,480 1,140,177 1,556,480 -9,338,880 140,264 1,098,547 1,094,542 1,090,560
OK ZACH-PC/lsass 1,155,072 1,800,751 2,080,768 -9,420,800 311,120 1,772,749 1,738,524 1,698,304
OK ZACH-PC/ccApp 544,768 1,692,765 3,403,776 47,431,680 924,251 1,521,664 1,334,841 1,249,280
OK ZACH-PC/spoolsv 479,232 825,903 1,544,192 -9,748,480 342,732 754,074 720,441 678,400
OK ZACH-PC/taskeng#1 1,638,400 2,577,873 4,190,208 -46,530,560 1,122,572 2,416,640 2,220,942 1,978,880
OK ZACH-PC/taskmgr 3,649,536 4,202,868 5,931,008 -43,663,360 773,965 4,030,054 3,921,237 3,785,728
OK ZACH-PC/Apoint 475,136 579,770 868,352 -6,717,440 119,395 550,912 530,660 522,752
OK ZACH-PC/wininit 139,264 141,498 155,648 -327,680 4,971 140,083 139,719 139,264
OK ZACH-PC/audiodg 3,149,824 6,539,450 8,130,560 655,360 1,904,073 6,380,339 6,240,028 6,068,736
OK ZACH-PC/svchost#12 364,544 560,780 1,515,520 -23,019,520 356,679 465,306 430,990 388,096
OK ZACH-PC/svchost#11 151,552 217,460 593,920 -8,847,360 133,060 179,814 170,212 158,208
OK ZACH-PC/svchost#10 143,360 161,233 237,568 -1,884,160 29,835 153,600 150,642 146,944
OK ZACH-PC/svchost#9 450,560 710,470 1,929,216 -29,573,120 459,732 588,595 544,313 488,960
OK ZACH-PC/svchost#5 7,860,224 8,428,823 12,488,704 -91,013,120 1,354,390 8,022,835 7,992,206 7,969,280
OK ZACH-PC/svchost 1,662,976 1,824,582 2,416,640 -12,206,080 203,439 1,765,376 1,760,825 1,755,136
OK ZACH-PC/Idle 28,672 28,672 28,672 0 0 28,672 28,672 28,672
OK ZACH-PC/sidebar 638,976 808,774 1,191,936 -7,782,400 144,565 770,458 761,856 751,616
OK ZACH-PC/XAudio 126,976 129,210 151,552 -491,520 7,410 126,976 126,976 126,976
OK ZACH-PC/AppSvc32 933,888 5,404,486 34,508,800 17,121,280 9,687,564 2,494,054 2,438,485 2,369,024
OK ZACH-PC/rundll32#1 9,990,144 13,018,112 15,470,592 -199,802,900 2,265,211 12,200,619 12,200,619 12,200,619
OK ZACH-PC/rundll32 2,969,600 4,767,744 8,740,864 -110,919,680 2,595,846 4,370,432 3,888,014 3,300,352

OK ZACH-PC/MSASCui 434,176 1,108,154 2,678,784 -39,321,600 679,001 951,091 873,813 777,216
ZACH-
OK 339,968 925,696 1,159,168 -13,434,880 294,753 902,349 874,724 849,920
PC/AluSchedulerSvc
OK ZACH-PC/PowerDVD 14,254,080 14,254,080 14,254,080 -285,081,620 0 14,254,080 14,254,080 14,254,080
OK ZACH-PC/explorer 14,544,896 20,644,957 27,312,128 73,236,480 5,404,725 19,978,240 19,283,058 18,415,104
ZACH-
OK 5,029,888 5,271,552 5,513,216 -110,264,340 341,765 5,029,888 5,029,888 5,513,216
PC/SearchFilterHost
-
2,045,296,660
OK ZACH-PC/ApMsgFwd 188,416 200,704 245,760 -1,146,880 19,212 196,198 193,877 190,976
OK ZACH-PC/WmiPrvSE 3,350,528 4,086,170 5,632,000 -112,640,020 997,427 3,699,712 3,699,712 3,699,712
OK ZACH-PC/symlcsvc 221,184 224,163 229,376 -163,840 4,133 223,642 223,004 222,208
OK ZACH-PC/RichVideo 139,264 186,927 425,984 -5,734,400 87,357 163,021 156,103 147,456
ZACH-
OK 7,467,008 7,907,328 8,347,648 -166,952,980 622,707 7,467,008 7,467,008 8,347,648
OK ZACH-PC/wmpnscfg 266,240 438,644 720,896 -4,915,200 123,798 410,419 403,228 394,240
OK ZACH-PC/services 1,613,824 2,025,658 2,310,144 -3,522,560 199,180 1,997,210 1,982,009 1,964,032
OK ZACH-PC/wmpnetwk 1,953,792 2,195,828 3,239,936 -23,838,720 409,962 2,091,418 2,026,610 1,992,704
OK ZACH-PC/ccSvcHst 2,166,784 4,377,879 6,017,024 -56,197,120 958,653 4,213,965 4,119,666 4,012,544
OK ZACH-PC/winlogon 204,800 340,340 921,600 -14,336,000 227,956 282,214 258,048 227,840
OK ZACH-PC/dwm 827,392 1,123,421 1,232,896 8,028,160 149,008 1,112,474 1,099,548 1,083,392
OK ZACH-PC/lsm 557,056 850,479 950,272 245,760 146,202 840,499 831,033 819,200
OK ZACH-PC/cmd 1,867,776 1,867,776 1,867,776 -37,355,540 0 1,867,776 1,867,776 1,867,776
OK ZACH-PC/mmc 9,375,744 11,694,825 14,614,528 -66,682,880 2,038,594 11,402,854 11,055,104 10,745,344
Alerts
Time Range
2007.08.14-
15:41:38 -
2007.08.14-
15:42:38
Increasing \\ZACH- 13,156,352 13,156,352 13,156,352 569,917,440
trend of PC\Process(rundll32#1)\Working
more than
100 MB
per hour -
may not
be
Set
accurate
on counter
logs of less
than 1
hour
Increasing
trend of
more than
100 MB
per hour -
may not \\ZACH-

14,532,608 14,532,608 14,532,608 179,896,320
be PC\Process(mmc)\Working Set
accurate
on counter
logs of less
than 1
hour
2007.08.14-
15:42:38 -
2007.08.14-
15:43:38
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(rundll32#1)\Working 13,455,360 13,455,360 13,455,360 311,869,440
be
Set
accurate
on counter
logs of less
than 1
hour
2007.08.14- Condition Counter Min Avg Max Hourly Trend

15:43:38 -
2007.08.14-
15:44:38
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(AppSvc32)\Working 34,508,800 34,508,800 34,508,800 1,942,241,280
be
Set
accurate
on counter
logs of less
than 1
hour
Increasing
trend of
more than
100 MB
per hour -
\\ZACH-
may not
PC\Process(rundll32#1)\Working 15,470,592 15,470,592 15,470,592 328,826,880
be
Set
accurate
on counter
logs of less
than 1
hour
2007.08.14-
15:44:38 -
2007.08.14-
15:45:38
Increasing \\ZACH- 3,403,776 3,403,776 3,403,776 115,752,960
trend of PC\Process(ccApp)\Working Set
more than
100 MB
per hour -
may not
be
accurate
on counter
logs of less
than 1
hour
Back to the top
Process % Processor Time

Description: This analysis checks all of the processes to determine if any of the processes are consuming a large
amount of CPU.
If a user-mode processor bottleneck is suspected, then consider using a process profiler to analyze the functions
causing the high CPU consumption. See How To: Identify Functions causing a High User-mode CPU Bottleneck for
Server Applications in a Production Environment article in the references section for more information.
Role Specific
- \Process(MSExchangeMailboxAssistants*)\% Processor Time should be less than 5% of overll CPU
- \Process(msftefd*)\% Processor Time should be less than 10% of what the store process is consuming. Note: If
indexing is running and overall CPU is greater than 80%, then msfte should backoff it's CPU usage if that threshold
is hit.
References:
Measuring .NET Application Performance
http://msdn2.microsoft.com/en-us/library/ms998579.aspx
How To: Identify Functions causing a High User-mode CPU Bottleneck for Server Applications in a Production
Environment http://www.codeplex.com/PerfTesting/Wiki/View.aspx?title=How%20To%3a%20Identify%20a
%20Disk%20Performance%20Bottleneck%20Using%20SPA&referringTitle=How%20Tos
10% of 20% of 30% of
\Process(*)\% Hourly Std
Processor Time Trend Deviation
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/SearchIndexer
OK ZACH-PC/PowerStarter 0 0 0 0 0 0 0 0
OK ZACH-PC/System 0 2 3 -40 1 1 1 1
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 0 1 1 -20 0 1 1 1
OK ZACH-PC/csrss 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsass 0 0 0 -20 0 0 0 0
OK ZACH-PC/ccApp 0 0 0 -20 0 0 0 0
OK ZACH-PC/taskeng#1 0 0 0 0 0 0 0 0
OK ZACH-PC/taskeng 4 5 6 -20 1 5 5 5
OK ZACH-PC/taskmgr 3 4 6 -40 1 4 4 4
OK ZACH-PC/Apoint 0 0 0 -20 0 0 0 0
OK ZACH-PC/audiodg 0 1 1 -40 1 1 1 1
OK ZACH-PC/svchost 0 1 2 -40 1 1 1 1
OK ZACH-PC/sidebar 0 0 0 -20 0 0 0 0
OK ZACH-PC/AppSvc32 0 1 3 -80 2 0 0 3
OK ZACH-PC/rundll32#1 3 7 13 -100 5 4 4 4
OK ZACH-PC/rundll32 0 0 0 -20 0 0 0 0
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/AluSchedulerSvc
OK ZACH-PC/PowerDVD 0 0 0 0 0 0 0 0
ZACH-
OK 0 0 0 0 0 0 0 0
PC/SearchFilterHost
OK ZACH-PC/Solitaire 0 0 0 0 0 0 0 0
OK ZACH-PC/ApMsgFwd 0 0 1 -20 0 0 0 0
ZACH-
OK 0 0 0 -20 0 0 0 0
OK ZACH-PC/dwm 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
OK ZACH-PC/mmc 2 7 36 0 10 3 3 3
Alerts
No Alerts Found
Back to the top
Process Virtual Bytes

Description: This analysis determines if any of the processes are consuming too much of their respective virtual
address space. 32-bit processes, by default, can only access up to 2 GB of virtual address space. If the process is
close to this maximum, then it commonly results in an out of memory error. If a process is close to it's respective
maximum, then consider migrating the application to 64-bit which has 8 TB or more virtual address space. It is
important that processes have plenty of virtual address space.
Note: This analysis assumes that all processes are 32-bit on 32-bit Windows and Windows Server and assumes
that all processes are 64-bit on 64-bit Windows and Windows Server.
10% of 20% of 30% of
\Process(*)\Virtual Std
Bytes Deviation
ZACH-
OK 106,590,208 107,233,280 107,638,784 14,663,680 264,926 107,192,730 107,163,648 107,143,680
PC/SearchIndexer
OK ZACH-PC/SLsvc 42,328,064 42,328,064 42,328,064 0 0 42,328,064 42,328,064 42,328,064
OK ZACH-PC/PowerStarter 146,935,808 146,935,808 146,935,808 - 0 146,935,808 146,935,808 146,935,808

2,938,716,180
OK ZACH-PC/System 13,701,120 13,701,120 13,701,120 0 0 13,701,120 13,701,120 13,701,120
OK ZACH-PC/ApntEx 40,755,200 40,755,572 40,759,296 0 1,235 40,755,200 40,755,200 40,755,200
OK ZACH-PC/smss 4,538,368 4,538,368 4,538,368 0 0 4,538,368 4,538,368 4,538,368
OK ZACH-PC/csrss#1 105,836,544 110,135,482 147,820,544 -824,524,800 12,502,818 106,366,976 106,341,717 106,310,144
OK ZACH-PC/csrss 82,202,624 82,256,244 82,333,696 -1,310,720 49,202 82,248,499 82,239,033 82,235,392
OK ZACH-PC/lsass 38,617,088 38,640,919 38,879,232 0 79,039 38,617,088 38,617,088 38,617,088
OK ZACH-PC/ccApp 90,042,368 90,113,862 90,304,512 5,242,880 122,447 90,094,797 90,071,495 90,042,368
OK ZACH-PC/spoolsv 70,729,728 70,777,391 71,254,016 0 158,079 70,729,728 70,729,728 70,729,728
OK ZACH-PC/taskeng#1 37,797,888 37,940,876 38,322,176 -10,485,760 215,010 37,902,746 37,856,142 37,830,656
OK ZACH-PC/taskmgr 46,157,824 46,625,513 46,960,640 16,056,320 209,736 46,592,000 46,580,167 46,565,376
OK ZACH-PC/Apoint 46,653,440 46,653,440 46,653,440 0 0 46,653,440 46,653,440 46,653,440
OK ZACH-PC/wininit 25,350,144 25,350,144 25,350,144 0 0 25,350,144 25,350,144 25,350,144
OK ZACH-PC/audiodg 40,235,008 40,647,587 41,545,728 20,971,520 368,171 40,557,773 40,497,152 40,464,384
OK ZACH-PC/svchost 30,859,264 31,002,252 31,121,408 0 136,900 30,990,336 30,975,772 30,957,568
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/sidebar 58,621,952 58,621,952 58,621,952 0 0 58,621,952 58,621,952 58,621,952
OK ZACH-PC/XAudio 22,904,832 22,904,832 22,904,832 0 0 22,904,832 22,904,832 22,904,832
OK ZACH-PC/AppSvc32 96,038,912 97,419,264 111,222,784 0 4,578,110 96,038,912 96,038,912 96,038,912
OK ZACH-PC/rundll32#1 71,811,072 81,627,136 97,787,904 - 11,225,742 76,240,213 76,240,213 76,240,213

1,436,221,460
OK ZACH-PC/rundll32 60,882,944 61,121,257 61,145,088 5,242,880 79,039 61,118,874 61,115,961 61,112,320
OK ZACH-PC/MSASCui 71,770,112 71,770,112 71,770,112 0 0 71,770,112 71,770,112 71,770,112
ZACH-
OK 42,012,672 42,012,672 42,012,672 0 0 42,012,672 42,012,672 42,012,672
PC/AluSchedulerSvc
-
OK ZACH-PC/PowerDVD 98,390,016 98,390,016 98,390,016 0 98,390,016 98,390,016 98,390,016
1,967,800,340
OK ZACH-PC/explorer 185,966,592 191,387,089 210,993,152 -19,578,880 6,687,799 189,426,483 189,162,837 188,834,304
ZACH- -
OK 52,260,864 52,260,864 52,260,864 0 52,260,864 52,260,864 52,260,864
PC/SearchFilterHost 1,045,217,300
-
4,489,707,540
OK ZACH-PC/ApMsgFwd 26,898,432 26,898,432 26,898,432 0 0 26,898,432 26,898,432 26,898,432
OK ZACH-PC/WmiPrvSE 34,062,336 36,291,379 41,140,224 -691,732,500 2,954,486 35,079,168 35,079,168 35,079,168
OK ZACH-PC/symlcsvc 33,136,640 33,136,640 33,136,640 0 0 33,136,640 33,136,640 33,136,640
OK ZACH-PC/RichVideo 41,926,656 41,926,656 41,926,656 0 0 41,926,656 41,926,656 41,926,656
ZACH- -
OK 59,392,000 59,392,000 59,392,000 0 59,392,000 59,392,000 59,392,000
PC/SearchProtocolHost 1,187,840,020
OK ZACH-PC/wmpnscfg 31,432,704 31,432,704 31,432,704 0 0 31,432,704 31,432,704 31,432,704
OK ZACH-PC/services 25,575,424 25,885,231 26,099,712 0 158,079 25,863,782 25,837,568 25,804,800
OK ZACH-PC/wmpnetwk 115,716,096 115,716,096 115,716,096 0 0 115,716,096 115,716,096 115,716,096
OK ZACH-PC/ccSvcHst 120,348,672 120,515,491 120,610,816 5,242,880 132,258 120,505,958 120,494,308 120,479,744
OK ZACH-PC/winlogon 32,710,656 32,710,656 32,710,656 0 0 32,710,656 32,710,656 32,710,656
OK ZACH-PC/dwm 32,251,904 32,323,398 32,514,048 0 122,447 32,304,333 32,281,031 32,251,904
OK ZACH-PC/lsm 14,434,304 14,529,629 14,696,448 5,242,880 132,258 14,512,947 14,492,558 14,467,072
OK ZACH-PC/cmd 15,806,464 15,806,464 15,806,464 -316,129,300 0 15,806,464 15,806,464 15,806,464
OK ZACH-PC/mmc 87,715,840 89,388,497 89,755,648 34,242,560 570,478 89,351,782 89,311,915 89,264,640
Alerts
No Alerts Found
Back to the top

Process IO Data Operations/sec
Description: The rate at which the process is issuing read and write IO data operations. This counter counts all IO
activity generated by the process to include file, network and device IO. These IO operations are often, but not
always related to disk and/or network IO.

10% of 20% of 30% of
\Process(*)\IO Data Hourly Std
Operations/sec Trend Deviation
ZACH-
OK 1 1 1 -40 0 1 1 1
PC/SearchIndexer
OK ZACH-PC/System 1 2 3 0 0 2 2 2
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 33 52 74 260 12 50 48 47
OK ZACH-PC/csrss 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsass 6 11 25 20 5 9 9 8
OK ZACH-PC/ccApp 0 0 0 0 0 0 0 0
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
More than ZACH-PC/AppSvc32 937 937 937 -18,760 0 937 937 937
100 data IO
operations
(network,
disk, or
device IO)
per second
OK ZACH-PC/rundll32#1 0 0 0 -20 0 0 0 0
OK ZACH-PC/rundll32 0 0 0 0 0 0 0 0
ZACH-
OK 1 1 1 -40 0 1 1 1
PC/AluSchedulerSvc
ZACH-
OK 0 0 0 0 0 0 0 0
PC/SearchFilterHost
ZACH-
OK 0 0 0 -20 0 0 0 0
OK ZACH-PC/dwm 0 0 0 0 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
OK ZACH-PC/mmc 1 1 1 0 0 1 1 1
Alerts
Time Range
2007.08.14-
15:40:38 - Hourly
2007.08.14- Trend
15:41:38
More than 100 data IO \\ZACH-
operations (network, disk, PC\Process(AppSvc32)\IO Data 937 937 937 0
or device IO) per second Operations/sec
Back to the top
Process IO Other Operations/sec

Description: The rate at which the process is issuing IO other operations that are neither read nor write
operations (for example, a control function). This counter counts all IO activity generated by the process to include
file, network and device IO.
10% of 20% of 30% of
\Process(*)\IO Other Hourly Std
OK ZACH-PC/SearchIndexer 0 2 8 -40 3 1 0 0
OK ZACH-PC/ApntEx 22 118 193 1,800 51 110 103 96
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 0 4 8 -80 3 3 3 3
OK ZACH-PC/csrss 1 1 3 -40 1 1 1 1
OK ZACH-PC/lsass 5 10 22 0 5 8 8 7
OK ZACH-PC/taskmgr 137 155 161 -120 7 154 154 153
OK ZACH-PC/audiodg 0 33 68 -1,240 36 21 21 21
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/AppSvc32 0 4 9 -200 6 0 0 9
OK ZACH-PC/rundll32#1 3 26 59 -300 30 9 9 9
ZACH-
OK 0 4 7 -160 4 2 2 2
PC/AluSchedulerSvc
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/SearchFilterHost
ZACH-
OK 1 1 1 -40 0 1 1 1
OK ZACH-PC/dwm 0 0 0 0 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
OK ZACH-PC/mmc 17 21 23 0 2 21 21 21
Alerts
No Alerts Found
Back to the top
Process ID Process
Description: ID Process is the unique identifier of this process. ID Process numbers are reused, so they only
identify a process for the lifetime of that process.

10% of 20% of 30% of
\Process(*)\ID Hourly Std
Process Trend Deviation
No ZACH-
2,180 2,180 2,180 0 0 2,180 2,180 2,180
Thresholds PC/SearchIndexer
No
ZACH-PC/SLsvc 1,032 1,032 1,032 0 0 1,032 1,032 1,032
Thresholds
No
ZACH-PC/PowerStarter 3,472 3,472 3,472 -69,460 0 3,472 3,472 3,472
Thresholds
No
ZACH-PC/System 4 4 4 0 0 4 4 4
Thresholds
No
ZACH-PC/ApntEx 3,748 3,748 3,748 0 0 3,748 3,748 3,748
Thresholds
No
ZACH-PC/smss 304 304 304 0 0 304 304 304
Thresholds
No
ZACH-PC/csrss#1 416 416 416 0 0 416 416 416
Thresholds
No
ZACH-PC/csrss 368 368 368 0 0 368 368 368
Thresholds
No
ZACH-PC/lsass 512 512 512 0 0 512 512 512
Thresholds
No
ZACH-PC/ccApp 2,776 2,776 2,776 0 0 2,776 2,776 2,776
Thresholds
No
ZACH-PC/spoolsv 1,560 1,560 1,560 0 0 1,560 1,560 1,560
Thresholds
No
ZACH-PC/taskeng#1 2,520 2,520 2,520 0 0 2,520 2,520 2,520
Thresholds
No
ZACH-PC/taskeng 1,832 1,832 1,832 0 0 1,832 1,832 1,832
Thresholds
No
ZACH-PC/taskmgr 3,764 3,764 3,764 0 0 3,764 3,764 3,764
Thresholds
No
ZACH-PC/Apoint 2,768 2,768 2,768 0 0 2,768 2,768 2,768
Thresholds
No
ZACH-PC/wininit 408 408 408 0 0 408 408 408
Thresholds
No
ZACH-PC/audiodg 1,004 1,004 1,004 0 0 1,004 1,004 1,004
Thresholds
No
ZACH-PC/svchost#12 2,124 2,124 2,124 0 0 2,124 2,124 2,124
Thresholds
No
ZACH-PC/svchost#11 2,088 2,088 2,088 0 0 2,088 2,088 2,088
Thresholds
No
ZACH-PC/svchost#10 1,816 1,816 1,816 0 0 1,816 1,816 1,816
Thresholds
No
ZACH-PC/svchost#9 1,788 1,788 1,788 0 0 1,788 1,788 1,788
Thresholds
No
ZACH-PC/svchost#8 1,584 1,584 1,584 0 0 1,584 1,584 1,584
Thresholds
No
ZACH-PC/svchost#7 1,224 1,224 1,224 0 0 1,224 1,224 1,224
Thresholds
No
ZACH-PC/svchost#6 1,092 1,092 1,092 0 0 1,092 1,092 1,092
Thresholds
No
ZACH-PC/svchost#5 928 928 928 0 0 928 928 928
Thresholds
No
ZACH-PC/svchost#4 916 916 916 0 0 916 916 916
Thresholds
No
ZACH-PC/svchost#3 892 892 892 0 0 892 892 892
Thresholds
No
ZACH-PC/svchost#2 760 760 760 0 0 760 760 760
Thresholds
No
ZACH-PC/svchost#1 732 732 732 0 0 732 732 732
Thresholds
No
ZACH-PC/svchost 672 672 672 0 0 672 672 672
Thresholds
No
ZACH-PC/Idle 0 0 0 0 0 0 0 0
Thresholds
No
ZACH-PC/sidebar 2,800 2,800 2,800 0 0 2,800 2,800 2,800
Thresholds
No
ZACH-PC/XAudio 2,332 2,332 2,332 0 0 2,332 2,332 2,332
Thresholds
No
ZACH-PC/AppSvc32 1,444 1,444 1,444 0 0 1,444 1,444 1,444
Thresholds
No
ZACH-PC/rundll32#1 580 1,265 3,320 -66,420 1,370 580 580 580
Thresholds
No
ZACH-PC/rundll32 2,624 2,624 2,624 0 0 2,624 2,624 2,624
Thresholds
No
ZACH-PC/MSASCui 2,756 2,756 2,756 0 0 2,756 2,756 2,756
Thresholds
No ZACH-
1,868 1,868 1,868 0 0 1,868 1,868 1,868
Thresholds PC/AluSchedulerSvc
No
ZACH-PC/PowerDVD 3,264 3,264 3,264 -65,300 0 3,264 3,264 3,264
Thresholds
No
ZACH-PC/explorer 1,948 1,948 1,948 0 0 1,948 1,948 1,948
Thresholds
No ZACH-
1,040 1,040 1,040 -20,820 0 1,040 1,040 1,040
Thresholds PC/SearchFilterHost
No
ZACH-PC/Solitaire 3,984 3,984 3,984 -79,700 0 3,984 3,984 3,984
Thresholds
No
ZACH-PC/ApMsgFwd 3,200 3,200 3,200 0 0 3,200 3,200 3,200
Thresholds
No
ZACH-PC/WmiPrvSE 3,880 3,880 3,880 -77,620 0 3,880 3,880 3,880
Thresholds
No
ZACH-PC/symlcsvc 3,948 3,948 3,948 0 0 3,948 3,948 3,948
Thresholds
No
ZACH-PC/RichVideo 1,616 1,616 1,616 0 0 1,616 1,616 1,616
Thresholds
No ZACH-
2,852 2,852 2,852 -57,060 0 2,852 2,852 2,852
Thresholds PC/SearchProtocolHost
No
ZACH-PC/wmpnscfg 2,808 2,808 2,808 0 0 2,808 2,808 2,808
Thresholds
No
ZACH-PC/services 484 484 484 0 0 484 484 484
Thresholds
No
ZACH-PC/wmpnetwk 3,240 3,240 3,240 0 0 3,240 3,240 3,240
Thresholds
No
ZACH-PC/ccSvcHst 1,364 1,364 1,364 0 0 1,364 1,364 1,364
Thresholds
No
ZACH-PC/winlogon 464 464 464 0 0 464 464 464
Thresholds
No
ZACH-PC/dwm 1,892 1,892 1,892 0 0 1,892 1,892 1,892
Thresholds
No
ZACH-PC/lsm 520 520 520 0 0 520 520 520
Thresholds
No
ZACH-PC/cmd 1,348 1,348 1,348 -26,980 0 1,348 1,348 1,348
Thresholds
No
ZACH-PC/mmc 3,852 3,852 3,852 0 0 3,852 3,852 3,852
Thresholds
Alerts
No Alerts Found
Back to the top
Process IO Read Operations/sec

Description: The rate at which the process is issuing read I/O operations. This counter counts all I/O activity
generated by the process to include file, network and device IO.

10% of 20% of 30% of
\Process(*)\IO Read Hourly Std
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 33 52 74 260 12 50 48 47
OK ZACH-PC/csrss 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsass 3 5 13 20 3 5 4 4
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/AppSvc32 937 937 937 -18,760 0 937 937 937
OK ZACH-PC/rundll32#1 0 0 0 -20 0 0 0 0
ZACH-
OK 1 1 1 -40 0 1 1 1
PC/AluSchedulerSvc
ZACH-
OK 0 0 0 0 0 0 0 0
PC/SearchFilterHost
ZACH-
OK 0 0 0 -20 0 0 0 0
OK ZACH-PC/dwm 0 0 0 0 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
OK ZACH-PC/mmc 1 1 1 0 0 1 1 1
Alerts
No Alerts Found
Back to the top
Process IO Write Operations/sec

Description: The rate at which the process is issuing write IO operations. This counter counts all IO activity
generated by the process to include file, network and device IO.

10% of 20% of 30% of
\Process(*)\IO Write Hourly Std
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss 0 0 0 0 0 0 0 0
OK ZACH-PC/lsass 3 5 12 20 3 4 4 4
OK ZACH-PC/ccApp 0 0 0 -20 0 0 0 0
OK ZACH-PC/taskeng 0 0 0 0 0 0 0 0
OK ZACH-PC/Idle 0 0 0 0 0 0 0 0
OK ZACH-PC/AppSvc32 0 0 0 -20 0 0 0 0
OK ZACH-PC/rundll32#1 0 0 0 -20 0 0 0 0
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/AluSchedulerSvc
ZACH-
OK 0 0 0 0 0 0 0 0
PC/SearchFilterHost
ZACH-
OK 0 0 0 -20 0 0 0 0
OK ZACH-PC/dwm 0 0 0 0 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
OK ZACH-PC/mmc 0 0 0 -20 0 0 0 0
Alerts
No Alerts Found
Back to the top
Process % Privileged Time

Description: % Privileged Time is the percentage of elapsed time that the process threads spent executing code in
privileged mode. When a Windows system service is called, the service will often run in privileged mode to gain
access to system-private data. Such data is protected from access by threads executing in user mode. Calls to the
system can be explicit or implicit, such as page faults or interrupts. Unlike some early operating systems, Windows
uses process boundaries for subsystem protection in addition to the traditional protection of user and privileged
modes. Some work done by Windows on behalf of the application might appear in other subsystem processes in
addition to the privileged time in the process.

10% of 20% of 30% of
\Process(*)\% Hourly Std
Privileged Time Trend Deviation
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/SearchIndexer
OK ZACH-PC/System 0 2 3 -40 1 1 1 1
OK ZACH-PC/smss 0 0 0 0 0 0 0 0
OK ZACH-PC/csrss#1 0 1 1 -20 0 1 1 1
OK ZACH-PC/csrss 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsass 0 0 0 -20 0 0 0 0
OK ZACH-PC/ccApp 0 0 0 -20 0 0 0 0
OK ZACH-PC/AppSvc32 0 1 2 -60 1 0 0 2
OK ZACH-PC/rundll32#1 1 2 4 -60 1 1 1 1
OK ZACH-PC/rundll32 0 0 0 -20 0 0 0 0
ZACH-
OK 0 0 0 -20 0 0 0 0
PC/AluSchedulerSvc
ZACH-
OK 0 0 0 0 0 0 0 0
PC/SearchFilterHost
OK ZACH-PC/ApMsgFwd 0 0 1 -20 0 0 0 0
ZACH-
OK 0 0 0 0 0 0 0 0
OK ZACH-PC/wmpnetwk 0 0 0 -20 0 0 0 0
OK ZACH-PC/dwm 0 0 0 -20 0 0 0 0
OK ZACH-PC/lsm 0 0 0 0 0 0 0 0
OK ZACH-PC/cmd 0 0 0 0 0 0 0 0
More than
10% of
overall ZACH-PC/mmc 1 5 34 0 10 1 1 1
kernel mode
time
Alerts
Time Range
2007.08.14-15:40:38 - Hourly
2007.08.14-15:41:38 Trend
More than 20% of \\ZACH-PC\Processor(_Total)\% 82 82 82 0
overall kernel mode Processor Time

time
More than 20% of

overall kernel mode 82 82 82 0
Processor Time
time
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
More than 20% of

Processor Time
time
More than 20% of

Processor Time
time
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
More than 10% of

\\ZACH-PC\Process(mmc)\%
overall kernel mode 34 34 34 1,440
Privileged Time
time
Back to the top
Processor
Processor % Processor Time

Description: % Processor Time is the percentage of elapsed time that the processor spends to execute a non-
Idle thread. It is calculated by measuring the duration of the idle thread is active in the sample interval, and
subtracting that time from interval duration. This counter is the primary indicator of processor activity, and displays
the average percentage of busy time observed during the sample interval. % Processor Time is the sum of %
User Time and % Privileged Time unless there is hardware involvement in the form of interupts and/or DPCs.
This analysis creates a Warning alert for utilization greater than 50% on any processor and creates a critical alert
for utilization greater than 80%.
If average processor utilization is high based on the thresholds witin this analysis, then check if it is high user
mode CPU or high privileged mode. If high privileged mode CPU is suspected, then see the Privileged Mode CPU
Analysis. If a user-mode processor bottleneck is suspected, then consider using a process profiler to analyze the
functions causing the high CPU consumption. See How To: Identify Functions causing a High User-mode CPU
Bottleneck for Server Applications in a Production Environment article in the references section for more
information.
References:
How To: Identify Functions causing a High User-mode CPU Bottleneck for Server Applications in a
Production Environment
10% of 20% of 30% of
\Processor(*)\% Hourly Std
Processor Time Trend Deviation
More than
80%
ZACH-PC/_Total 20 47 87 -1,140 24 43 38 35
processor
utilization
More than
80%
ZACH-PC/0 20 47 87 -1,140 24 43 38 35
processor
utilization
Alerts
Time Range
2007.08.14-15:40:38 - Hourly
2007.08.14-15:41:38 Trend
More than 80% \\ZACH-PC\Processor(_Total)\%

82 82 82 0
processor utilization Processor Time
More than 80% \\ZACH-PC\Processor(0)\%

82 82 82 0
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend

87 87 87 900

87 87 87 900
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend

57 57 57 -1,500

57 57 57 -1,500
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend

60 60 60 -990

60 60 60 -990
Back to the top
Processor % Privileged Time

Description: This counter indicates the percentage of time a thread runs in privileged mode also known as kernel
mode. When your application calls operating system functions (for example to perform file or network I/O or to
allocate memory), these operating system functions are executed in privileged mode.
High privileged mode CPU indicates that computer is spending too much time in system I/O versus real (user
mode) work. % Privileged Time is the percentage of elapsed time that the process threads spent executing code in
privileged mode. When a Windows system service in called, the service will often run in privileged mode to gain
access to system-private data. Such data is protected from access by threads executing in user mode. Calls to the
system can be explicit or implicit, such as page faults or interrupts. Unlike some early operating systems, Windows
uses process boundaries for subsystem protection in addition to the traditional protection of user and privileged
modes. Some work done by Windows on behalf of the application might appear in other subsystem processes in
addition to the privileged time in the process.
This analysis throws a warning alert if privileged mode CPU is consuming more than 20% of total CPU and a critical
alert if consuming More than 30% of total CPU.
Next steps
The CPU consumption might be caused by another busy resource such as network, memory, or disk I/O. High
privileged mode CPU can also by caused by high amounts of Context Switches/second. See the High Context
Switches/second analysis. The KernRate (KrView) tool can be used to profile the kernel to see what component is
consuming the most kernel resources. To see more information about how KernRate can be used to analyze high
priviledge mode CPU problems, see Mark Russinovich's blog entry in the references section below.
References:
Mark's Blog : The Case of the System Process CPU Spikes

10% of 20% of 30% of
Privileged Time Trend Deviation
More than
30%
privileged ZACH-PC/_Total 15 30 53 -520 14 28 26 23
(kernel) mode
CPU usage
More than
30%
privileged ZACH-PC/0 15 30 53 -520 14 28 26 23
(kernel) mode
CPU usage
Alerts
Time Range
2007.08.14-15:40:38 - Hourly
2007.08.14-15:41:38 Trend
More than 30%

privileged (kernel) mode 44 44 44 0
Privileged Time
CPU usage
More than 30%

Privileged Time
CPU usage
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
More than 30%

Privileged Time
CPU usage
More than 30%

Privileged Time
CPU usage
2007.08.14-15:42:38 - Hourly
2007.08.14-15:43:38 Trend
More than 20%

privileged (kernel) mode 30 30 30 -1,260
Privileged Time
CPU usage
More than 20%

privileged (kernel) mode 30 30 30 -1,260
Privileged Time
CPU usage
2007.08.14-15:43:38 - Hourly
2007.08.14-15:44:38 Trend
More than 30% \\ZACH-PC\Processor(_Total)\% 34 34 34 -600

privileged (kernel) mode
Privileged Time
CPU usage
More than 30%

privileged (kernel) mode 34 34 34 -600
Privileged Time
CPU usage
2007.08.14-15:44:38 - Hourly
2007.08.14-15:45:38 Trend
More than 30%

Privileged Time
CPU usage
More than 30%

Privileged Time
CPU usage
2007.08.14-15:45:38 - Hourly
2007.08.14-15:46:38 Trend
More than 20%

Privileged Time
CPU usage
More than 20%

Privileged Time
CPU usage
Back to the top
Processor % Interrupt Time

Description: % Interrupt Time is the time the processor spends receiving and servicing hardware interrupts
during sample intervals. This value is an indirect indicator of the activity of devices that generate interrupts, such
as the system clock, the mouse, disk drivers, data communication lines, network interface cards and other
peripheral devices. These devices normally interrupt the processor when they have completed a task or require
attention. Normal thread execution is suspended during interrupts. Most system clocks interrupt the processor
every 10 milliseconds, creating a background of interrupt activity. A dramatic increase in this counter indicates
potential hardware problems.
This analysis checks for % Interrupt Time greater than 30%. If this occurs, then consider updating devices drivers
for hardware that correlates to this alert.
References:
http://msdn2.microsoft.com/en-us/library/ms998579.aspx
10% of 20% of 30% of
Interrupt Time Trend Deviation
OK ZACH-PC/_Total 0 0 1 -20 0 0 0 0
OK ZACH-PC/0 0 0 1 -20 0 0 0 0
Alerts
No Alerts Found
Back to the top
Processor % DPC Time

Description: % DPC Time is the percentage of time that the processor spent receiving and servicing deferred
procedure calls (DPCs) during the sample interval. DPCs are interrupts that run at a lower priority than standard
interrupts. % DPC Time is a component of % Privileged Time because DPCs are executed in privileged mode. They
are counted separately and are not a component of the interrupt counters. This counter displays the average busy
time as a percentage of the sample time.

10% of 20% of 30% of
DPC Time Trend Deviation
OK ZACH-PC/_Total 0 0 1 0 0 0 0 0
OK ZACH-PC/0 0 0 1 0 0 0 0 0
Alerts
No Alerts Found
Back to the top
Processor % User Time

Description: % User Time is the percentage of elapsed time the processor spends in the user mode. User mode
is a restricted processing mode designed for applications, environment subsystems, and integral subsystems. The
alternative, privileged mode, is designed for operating system components and allows direct access to hardware
and all memory. The operating system switches application threads to privileged mode to access operating system
services. This counter displays the average busy time as a percentage of the sample time.
This analysis provides statistics only. Threads running on a processor will be in either user mode measured using
% User Time or in priviledge/kernel mode measured using % Privileged Time. High % User Time indicates a
high amount of application code is being executed. This is desirable versus too much time in privileged mode. See
the Processor % Privileged Time analysis for more information.

10% of 20% of 30% of
User Time Trend Deviation
No
ZACH-PC/_Total 5 17 41 -620 13 14 11 10
Thresholds
No
ZACH-PC/0 5 17 41 -620 13 14 11 10
Thresholds
Alerts
No Alerts Found
Back to the top
Processor DPC Rate

Description: DPC Rate is the rate at which deferred procedure calls (DPCs) were added to the processors DPC
queues between the timer ticks of the processor clock. DPCs are interrupts that run at alower priority than
standard interrupts. Each processor has its own DPC queue. This counter measures the rate that DPCs were added
to the queue, not the number of DPCs in the queue. This counter displays the last observed value only; it is not an
average.
10% of 20% of 30% of
\Processor(*)\DPC Hourly Std
Rate Trend Deviation
No
ZACH-PC/_Total 1 4 13 -140 4 3 3 2
Thresholds
No
ZACH-PC/0 1 4 13 -140 4 3 3 2
Thresholds
Alerts
No Alerts Found
Back to the top
System
System Processor Queue Length

Description: Processor Queue Length is the number of threads in the processor queue. Unlike the disk counters,
this counter shows ready threads only, not threads that are running. There is a single queue for processor time
even on computers with multiple processors. Therefore, if a computer has multiple processors, you need to divide
this value by the number of processors servicing the workload. A sustained processor queue of less than 10
threads per processor is normally acceptable, dependent of the workload.
This analysis determines if the average processor queue length exceeds the number of processors. If so, then this
could indicate a processor bottleneck. Use this analysis in correlation with Privileged Mode CPU Analysis and
Excessive Processor Use by Process analysis.
Note: Due to the way in which this counter is collected, ignore this counter and alerts for it when collected from a
virtual computer.
If there are more tasks ready to run than there are processors, threads queue up. The processor queue is the
collection of threads that are ready but not able to be executed by the processor because another active thread is
currently executing. A sustained or recurring queue of more threads than number of processors is a good indication
of a processor bottleneck.
You can use this counter in conjunction with the \Processor\% Processor Time counter to determine if your
application can benefit from more CPUs.
Reference:

10% of 20% of 30% of
\System\Processor Hourly Std
Queue Length Trend Deviation
More than 2 ZACH-PC 1 2 10 -100 3 2 1 1
ready
threads are
queued for
each
processor
Alerts
Time Range
2007.08.14-15:41:38 - Hourly
2007.08.14-15:42:38 Trend
More than 2 ready threads

\\ZACH-PC\System\Processor
are queued for each 10 10 10 1,080
Queue Length
processor
Back to the top
System System Calls/sec

Description: System Calls/sec is the combined rate of calls to operating system service routines by all processes
running on the computer. These routines perform all of the basic scheduling and synchronization of activities on the
computer, and provide access to non-graphic devices, memory management, and name space management. This
counter displays the difference between the values observed in the last two samples, divided by the duration of the
sample interval.
10% of 20% of 30% of
\System\System Hourly Std
Calls/sec Trend Deviation
No -
ZACH-PC 14,743 19,842 32,158 4,879 18,474 17,803 17,558
Thresholds 120,880
Alerts
No Alerts Found
Back to the top
TCPv4
TCPv4 Connection Failures

Description: Connection Failures is the number of times TCP connections have made a direct transition to the
CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have
made a direct transition to the LISTEN state from the SYN-RCVD state.
10% of 20% of 30% of
\TCPv4\Connection Hourly Std
Failures Trend Deviation
OK ZACH-PC 0 0 0 0 0 0 0 0
Alerts
No Alerts Found
Back to the top
Back to the top
Disclaimer: This report was generated using the Performance Analysis of Logs (PAL) tool. The information
provided in this report is provided "as-is" and is intended for information purposes only. The software is
licensed "as-is". You bear the risk of using it. The contributors give no express warranties, guarantees or
conditions. You may have additional consumer rights under your local laws which this license cannot change. To
the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability,
fitness for a particular purpose and non-infringement.

Sampleperfmonlog Pal Analysis 20170906161132

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Sampleperfmonlog Pal Analysis 20170906161132

Загружено:

Авторское право:

Доступные форматы

Analysis of "SamplePerfmonLog.

Alerts by Chronological Order

o 2007.08.14-15:40:38 - 2007.08.14-15:41:38 (Alerts: 7|3)

o 2007.08.14-15:41:38 - 2007.08.14-15:42:38 (Alerts: 7|28)

o 2007.08.14-15:42:38 - 2007.08.14-15:43:38 (Alerts: 1|12)

o 2007.08.14-15:43:38 - 2007.08.14-15:44:38 (Alerts: 6|29)

o 2007.08.14-15:44:38 - 2007.08.14-15:45:38 (Alerts: 6|23)

o 2007.08.14-15:45:38 - 2007.08.14-15:46:38 (Alerts: 1|13)

o 2007.08.14-15:46:38 - 2007.08.14-15:47:38 (Alerts: 1|9)

o 2007.08.14-15:47:38 - 2007.08.14-15:48:38 (Alerts: 1|6)

o 2007.08.14-15:48:38 - 2007.08.14-15:49:38 (Alerts: 4|5)

o 2007.08.14-15:49:38 - 2007.08.14-15:49:58 (Alerts: 1|9)

o LogicalDisk Disk Overwhelmed (Alerts: 1|1)

o LogicalDisk % Free Space (Alerts: 0|0)

o LogicalDisk Avg. Disk sec/Read (Alerts: 3|1)

o LogicalDisk Avg. Disk sec/Write (Alerts: 0|2)

o LogicalDisk Disk Transfers/sec (Stats only)

o LogicalDisk Read/Write Ratio (Stats only)

o LogicalDisk Bytes/Read (Alerts: 0|0)

o LogicalDisk Bytes/Write (Alerts: 0|3)

o LogicalDisk Avg. Disk Queue Length (Alerts: 0|1)

o LogicalDisk Current Disk Queue Length (Alerts: 0|0)

o LogicalDisk Disk Bytes/sec (Stats only)

o LogicalDisk Free Megabytes (Alerts: 0|0)

o LogicalDisk Avg. Disk sec/Transfer (Alerts: 2|1)

o Memory Available MBytes (Alerts: 10| 0)

o Memory Free System Page Table Entries (Alerts: 0|0)

o Memory Pool Non-Paged Bytes (Alerts: 0|0)

o Memory Pool Paged Bytes (Alerts: 0|0)

o Memory Pages/sec (Alerts: 0|0)

o Memory System Cache Resident Bytes (Alerts: 0|0)

o Memory % Committed Bytes In Use (Alerts: 0|0)

o Memory Pages Output/sec (Stats only)

o Memory Transition Pages RePurposed/sec (Stats only)

o Memory Committed Bytes (Stats only)

o Memory Commit Limit (Stats only)

o Memory Free & Zero Page List Bytes (Stats only)

o Memory Pool Paged Resident Bytes (Stats only)

o Network Interface % Network Utilization (Alerts: 0|0)

o Network Interface Output Queue Length (Alerts: 0|0)

o Network Interface % Network Utilization Sent (Alerts: 0|0)

o Network Interface % Network Utilization Received (Alerts: 0|0)

o Network Interface Packets Outbound Errors (Alerts: 0|0)

o Network Interface Bytes Total/sec (Stats only)

o Network Interface Current Bandwidth (Alerts: 0|10)

o Network Interface Packets/sec (Stats only)

o Network Interface Packets Sent/sec (Stats only)

o Network Interface Packets Received/sec (Stats only)

o PhysicalDisk Read Latency Analysis (Alerts: 3|1)

o PhysicalDisk Write Latency Analysis (Alerts: 0|2)

o PhysicalDisk Current Disk Queue Length (Alerts: 0|0)

o PhysicalDisk Avg. Disk Queue Length (Alerts: 0|1)

o PhysicalDisk Disk Bytes/sec (Stats only)

o Process Private Bytes (Alerts: 0|5)

o Process Thread Count (Alerts: 0|14)

o Process Working Set (Alerts: 0|6)

o Process % Processor Time (Alerts: 0|0)

o Process Virtual Bytes (Alerts: 0|0)

o Process IO Data Operations/sec (Alerts: 0| 1)

o Process IO Other Operations/sec (Alerts: 0|0)

o Process ID Process (Stats only)

o Process IO Read Operations/sec (Alerts: 0|0)

o Process IO Write Operations/sec (Alerts: 0|0)

o Process % Privileged Time (Alerts: 4|1)