Cover V07, I09


Optimizing NT Performance

Gilbert Held

A Windows NT computer is similar to other computers with respect to users being able to change hardware and adjust software configurations to enhance computer performance. However, in today's networking environment, it is often difficult to determine whether you really need to add more RAM to your computer, whether your network interface card represents a bottleneck, or whether the size of your paging file is the culprit. Fortunately for Windows NT users, Microsoft includes a utility program, named Performance Monitor, which is available for both workstation and server users. Using Performance Monitor, you can monitor the performance of the computer that the program operates upon as well as other computers on your network. Thus, Performance Monitor assists both performance troubleshooting and capacity planning.

Although this article will primarily focus upon the use of Performance Monitor, it is not the only monitor built into Windows NT. Task Manager can be used as well, to provide statistics concerning memory and CPU usage. Regardless of the monitoring tool used, it is important to use one on a periodic basis. Doing so can provide information to help you note trends and initiate preventative measures to alleviate potential problems.


In this article, I'll examine the use of Performance Monitor provided with Windows NT Version 4.0. However, as a tester of the Windows NT 5.0 beta, I should note that the first beta release of 5.0 uses the NT 4.0 administrative tools, including the current production version of Performance Monitor in modified form. The only significant difference noted between the version of Performance Monitor included in Version 4.0 and the first beta of Version 5.0 concerns the support of objects, a term used by Microsoft to reference system resources. Although the first beta version supports more objects than its predecessor, certain objects that can be extremely useful, such as Logical Disk and Physical Disk, are absent.

Although the most common use of Performance Monitor is to obtain a graphical display of the behavior of different hardware and software elements, it also includes alerting and reporting capabilities. Through Performance Monitor's alert capability you can set thresholds that, when exceeded, will cause information about the event to be recorded. This feature provides the ability to note the occurrence of different predefined events and facilitates your decision process concerning potential changes to hardware and software.

Monitoring Performance

Figure 1 illustrates the initial Performance Monitor screen display after the plus (+) icon in the task bar was selected as a shortcut for adding information elements for monitoring. As previously noted, under Windows NT terminology, an object represents a system resource. Although such common system resources as cache, memory, processor, and network activity are represented as objects, NT also tracks lesser known resources that produce statistical information. Table 1 lists the objects presently capable of being tracked by different versions of Windows NT. Although it might appear awkward that an NT object is named Object, the latter signifies a set of counters that provide the ability to track processes, semaphores, and threads.

In fact, each NT object can be viewed as an overall category for performance measurements for which one or more counters exists, enabling you to track performance of a particular resource. For example, as indicated in Figure 1, there are multiple counters associated with the Processor object, with the counter % Processor Time highlighted. That counter provides an indication of how busy a processor is, and is one of the key metrics that enables you to determine whether performance problems are resulting from activity beyond the processing capability of your computer.

Since various computer resources can be duplicated, the term instance is used to identify objects with two or more components. Examples of objects that can have multiple instances include the processor, if your computer has multiple processors, the network interface when multiple NICs are installed, and the physical disk. Some object types, such as memory, do not have instances. If you have an object with multiple instances, each instance will produce the same set of statistics, since the object counters are applicable to each instance.

In Figure 1, note that you can select the color, scale, line width, and line style for charting a particular object counter. Thus, Performance Monitor provides the ability to customize your charting effort, which can be handy when you wish to visually observe a large number of object counters.

Although NT provides a rich set of counters for most objects, you may need to perform a rapid check of one or a few of these counters to isolate a problem. In certain situations, some counters will provide a better general indication of a problem than others. Four of those object counters you may wish to consider are listed below along with a description of the significance of each counter.

Memory:Available Bytes - Indicates the size of virtual memory currently available. As this decreases, NT begins to take away memory from active applications.

Paging File:% Usage - Indicates the amount of the paging file in use. As usage increases towards 100% you should increase the size of the paging file.

Process:% Processor Time - Indicates the percentage of elapsed time that a processor is busy. When the percentage is relatively high for long periods of time it may be time for a processor upgrade or the insertion of another onto your motherboard.

Physical Disk:% Disk Time - Indicates the percentage of time that a drive is active. When the percentage is consistently high, it may be time to transfer some files to a different disk or server or upgrade the current drive.

In some instances, a bit of detective work may be required to determine the cause of certain performance problems. For example, the object "thread" has a counter labeled "thread wait" for which various reasons can be associated for thread delay. One reason is a lack of virtual memory. This can be ascertained by examining the results of the "thread wait" counter or by watching the paging file level of utilization.

To illustrate a typical use for Performance Monitor, let's assume you receive a few calls complaining about server performance. Each caller simply states that the response to queries and file transfers appears to be taking longer than before. Although you could use a sniffer to see if network bandwidth represents a bottleneck, it is still possible that one or more computer objects is the cause of the complaints. Thus, Performance Monitor could be used as a supplement to a sniffer to examine the performance of various components of the server.

Since we previously selected the % Processor Time counter in Figure 1, let's now use the network interface object. Figure 2 illustrates the selection of the network interface object in Performance Monitor's "Add to chart" dialog box. Note that since the computer has two NICs installed, there are two instances available for selection for each counter. Also note that if you are not sure of the meaning of a particular counter, clicking on the button labeled "Explain" will give a brief definition of the counter.

To ensure that your network connection is correctly configured, you would select the counter "current bandwidth" to verify that the interface to the network matches the operating rate of the network. It is possible that an interface card could be incorrectly configured. However, NT is usually smart enough to inform you of the failure of a process upon logon, leaving you to use Event Viewer to ascertain more information about a particular problem.

Since we chose red and blue colors for charting the % Processor Time and current bandwidth counters, the charting operation will display the counters as indicated in Figure 3. Note that the heavy vertical bar rotates from left to right to indicate the present time. Also note that the % Processor Time counter was initiated before the current bandwidth counter. Thus, the % Processor Time counter chart has a longer duration than the current bandwidth counter.

In Figure 3, note that the value for % Processor Time varied from 0 to 100 percent and is shown spiking several times above 80% during the monitoring interval. Although the average processor utilization during the monitoring period is indicated as 6.265%, it is possible remote users are accessing the server during periods of high processor utilization. Since the blue line is fixed at 10, which corresponds to the bandwidth of the 10 Mbps Ethernet connection, we would probably focus on the processor time counter, especially if server requests required a degree of server processing beyond file transfers associated with Web pages. One mechanism for checking the load on the processor over a period of time is the Alert feature of Performance Monitor.

Setting an Alert

Through this Alert capability, you can define counters and instances for objects whose activity will be logged when a predefined condition occurs. That condition can be defined as a counter value either above or below a value you set. You can also set an alert to execute a program; however, if done improperly, that can lead to unwanted complexity.

Figure 4 illustrates the "Add to Alert" dialog box, which can be invoked either from the Edit menu or the Add to Alert button on the toolbar. Similar to selecting counters for display, you would select one or more counters for the alert logging. Figure 4 demonstrates setting an alert for the situation where the % Processor Time counter value exceeds 50.

Although you can set a program to be executed when an alert occurs, a word of caution concerning this option is in order. As indicated in Figure 4, the default is to run the selected program every time the predefined alert occurs. If you configure the "Add to Alert" dialog box to execute a program that beeps your technician, he or she may receive one alert or a large series of alerts depending upon the counter and threshold selected.

To illustrate this, I set the previously configured alert shown in Figure 4 and performed a series of operations. Those operations included opening multiple copies of a screen capture program, running a Web browser, and initiating a file transfer. Although the host system was a Pentium Pro 200 MHz computer, within a short period of time two alerts were generated. With a bit more activity in a true server environment, it would be relatively easy to spike above 50% Processor Time on a periodic basis.

Thus, you should carefully consider how you use alerts with programs that generate beeper messages or predefined email. One solution to this problem is to select the "First Time" option to run a program. Another solution is to reset the alert update from its default of 5 seconds. Even if you do not intend to initiate a program upon the occurrence of an alert, you may wish to consider altering the update time. If you intend to take snapshots of problems or predefined situations over a period of time, a default value of 5 seconds can easily fill your access log and result in the disappearance of some alerts as old alerts are purged.

Figure 5 illustrates the Alert log after two alerts were generated. Note that at the time of alert occurrence, the value of the counter and its alert value, as well as counter name, instance, object, and computer name are logged. The alert log is capable of storing up to 1000 entries, with new alerts purging old alerts from the log. Thus, the alert facility built into Performance Monitor allows you to monitor the performance of various computer components and to note when they reach predefined values.
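The following added example (not part of the original article and not Performance Monitor code) models the alert behavior described above: a check every update interval, the "Every Time" versus "First Time" program option, and a 1000-entry log that purges old alerts. The function name `evaluate`, the `Alert` record, and the constructed load pattern are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

LOG_CAPACITY = 1000  # alert log size given in the article


@dataclass
class Alert:
    t: int            # seconds since monitoring began
    value: float      # counter value when the alert fired
    threshold: float  # configured alert value


def evaluate(samples, threshold=50.0, interval=5, first_time_only=False):
    """Replay per-second counter readings against an 'Over' alert.

    Returns (alert_log, program_runs, purged_alerts).
    """
    log = deque(maxlen=LOG_CAPACITY)  # oldest entries drop off when full
    runs = purged = 0
    for t, value in enumerate(samples):
        if t % interval:              # counter is only checked once per interval
            continue
        if value > threshold:
            if len(log) == LOG_CAPACITY:
                purged += 1           # an old alert is about to be overwritten
            log.append(Alert(t, value, threshold))
            if not first_time_only or runs == 0:
                runs += 1             # "Every Time" vs. "First Time"
    return log, runs, purged


# Constructed load: four hours of % Processor Time, alternating one busy
# minute (85%) with one idle minute (10%). Not measured data.
LOAD = [85.0 if (t // 60) % 2 == 0 else 10.0 for t in range(4 * 3600)]

if __name__ == "__main__":
    for interval, first in ((5, False), (5, True), (60, False)):
        log, runs, purged = evaluate(LOAD, interval=interval, first_time_only=first)
        print(f"interval={interval:>2}s first_time={first!s:<5} "
              f"logged={len(log)} program_runs={runs} purged={purged} "
              f"oldest_kept_t={log[0].t}s")
```

With the 5-second default, this load triggers the program 1440 times and the earliest alerts are gone from the log before the four hours are up; a 60-second interval keeps every alert.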

Task Manager

Although Performance Monitor lets you observe the state of numerous computer resources, it is not the only facility available under Windows NT. NT's Task Manager, invoked by pressing Ctrl-Alt-Del, also can be useful. As indicated by the tabs in the NT Task Manager dialog box shown in Figure 6, Task Manager lets you view applications and processes that are running on your computer. CPU and memory usage are shown when the Performance tab is selected. Unlike Performance Monitor, which can be used to view the performance of other computers on a network, Task Manager only examines activity on the local machine.

Task Manager lets you obtain a real-time synopsis of the use of your computer as well as the effect of different applications and processes on your computer. Note that Figure 6 shows CPU and memory usage and breaks down the manner by which memory is being used. If your computer's paging file was very active due to a lack of available memory, you could use Task Manager to determine the potential effect of moving one or more programs from day to evening processing. Thus, Task Manager can provide a valuable supplement to Performance Monitor in your quest to optimize the performance of your NT-based system.


In my experience, the use of Performance Monitor and Task Manager can provide a considerable level of assistance in isolating the reason for degraded levels of computer performance. The charting and alerting features included in Performance Monitor can be used to gather statistics useful for capacity planning as well as to inform you when predefined levels of activity are reached. While the preceding are important, perhaps a key benefit associated with the use of Performance Monitor is to resolve finger pointing between the SA and the network administrator. When users complain about poor response, you can use Performance Monitor to confirm or deny that server activity is the culprit.

About the Author

Gilbert Held is an award-winning author and lecturer. Gil is the author of over 40 books and 250 technical articles. Some of Gil's recent books include High Speed LAN Switching, Virtual LANs, Ethernet Networks 2ed., Enhancing LAN Performance 2ed., The Complete Modem Reference 3ed., and Data and Image Compression 4ed., all published by John Wiley & Sons. Gil can be reached via email at