File Services - Illinois Institute of Technology



Windows Server 2008

Resource Management and Performance Monitor

Goal: monitor the server’s performance and tune it so that you can maximize its full potential

• Provides some form of centralized service for its users

• Ensure server reliability, server’s health and stability

• Keeping track of server performance and capacity

• Predicting server growth

• Metrics-gathering tools when performance issues arise

• A tool to gather system data proactively

• Most effective way to justify to upper management why you need to spend money on equipment and resources

• A troubleshooting tool to prioritize server’s processes

Windows 2008 provides Windows System Resource Manager (WSRM) to monitor system performance and system reliability. This is an enhanced version compared with previous Windows versions.

• WSRM acts as a kind of “resource police”

• WSRM is part of Windows 2008 Enterprise and Datacenter editions – install through Server Manager

• On Windows 2003 Enterprise and Datacenter editions, WSRM is on a separate CD that you can choose to install

• WSRM allows the administrator to specify constraints for each process, such as CPU and memory

WSRM has nine distinct components, including management interface, information stores, schedulers, and managers:

• WSRM console – GUI to manage and monitor WSRM

• Distributed Component Object Model (DCOM) interface – Remote APIs used to communicate between client and WSRM service

• WSRM service – Track processes and compare them

• Accounting database – Stores information about managed processes on a per-process basis

• Policy store – Stores all the policies and resource matching criteria defined in WSRM

• WSRM setting – Stores the current management settings

• Calendar – Stores all calendar-related events

• Memory Manager – Manages memory allocated to managed processes

• Kernel Scheduler – Control how processes are scheduled

Managed vs. Unmanaged Processes

Some processes are system processes and should not be restricted:

Csrss.exe – Stands for client/server run-time subsystem

Csrss is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

The csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm! Virus with same name: Nimda.E

Dumprep.exe

Dumprep.exe forms part of the built-in fault logging software of Microsoft Windows XP (and later versions). Upon serious errors, this program writes the details to a text file and requests that the information be sent to Microsoft.

Lsass.exe

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Msdtc.exe - Microsoft Distributed Transaction Coordinator.

Msdtc.exe is a transaction manager that permits client applications to include several different sources of data in one transaction, and that then coordinates committing the distributed transaction across all the servers enlisted in the transaction. MSDTC runs on all Windows platforms and is installed by applications that need to use it, such as Microsoft's Personal Web Server or Microsoft SQL Server.

Recommendation: If you have it running, it is most probably needed by a Microsoft application, so leave it untouched unless it is definitely causing you problems.

Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!

Services.exe

This is the Services Control Manager, which is responsible for running, ending, and interacting with system services.

Note: The services.exe file is located in the folder C:\Windows\System32. In other cases, services.exe is a virus, spyware, trojan or worm!

Virus with same name:

W32/Leave.B (service.exe)

W32.Randex.R (service.exe)

W32.HLLW.Kazping (service.exe)

W32.XTC.Worm (service.exe)

Smss.exe

This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Note: The smss.exe file is located in the folder C:\Windows\System32. In other cases, smss.exe is a virus, spyware, trojan or worm!

Virus with same name:

W32.Dalbug.Worm

Adware.DreamAd

W32.Resdoc

Adware.Advision

Backdoor.IRC.Flood.F

Backdoor.IRC.Aladinz.O

and more...

Spoolsv.exe

The spooler service is responsible for managing spooled print/fax jobs.

Note: The spoolsv.exe file is located in the folder C:\Windows\System32. In other cases, spoolsv.exe is a virus, spyware, trojan or worm!

Virus with same name:

Backdoor.Ciadoor.B

VBS.Masscal.Worm (vbs)

Hacktool.Privshell

Taskmgr.exe

The taskmgr.exe process is the file used to launch Windows Task Manager.

Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!

Winlogon.exe

It's a part of the Windows Login subsystem. Winlogon is necessary for user authorization and checks the Windows XP activation code.

Note: The winlogon.exe file is located in the folder C:\Windows\System32. In other cases, winlogon.exe is a virus, spyware, trojan or worm!

Virus with same name:

sky.D

Wmiprvse.exe

Windows® Management Instrumentation (WMI) is a component of the Microsoft® Windows® operating system that provides management information and control in an enterprise environment.

Note: The wmiprvse.exe file is located in the folder C:\WINDOWS\System32\Wbem. In other cases, wmiprvse.exe is a virus (Sasser worm), spyware, trojan or worm!

Virus with same name:

W32/Sonebot-B
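
The location check that the notes above recommend can be scripted. The following is an added example, not part of the original handout: it compares each process's image path with the folder the notes give for that file name and flags the look-alike name service.exe. The function name, the verdict strings and the sample records are assumptions made for illustration, and it needs PowerShell 2.0 or later.

```powershell
# Expected image paths relative to %SystemRoot%, as stated in the notes above.
$ExpectedPath = @{
    'csrss.exe'    = 'System32\csrss.exe'
    'services.exe' = 'System32\services.exe'
    'smss.exe'     = 'System32\smss.exe'
    'spoolsv.exe'  = 'System32\spoolsv.exe'
    'winlogon.exe' = 'System32\winlogon.exe'
    'wmiprvse.exe' = 'System32\Wbem\wmiprvse.exe'
}
# Look-alike file name the notes list under services.exe.
$LookAlike = @('service.exe')

# Hypothetical helper: returns a verdict for one record with Name and ExecutablePath.
function Test-ProcessImagePath {
    param($Process, [string]$SystemRoot = $env:SystemRoot)
    $name = $Process.Name.ToLower()
    if ($LookAlike -contains $name) { return 'LOOKALIKE-NAME' }
    if (-not $ExpectedPath.ContainsKey($name)) { return 'NOT-CHECKED' }
    # WMI can return an empty path for protected system processes, or when the
    # session is not elevated. Report that separately instead of raising an alarm.
    if ([string]::IsNullOrEmpty($Process.ExecutablePath)) { return 'PATH-UNAVAILABLE' }
    $want = $SystemRoot.TrimEnd('\') + '\' + $ExpectedPath[$name]
    # -ieq: Windows paths are case-insensitive (C:\WINDOWS equals C:\Windows).
    if ($Process.ExecutablePath -ieq $want) { return 'OK' }
    return 'UNEXPECTED-PATH'
}

# Constructed sample records, not taken from a real host. On a live server,
# replace $sample with:
#   Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ExecutablePath
$sample = @(
    New-Object PSObject -Property @{ Name = 'services.exe'; ProcessId = 512;  ExecutablePath = 'C:\Windows\System32\services.exe' }
    New-Object PSObject -Property @{ Name = 'service.exe';  ProcessId = 2044; ExecutablePath = 'C:\Windows\System32\service.exe' }
    New-Object PSObject -Property @{ Name = 'smss.exe';     ProcessId = 3120; ExecutablePath = 'C:\Users\Public\smss.exe' }
    New-Object PSObject -Property @{ Name = 'csrss.exe';    ProcessId = 396;  ExecutablePath = $null }
    New-Object PSObject -Property @{ Name = 'wmiprvse.exe'; ProcessId = 1880; ExecutablePath = 'C:\WINDOWS\System32\Wbem\wmiprvse.exe' }
)

# One row per process, with the verdict as the last column.
$sample | Select-Object Name, ProcessId, ExecutablePath,
    @{ Name = 'Verdict'; Expression = { Test-ProcessImagePath -Process $_ -SystemRoot 'C:\Windows' } } |
    Format-Table -AutoSize
```

A matching path only shows that the file sits where the notes say it should; it does not show that the file is the genuine Microsoft binary.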

Hands-on Lab exercises

1. Installing WSRM

Instructor approval: _____________________________

2. Creating a Process Matching Criterion

Instructor approval: _____________________________

3. Creating a CPU Allocation Policy

Instructor approval: _____________________________

4. Creating a Calendar Event

Instructor approval: _____________________________

5. Archiving Accounting Information

Instructor approval: _____________________________

6. Using Resource Monitor to Track CPU and Memory Usage

Instructor approval: _____________________________

7. Creating a Data Collector Set from the Performance Monitor

Instructor approval: _____________________________

8. Scheduling a Data Collector Set to Run Daily

Instructor approval: _____________________________

9. Configure a Data Collector to Generate Reports

Instructor approval: _____________________________
