The Exchange Server User Monitor (ExMon), announced by the Exchange Server engineering group last April, lets Exchange administrators investigate and respond quickly to user complaints that "the mail system is running slowly." You can use ExMon to monitor the performance of individual Outlook client connections with the Exchange server in near real time and possibly identify heavy resource usage (e.g., excessive CPU consumption). You can also use ExMon to determine the impact of user activity on the Exchange system. ExMon is a great tool for a quick look at overall system performance (as opposed to detailed performance analysis). It relies on the Event Tracing for Windows (ETW) subsystem that Microsoft created to allow low-overhead performance analysis of Windows applications. (You can gain a basic understanding of ETW at http://blogs.msdn.com/matt_pietrek/archive/2004/09/16/230700.aspx.) To get you started with ExMon, I outline the tool's requirements and provide some guidelines about how to install and use the tool.
Installing ExMon
ExMon operates in two modes: data collection and data viewing. To collect data from an Exchange server, you must install ExMon on that server. You can't use ExMon on one system to collect data from a remote system that doesn't have ExMon installed. ExMon works with both Exchange 2000 Server and Exchange Server 2003. However, when installing ExMon on an Exchange 2000 server, you must run Exchange 2000 Service Pack 2 (SP2) or later. On Exchange 2003 systems, ExMon is supported only with Exchange 2003 SP1 or later. If you install ExMon on an Exchange server to capture performance data, you can use it to view the captured data later.
You don't need to install ExMon on an Exchange server if you only want to view ExMon data files. You can install the tool on a Windows server (that isn't running Exchange) and view data files that were captured by ExMon on an Exchange server. There are some requirements and limitations, though. If the ExMon data files were created on a Windows Server 2003 server, you can view the ExMon data only on a Windows 2003 server running ExMon. However, if the ExMon data files were created on a Windows 2000 Server system, you're free to use ExMon running on a Windows 2003 server, a Win2K server, or even a Windows XP workstation to view the data files. ExMon has no specific service pack prerequisites for these OSs, although keeping systems updated with the latest service pack is always a good idea. The version of Exchange on which a data file was created has no bearing on the version of the OS you must use to view the data file.
ExMon is available from the Microsoft Web site at http://www.microsoft.com/exchange/tools/2003.asp. After you download the tool, you will have one Windows Installer (.msi) file named exmon.msi. Double-click the MSI file, and the tool will, by default, be installed to the Program Files\ Exmon folder on your system drive, although you can change the folder location. ExMon isn't an I/O-intensive application; Microsoft says that CPU consumption on the system under scrutiny should be minimal (allegedly less than 2 percent). However, locating applications on the system volume is never a good idea, so you should consider some other location for the ExMon installation directory. Also, when you run the tool, you can specify a separate location for its data-collection log files. Avoid using any volumes used by Exchange (e.g., volumes that host Exchange database files, transaction log files, or queue directories) to collect data for ExMon because ExMon's I/O activity can affect normal system performance for Exchange files on these volumes.
The installation isn't really an installation as such. Double-clicking the .msi file just unpacks the ExMon utility and three ancillary files. After unpacking the files, you should open a command prompt window and navigate to the directory that holds them. Figure 1 shows the installation directory created by running exmon.msi. The Using_Exmon.doc file provides useful information about how to use the tool.
Before you can actually run the ExMon tool to start gathering and viewing data, you must create two ExMon registry entries, which Table 1 shows. In the command prompt window shown in Figure 1, type the command
exmon.reg
to create the entries. The Exchange System Attendant service will detect the registry subkey changes within a few minutes (typically within 15 minutes); there's no need to restart any Exchange services or reboot the server.
The RpcEtwTracing registry entry, when enabled, allows Windows to capture performance information using the ETW technology. Although merely enabling the registry entry doesn't affect Exchange system performance, if you aren't currently using ExMon to monitor the system (and don't intend to for some time), Microsoft recommends that you either set the value to 0 or delete the registry subkey. In fact, if you run the Exchange Server Best Practices Analyzer (ExBPA) tool, it will highlight an enabled RpcEtwTracing registry entry as a potential problem because you shouldn't have the system configured to capture tracing information unless you're troubleshooting a performance problem or determining a system performance baseline (tracing puts unnecessary load on the system).
Running ExMon Directly
You can collect data for viewing in ExMon by using ExMon directly, by using System Monitor, or by using command-line tools. Running ExMon directly is straightforward. Double-clicking exmon.exe in Windows Explorer launches the application, and data capture begins immediately with a default reporting interval of 1 minute. Initially, the ExMon window will be blank, but as soon as the first minute has elapsed, the averaged data values from that reporting interval will be displayed, as shown in Figure 2. You can stop data collection at any time by clicking the Stop icon (a black square) on the toolbar (or selecting Stop from the File menu); similarly, you can restart data collection by clicking the Start icon (a right-pointing arrow) on the toolbar or via the File menu.
As performance information is collected, it's logged to a temporary file that's placed in the directory you selected during installation or a directory of your choosing. ExMon generates the filename from the server name and a pseudo-random identifier and gives it an .etl extension (e.g., MARKOV-428b6c81.etl). The .etl extension is used for event trace log files.
You can set the sampling interval to any value between and including 1 and 30 (minutes). ExMon retains the last log file written to the installation directory in addition to the log file to which data is currently being written. At the end of a sampling interval, ExMon opens a new log file for the new data to be collected and processes the collected data from the previous sampling interval. If you have a long (30 minute) sampling interval and your Exchange server is busy, processing the data at the end of the sampling interval might use significant CPU and memory resources on the system. Therefore, you should exercise caution when using ExMon on busy production servers, especially with large sampling intervals. When you exit ExMon, the log files are removed.
When you examine the information displayed in ExMon, don't be alarmed if one user appears to account for a large CPU percentage. The CPU percentage shown is the user's portion of the CPU utilized by the Exchange Store process rather than the user's portion of the total system CPU utilization, so even on a multiprocessor system, the sum of the users' CPU percentage values won't exceed 100. Remember that ExMon provides only a snapshot of resource utilization; for short sampling intervals, it's likely that some users will stand out, especially if they've performed CPU-intensive operations at the time of the sampling interval. For example, user CA M.Loughran accounted for 28 percent of the CPU utilization during the 1-minute sampling period shown in Figure 2. I happen to know that this user was attaching a rather large file to an email message during this sampling period, explaining the high CPU utilization. Over a longer sampling interval, the resource utilization would be much more evenly distributed across users. Over a longer sampling period, very heavy consumers of CPU resources might well warrant some closer scrutiny to determine exactly what operations they were performing.
You might occasionally notice an ExMon results entry that has a blank username and low system resource use; Figure 2 shows such an entry. These entries indicate that ExMon has detected a client logon and has begun reporting on the client's usage but hasn't yet been able to detect a username for the process.
The status line at the bottom of the ExMon window provides additional information, including a Captured field. This value represents the percentage of the Information Store CPU usage captured by ExMon relative to the total amount of Information Store CPU usage. ExMon captures data only for Messaging API (MAPI) clients; other client types such as Outlook Web Access (OWA), POP3, and IMAP4 consume Information Store cycles but aren't processed by ExMon.