Universal Logging System

Use win_watch to gather a number of state and performance values from the WMI and the .NET interface of the W*ndows operating system of the current computer and generates a file with the results using the ULS Value File Format.

The performance values are taken as snapshots of the System.Diagnostics.PerformanceCounter and each is saved to a file for differential calculations at the next run of the script. (if applicable, depends on the counter type).

All services are tracked and stopped services defined as “auto” may automatically be restarted. Services may be excluded. But you may expect a [much] longer runtime of the win_watch script, if services need to be restarted. See also Performance Counter.

The configuration file allows customizing of execution parameters. See also the annotations in the delivered win_watch.conf. Description in order of appearance:

IDENTIFIER = _win_watch
  There may be more than one instance of win_watch running on the same 
  computer. Use the IDENTIFIER to uniquely distinguish them. It is 
  also the name of the teststep in ULS where the script runtime information is found.

WORK_DIRECTORY = C:\TEMP\WIN_TOOLS
  That is the directory, where log files and work value files are placed.
  You MUST specify the full path!

ULS_SERVER = 10.1.2.3:11975
  The win_watch script generates a value file in the ULS value file format.
  That must be transferred to the ULS-server. You must sepecify here the 
  IP address and port of the ULS-server.

  If ULS_SERVER is not set or remarked, no value files will be transferred to ULS.
  But the ULS value files are **always** placed in the ULS_DIRECTORY, regardless 
  of whether they will be further processed or not.

ULS_DIRECTORY = C:\\TEMP\\ULS
  That is the directory, where win_watch writes its ULS value files to.

SEND2ULS = C:\\TEMP\\WIN_TOOLS\\send2uls.exe
  send2uls.exe is the W*ndows executable, which transfers all the ULS value files 
  from the ULS_DIRECTORY to the ULS-server. Enter the complete path to the 
  send2uls.exe executable. If not set, nothing is transferred to ULS.
  But the files are **always** placed in the ULS_DIRECTORY.

ULS_HOSTNAME = 
  All gathered metrics are save on the ULS-server in relation to the 
  hostname of the current computer. If you want to use an alternate 
  ULS_HOSTNAME instead of the default computer name, you can define 
  it here. Remember that you have to define that computer name in the 
  ULS administration and define all possible IP addresses for that.
  A "virtual" hostname may be useful in cluster environments.
  The entry is remarked by default.

ULS_SECTION = Windows
  That expression is used as section in ULS.
  See the :ref:`uls_overview` for an explanation of what the section is.

NETWORK_DRIVES = { yes | no }
  All attached disk shares will be checked for size and usage.
  Local disks are always checked. There will be no error if no 
  disk shares are present.

SERVICES = { yes | no }
  All services will be checked for its state.

AUTO_SERVICES_RESTART = { no | yes }
  Restart the services with start mode auto if they do not run.

NEVER_RESTART_SERVICES = <service1>, <service2>, <se*ice5>...
  If AUTO_SERVICES_RESTART=yes is specified, you may exclude a list of 
  services (internal names!!! (Dienstname)) from being restarted. 
  Use the property / Eigenschaften to find the internal name of a service.

  Some services do have a start mode auto but terminate after some time or actions.
  Use show_services to generate a list of all available services
  on the current computer.
  
  You may use wildcards in the <serviceX>, the comparison in the script
  is done by using "-like".
  
SERVICE_INFOS_TO_ULS = { yes | no }
  If "yes" all information about all services is sent to the ULS-server.
  If a service is restarted a notice is definitly sent to ULS.

SERVICE_ULS_TESTSTEP_FORMAT = __name__ (__displayname__)
  Customize the formatting of the ULS teststep for services.

  * __name__        := the internal name of the service
  * __displayname__ := the name of the service as shown in the service
                       list to the user in the W*ndows' gui (localized).

PERFxxx = <category> | <counter 1> [ , <counter 2>, <counter 3>, ...]  [ | <instance_filter> ]
  Specify the categories, performance counters and, if applicable, 
  the instance filters for the performance measurements. Run the 
  script perf_counter_categories.ps1 to generate an html file with all
  available performance categories and counters on the destination computer.

  Currently supported counter types:

  * CountPerTimeInterval*
  * NumberOfItems*
  * RateOfCountsPerSecond*
  * Timer100Ns
  * Timer100NsInverse
  * PERF_PRECISION_100NS_TIMER or 542573824 
    (although the correct usage was not clear to me)
  * PERF_COUNTER_100NS_QUEUELEN_TYPE or 5571840 
    (although the correct usage was not clear to me)
  * PERF_COUNTER_QUEUELEN_TYPE

  The <instance_filter> is applied thru a "if $instance -like <instance_filter>" comparison.

  The following settings are present by default::

    PERF010 = Processor | % Idle Time, % Processor Time, % User Time, % Privileged Time, Interrupts/sec | _Total

    PERF020 = Network Interface | Bytes Received/sec, Bytes Sent/sec

    PERF030 = Server | Files Open, Server Sessions, Errors System, Errors Access Permissions

    PERF040 = LogicalDisk | Current Disk Queue Length, Disk Read Bytes/sec, Disk Write Bytes/sec

Specify more if you like , see Performance Counter Categories to find out how to get information about all performance counter categories on the current computer.

Check also the delivered win_watch.conf for more information.

You can start the “win_watch” manually as any user (although you may need some privileges to access all operating system objects):

C:\> cd C:\ADMIN\WIN_TOOLS\
C:\ADMIN\WIN_TOOLS> win_watch.bat

The log and work value files are placed in directory which is defined as WORKING_DIR in the win_watch.conf, the default is “C:\TEMP\WIN_TOOLS”.

Use Scheduled Tasks and activate the script “C:\ADMIN\WIN_TOOLS\win_watch.bat” (or whatever other name or path you have chosen). Have it executed e.g. every 10 mins.

When was the last reboot of the computer and how many hours is that ago.

The usage of all disks on that computer, probably also the usage of attached storage disks. Different disk drives are identified by its drive letter (like C:).

The eventlog is covered in win_eventlog.

General information about the computer, its cpu, manufacturer and operating system. Note: this currently does probably not work on virtual box guests (Ticket #6361 - Win32_BaseBoard WMI Class Not Available, see https://www.virtualbox.org/ticket/6361).

Usage of all page files like e.g. “C;/pagefile.sys”. Note the ';' instead of a ':', that is because ULS uses the ':' as hierarchy separator in teststeps.

A number of performance counters are already defined in 'win_watch.conf'. You can define additional performance counters, see Performance Counter.

In the description below, you will find abbreviated descriptions of the official W*ndows counter descriptions.

Performance metrics about logical partitions of hard or fixed disk drives. Different disk drives are identified by its drive letter (like C:).

Performance metrics about the rates at which bytes and packets are sent and received over a TCP/IP network connection of a network interface. Several network interfaces are possible.

Processor activity of each cpu or core and in total (_Total).

Some Performance metrics concerning the communication between the local computer and the network.

Information about the physical memory of the computer.

The state of all services for all services, e.g. Alerter. Stopped services with start mode “auto” may be restarted automatically. Exceptions may be defined.

start mode

Each service has a startup mode ("automatic", "manual" or "disabled").

state

The current status of the service ("running", "stopped", "paused").

action

If a service has been restarted, because its start mode is "automatic" 
and its state was not "running", then the service is restarted and 
"restarted" is sent as action.

That is the space on the hard disk of the computer (paging file(s)) where data from RAM is moved to if physical memory gets low.

size

Size of virtual memory.

used

Used space in the virtual memory.

free

Free space in the virtual memory.

%used

Percentage of used space in the virtual memory.

Meta information to the execution of the monitoring script. Note that the name may differ because it is configurable in the ``win_watch.conf``.

message

Is "OK" if there have been no errors during execution of the script. 
Else it will hold the error message(s).

script name, version

The name and version of the script.

runtime

The execution time of the script without transfer to ULS.

start-stop

The start and stop timing tuple of the execution time of the script.

I am not quite sure about the calculations of some counter category types, mainly the exotic ones. So, if anyone finds a bug or a resource of information about the counter categories which are not covered, please let me know.