Windows performance monitoring


How does KNM monitor Windows performance metrics?



KNM have two means of monitoring Windows performance metrics


  •  Windows performance registry (Winperf)
  • Windows Management Instrumentation (WMI)




1. Windows performance register

The Windows performance register is a virtual registry hive that contains performance metrics from a number of installed providers. All the communication with the performance registry is done via the remote registry service.


The following monitors may use the Windows performance registry


●      Windows performance monitor

●      CPU monitor

●      Memory monitor

●      Swap size monitor

●      Bandwidth monitor

●      Disk monitor


All monitors except the Windows performance monitor can be forced to use WMI instead if the flag “Use WMI” is enabled in the Object property page.


How to verify that KNM have access to remote registry service

1.     Logon to the KNM host machine using the Windows account used to monitoring

2.     Start the 32 bit version of the perfmon.exe application (located in SysWOW64\perfmon.exe on a 64 bit host machine)

3.     Connect to the monitored machine and add a counter.


If this test fails, KNM will not succeed in enumerating and sampling counters on the monitored machine.


1.     Check that firewall is opened for Remote Administration in the correct profile.

2.     Make sure the Remote registry service is running on the monitored machine

3.     Verify that the account is allowed to access the performance counter hive.

4.     If its a standalone Vista/7 machine (not in a domain) you have to disable UAC to prevent it from filtering out the credentials.

5.     If counters are missing, and you have verify that the same counters are missing in the performon.exe tool, the performance counter library might need to be rebuilt.

6.     If counters still are missing the counters may be published by a 64 bit dll, KNM is a 32 bit application and cannot yet read 64 bit counter values. User have either to install a 32 bit version of the dll or use WMI to query the counter.


Memory leaks in remote registry service on monitored machine

Since the performance registry hive is loading external executable code to publish performance data to consumers (e.g. KNM) there might be problems with the loadable modules, such as memory leaks and lock ups.


This may result in that the monitored machine experience low memory conditions.


As its impossible for us to fix the problematic dll’s (other than search for newer version of the program). The only thing we can recommend the user is to create a Scheduled event that restarts the remote registry service on the monitored machine every 24 hours.

Caching of counters

When a monitor in an object performance the first test since restart it will cache all the counter and [Winperf] object names to improve the bandwidth usage for all subsequent tests performed against this object.


This can be a problem if the user installs a new piece of software on the monitored machine that publish performance counters, after KNM have tested a Windows performance monitor against it. The problem manifests itself as counters are missing when enumerating them, but they are visible in the perfmon.exe tool.


To reset the cache the user needs to open up the KNM system admin console from the Tools menu (operator needs to be System admin to see the menu entry) and issue the following command:


clear-counter-cache <object>


<object> is the exact name of the object to reset the cache of.


2. Windows Management Instrumentation (WMI)

WMI is used by default by all Windows performance monitors when creating a new object. The WMI protocol have an advantage to the older Windows performance registry calls to be a bit more bandwidth effective. However, on some platforms like Windows Vista and Windows 2008 (without service pack) WMI have a high performance impact and therefore Winperf can be preferred when monitoring these two platforms.


For inexperienced system administrator WMI have had an history of being hard to configure for remote monitoring.


WMI Troubleshooting

This article describes a common problem with Windows performance monitoring and how to resolve it.


The following error message is displayed


Access denied. User may lack remote launch and remote activation permission.


The following monitor types use WMI when the object flag “Use WMI” is checked.

●      WMI Query monitor (*)

●      Active directory monitor(*)

●      Bandwidth monitor

●      CPU monitor

●      Disk monitor

●      Memory monitor

●      Swap monitor

*) Always use WMI


This error message is displayed when:

1.     The user account used is not enabled to use WMI in the domain or on the monitored machine.

2.     The firewall is closed.

3.     The user is not an administrator on the monitored machine

Verifying that WMI is enabled for the account


Open Administrative tools -> Computer management and right click for "Properties" on "WMI Control"


Select the security tab and click "Security"


Enable "Remote enable" for the group/user that you plan to use.


Click “Apply” and close the dialog.


Adjusting the firewall settings

Open the command prompt (as administrator) and execute the following command to enable the inbound rule for WMI.


netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Additional for non-administrator users

You need to enable the non-administrator to interact with DCOM by following the simple steps listed in the followingMSDN article..


In the article, follow the steps for:

●      To grant DCOM remote launch and activation permissions for a user or group

●      To grant DCOM remote access permissions

Verifying that WMI works

The wbemtest.exe utility can be used to verify that its possible to make a WMI call to the monitored machine from the KNM host machine. To start the utility, logon to the KNM host machine desktop and open the start menu, in the "Run" field, type the following and press enter:




When the utility have started. Click the "Connect" button.


Enter the following address and replace “my_ip” with the IP number of the monitored machine:




Enter the username and password that you use in KNM. In the Authority field, enter the domainname of the user. Click "Connect" and then "Enum classes"


In the dialog "Superclass info" , click the recursive radio button and click ok.


The utility now populates Query result window with information from the monitored machine, if this do not happen, consult the following troubleshooting information on Microsoft support web site.

Problem with data returned from performance counters read by WMI


Sometimes the performance register and WMI can become out of sync or the process that collects performance data for WMI can hang on a locked resource.


As a last resort after rebooting the monitored machine, resync the performance counters to WMI by the steps outlined in this article.

Full index of Microsoft WMI troubleshooting articles




Kaseya Network Monitor v4 and above.

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section