Overview of Windows Performance Monitor on Windows Server 2022
Windows Performance Monitor (perfmon) is the built-in performance data collection and analysis tool included in every edition of Windows Server. On Windows Server 2022 it provides access to thousands of performance counters sourced from the OS kernel, hardware drivers, and installed applications. The tool operates in two fundamental modes: real-time monitoring for immediate diagnostics and log-based collection for trend analysis and capacity planning. This guide covers the complete workflow from adding counters to scheduling automated data collection, command-line collection with typeperf.exe, alert actions, and advanced tracing with Windows Performance Recorder.
Launching Performance Monitor
Performance Monitor can be launched in several ways on Windows Server 2022:
# From Run dialog or Start > Search
perfmon.msc
# From an elevated PowerShell or Command Prompt
perfmon /sys # Opens System Monitor (real-time graph)
perfmon /report # Generates a System Diagnostics report immediately
perfmon /rel # Opens Reliability Monitor
perfmon /res # Opens Resource Monitor
The Performance Monitor snap-in loads within the Microsoft Management Console (MMC) framework. The left pane shows a navigation tree with three main sections: Monitoring Tools (containing Performance Monitor for real-time graphing), Data Collector Sets (for scheduled collection), and Reports (for viewing saved data).
Adding Performance Counters in Real-Time Mode
Click Performance Monitor under Monitoring Tools to open the real-time graph. By default it shows the % Processor Time counter. To add counters, click the green plus button in the toolbar or press Ctrl+N. The Add Counters dialog opens and lists all available performance objects grouped by category.
The most important counter objects for Windows Server 2022 monitoring are:
Processor — expand to reveal % Processor Time, % User Time, % Privileged Time, % Interrupt Time, and % DPC Time. The _Total instance covers all logical processors combined, or select individual cores. Add % Processor Time for _Total to get overall CPU load.
Memory — key counters include Available MBytes (free RAM), % Committed Bytes In Use (paging pressure), Pages/sec (excessive paging indicates memory shortage), Pool Nonpaged Bytes (kernel pool exhaustion causes crashes), and Cache Bytes.
PhysicalDisk — Avg. Disk Queue Length per disk (values persistently above 2 indicate I/O bottleneck), Disk Reads/sec, Disk Writes/sec, Avg. Disk sec/Read, Avg. Disk sec/Write (latency in seconds).
Network Interface — Bytes Received/sec and Bytes Sent/sec per adapter, Packets Received Errors, Output Queue Length (above 2 indicates network saturation).
After selecting counters, click Add >> to move them to the added list, then click OK. Each counter appears in the graph as a coloured line. Right-click any counter in the legend at the bottom and select Properties to change its colour, scale factor, line style, or width for readability.
Switching Between Real-Time and Log Views
Right-click the graph area and select Properties (or press Ctrl+Q) to access the Performance Monitor Properties dialog. The Graph tab controls the view type: Line (time-series), Histogram bar, or Report (table of current values). The Report view is useful for a quick numerical summary when you have many counters loaded.
The Source tab lets you switch the data source from Current activity (real-time) to Log files, which allows you to replay previously recorded BLG files in the same Performance Monitor interface for retrospective analysis. Use the Time Range slider under the Source tab to focus on specific time windows within a loaded log file.
Creating Data Collector Sets
Data Collector Sets (DCS) automate the collection of performance data over time. They run as scheduled background tasks, writing data to BLG (binary log) files that can be opened later in perfmon for analysis. Expand Data Collector Sets in the left pane and right-click User Defined, then select New > Data Collector Set.
In the Create New Data Collector Set wizard: give it a name such as WindowsServer2022-Baseline, select Create manually (Advanced), and click Next. Choose Performance counter as the data type, set the sample interval to 15 seconds for production baselining (reduce to 1 second for short-term troubleshooting), and click Next.
Add the following counters to capture a comprehensive server baseline:
\Processor(_Total)\% Processor Time
\Processor(_Total)\% Privileged Time
\Processor(_Total)\% Interrupt Time
\Memory\Available MBytes
\Memory\% Committed Bytes In Use
\Memory\Pages/sec
\Memory\Pool Nonpaged Bytes
\PhysicalDisk(_Total)\Avg. Disk Queue Length
\PhysicalDisk(_Total)\Disk Reads/sec
\PhysicalDisk(_Total)\Disk Writes/sec
\PhysicalDisk(_Total)\Avg. Disk sec/Read
\PhysicalDisk(_Total)\Avg. Disk sec/Write
\LogicalDisk(C:)\% Free Space
\LogicalDisk(C:)\Free Megabytes
\Network Interface(*)\Bytes Received/sec
\Network Interface(*)\Bytes Sent/sec
\System\Processor Queue Length
\System\Context Switches/sec
On the next screen, set the root directory for saved files to D:\PerfLogs\WindowsServer2022-Baseline to avoid consuming space on the OS volume. Click Finish.
Start the DCS immediately by right-clicking it in the left pane and selecting Start. The circular green icon confirms it is collecting. Files are written to dated subdirectories under your configured path.
Scheduling Data Collector Sets with Task Scheduler
To run a DCS on a schedule, right-click the DCS and select Properties. Click the Schedule tab, then Add. Set the schedule to your requirements — for example, daily at 08:00 with a stop condition of 4 hours. This gives you business-hours coverage without accumulating 24 hours of data per day.
Alternatively, control DCS programmatically from PowerShell using the logman.exe utility, which gives you more flexibility for scripted deployments:
# List all Data Collector Sets
logman query
# Start a named DCS immediately
logman start "WindowsServer2022-Baseline"
# Stop a running DCS
logman stop "WindowsServer2022-Baseline"
# Create a DCS from command line with key counters
logman create counter "WS2022-Quick" `
-c "\Processor(_Total)\% Processor Time" `
"\Memory\Available MBytes" `
"\PhysicalDisk(_Total)\Avg. Disk Queue Length" `
-si 00:00:05 `
-f bincirc `
-max 100 `
-o "D:\PerfLogs\WS2022-Quick\WS2022"
# Start the new collector (logman start begins collection immediately)
logman start "WS2022-Quick"
The -f bincirc flag creates a circular binary log that overwrites old data when the maximum size (-max 100 MB) is reached, which prevents disk space exhaustion for long-running collections.
Saving and Opening BLG Performance Log Files
BLG (Binary Log) is the native format for Performance Monitor log files. These files are compact and can be opened directly in perfmon for analysis. To open a BLG file, click Performance Monitor under Monitoring Tools, right-click the graph area and select Properties, go to the Source tab, select Log files, click Add, and browse to your BLG file.
BLG files can also be converted to CSV or TSV for analysis in Excel or other tools using relog.exe:
# Convert BLG to CSV
relog "D:\PerfLogs\WindowsServer2022-Baseline\DataCollector01.blg" -f CSV -o "C:\reports\baseline.csv"
# Convert BLG to TSV
relog "D:\PerfLogs\WindowsServer2022-Baseline\DataCollector01.blg" -f TSV -o "C:\reports\baseline.tsv"
# Resample data at a different interval (e.g. every 60 seconds) while converting
relog "D:\PerfLogs\DataCollector01.blg" -f CSV -o "C:\reports\baseline_1min.csv" -t 4
The -t flag specifies that every 4th sample is kept (effectively 4 x 15 seconds = 60-second intervals in this example). This is useful for reducing file size when exporting long collections for spreadsheet analysis.
Using typeperf.exe for Command-Line Collection
typeperf.exe is the command-line equivalent of Performance Monitor’s real-time view. It writes counter values to the console or directly to a file at a specified interval. This makes it ideal for quick ad-hoc diagnostics from a Server Core installation or SSH session without a GUI.
# Display CPU, memory, and disk queue every 2 seconds to console
typeperf "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" "\PhysicalDisk(_Total)\Avg. Disk Queue Length" -si 2
# Collect to CSV file for 5 minutes (300 samples at 1 second each)
typeperf "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" -si 1 -sc 300 -f CSV -o C:\reports\5min_sample.csv
# List all counters for the Memory object (without instances)
typeperf -q "Memory"
# List all installed counters, including instances, and save the list to a file
typeperf -qx > C:\reports\all_counters.txt
The -sc flag specifies the number of samples before typeperf exits automatically. Without it, typeperf runs indefinitely until Ctrl+C is pressed. Use -f TSV for tab-separated output, which is easier to parse with PowerShell or awk.
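Checking an exported log against the thresholds this guide mentions (CPU above 90, disk queue persistently above 2) applies equally to the CSV written by relog and by typeperf. The following is an added example, not part of the original guide. The sample rows, the server name SRV01, the function name Get-CounterBreach and the rule that two consecutive samples count as "persistent" are assumptions made for illustration.

```powershell
# Constructed sample in the PDH-CSV layout written by relog -f CSV and typeperf -f CSV:
# column 1 is the timestamp, every other column is a full counter path. SRV01 is made up.
$sampleCsv = @'
"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\Memory\Available MBytes","\\SRV01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"03/04/2024 08:00:00.000","35.2","6144","0.4"
"03/04/2024 08:00:15.000","93.8","5980","2.7"
"03/04/2024 08:00:30.000","95.1","5875","3.1"
"03/04/2024 08:00:45.000"," ","5870","3.4"
"03/04/2024 08:01:00.000","41.0","6020","0.9"
'@

# Thresholds from the guide. Keys are matched against the end of each column name,
# so the machine-name prefix in the counter path is ignored.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'          = 90
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
}

function Get-CounterBreach {
    param(
        [Parameter(Mandatory)] [object[]]  $Rows,
        [Parameter(Mandatory)] [hashtable] $Thresholds,
        [int] $MinConsecutive = 2          # assumed meaning of "persistently"
    )
    $columns = $Rows[0].PSObject.Properties.Name
    $timeCol = $columns[0]
    foreach ($col in $columns | Select-Object -Skip 1) {
        $key = $Thresholds.Keys | Where-Object { $col.EndsWith($_, [StringComparison]::OrdinalIgnoreCase) } | Select-Object -First 1
        if (-not $key) { continue }        # counter has no threshold defined
        $run = @()
        foreach ($row in $Rows + $null) {  # the trailing $null flushes a run that reaches the last row
            $value = 0.0
            # Missing samples are exported as " "; TryParse rejects them instead of reading them as 0
            $ok = $row -and [double]::TryParse($row.$col, [Globalization.NumberStyles]::Float, [cultureinfo]::InvariantCulture, [ref]$value)
            if ($ok -and $value -gt $Thresholds[$key]) { $run += $row; continue }
            if ($run.Count -ge $MinConsecutive) {
                [pscustomobject]@{
                    Counter = $key
                    From    = $run[0].$timeCol; To = $run[-1].$timeCol
                    Samples = $run.Count
                    Peak    = ($run | ForEach-Object { [double]$_.$col } | Measure-Object -Maximum).Maximum
                }
            }
            $run = @()
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
Get-CounterBreach -Rows $rows -Thresholds $thresholds | Format-Table -AutoSize
```

To run it against a real export, replace the here-string with Import-Csv on the file that relog or typeperf wrote.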
Creating Performance Counter Alert Actions
Performance Monitor can trigger actions when a counter exceeds a threshold. In Data Collector Sets > User Defined, right-click and create a new DCS. In the data type selection, choose Performance Counter Alert instead of Performance counter data. Add the counter you want to alert on, such as \Processor(_Total)\% Processor Time, set the alert threshold (Above 90 for 90%), and specify the sample interval.
In the DCS properties under the Alert Action tab, configure what happens when the alert fires:
Log an entry in the Application event log — writes a Warning or Error event to the Application log with source Perfmon. These events can be captured by Windows Event Forwarding or SIEM tools.
Start a Data Collector Set — triggers another DCS to begin collecting detailed data when the alert fires, creating a targeted log of the period around the threshold breach.
Run a program — executes any executable or PowerShell script. Use this to send email alerts via a script:
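# Example PowerShell alert script: C:\scripts\cpu_alert.ps1
# Microsoft marks Send-MailMessage as obsolete because it does not guarantee a secure
# connection to the SMTP server; add -UseSsl if your mail relay supports it.
# Replace the placeholder addresses and SMTP server below with your own values.
param($CounterValue)
$Body = "ALERT: CPU on $env:COMPUTERNAME is at $CounterValue% as of $(Get-Date)"
Send-MailMessage `
-To "<recipient-address>" `
-From "<sender-address>" `
-Subject "CPU Alert - $env:COMPUTERNAME" `
-Body $Body `
-SmtpServer "smtp.yourdomain.com"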
Creating Custom Reports from Data Collector Sets
After running a DCS, right-click it and select Latest Report to open the collected data as a formatted HTML report within the perfmon interface. The report shows summary statistics (min, max, average) for each counter collected during the run. This is particularly useful for the built-in System Performance and System Diagnostics DCS templates found under Data Collector Sets > System, which generate comprehensive HTML reports covering CPU, memory, disk, and network performance along with top process tables and configuration snapshots.
Generate the System Diagnostics report on demand from an elevated PowerShell prompt:
# Run System Diagnostics DCS (60-second collection then auto-report)
Start-Process perfmon -ArgumentList "/report" -Wait
Windows Performance Recorder and Analyzer
Windows Performance Recorder (WPR) and Windows Performance Analyzer (WPA) are part of the Windows Assessment and Deployment Kit (Windows ADK) and provide kernel-level profiling based on Event Tracing for Windows (ETW). Unlike perfmon counters, which poll at intervals, ETW captures every event, making it suitable for CPU flame graphs, disk I/O tracing, and memory allocation analysis.
# Start a WPR recording with the CPU, DiskIO and FileIO profiles
# (recording continues until wpr -stop; for a 15 second capture, stop it 15 seconds later)
wpr -start CPU -start DiskIO -start FileIO
# Stop recording and save the trace to an ETL file
wpr -stop C:\reports\server_trace.etl
# List available WPR profiles
wpr -profiles
# Start recording using a custom profile file
wpr -start C:\profiles\custom_profile.wprp
Open the resulting .etl file in WPA (wpa.exe from the ADK) to access timeline graphs, flame charts, and table views of CPU usage by process and thread, disk I/O by file and process, memory allocation events, and wait analysis. WPA is the tool of choice for diagnosing performance issues that perfmon counters cannot pinpoint, such as identifying which specific code paths are consuming excessive CPU during a business process.