5 ways to see what's going on in your Windows server system right now
It’s easy to lose track of what’s happening on a Windows server, particularly when something goes awry. There are hundreds of processes, scheduled tasks, rules, handles, and privileges going on at the same time. The more you know about the goings on of the computers you’re responsible for—whether Windows, Linux, or any other operating system—the easier it is to fix if things go south.
Fortunately, you have help. There are many command-line utilities for Windows systems (desktop and server), as well as small, official tools that help you get a grip on what’s going on at all times. In this article, I introduce you to some you should know about. These may not surprise you if you’re an experienced Windows admin but can serve as a checklist for your fix-it toolbox.
I share both free tools and PowerShell or CMD command-line commands. Naturally, the options extend far beyond my list here.
When you don’t want to or (feasibly) can’t get local access to your server, turn to remote tools including WinRS/WinRM or PowerShell remoting, or stick to options such as remote desktop solutions.
See what’s running automatically
Microsoft's Autoruns has been on my list of tools for more than 15 years now. Every server admin should have it handy. It gives you a complete overview of all processes that run at Windows startup (whether server or client) and all scheduled tasks, services, drivers, Winsock providers, DLLs, and more.
Once a month, I go through the exhaustive list of items and hunt for new entries (Why is it here? Where is it coming from? Do I need it?). I also look at entries marked in yellow or red (the items that try to launch a nonexistent file—usually a good source for troubleshooting).
In particular, third-party services and scheduled tasks get my full attention. I want my server to run as cleanly as possible.
Big plus: The recent versions allow you to check any file for any form of malware, known and especially unknown, using VirusTotal.
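The monthly "what is new here?" pass described above can be scripted with the command-line edition of Autoruns. The following PowerShell is an added example, not code from the article or from Sysinternals: it takes a snapshot with autorunsc.exe (assumed to be on the PATH, run from an elevated session), keeps it under a folder of my choosing, diffs it against the previous snapshot, and lists entries whose signature could not be verified. The column names used are those of the CSV that autorunsc -c -h writes.

```powershell
# Added example (not from the article or Sysinternals): monthly Autoruns baseline comparison.
# Assumes autorunsc.exe is on the PATH and the session is elevated.
$BaselineDir = 'C:\AutorunsBaseline'   # assumed location, change as needed
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

function Export-AutorunsSnapshot {
    param([string]$Path)
    # -a * : every category, -c : CSV, -h : file hashes, -s : verify digital signatures.
    # cmd.exe redirection keeps autorunsc's own output bytes (including its BOM),
    # so Import-Csv can detect the encoding itself.
    cmd.exe /c "autorunsc.exe -accepteula -nobanner -a * -c -h -s > `"$Path`""
    Import-Csv -Path $Path
}

$today   = Get-Date -Format 'yyyyMMdd'
$current = Export-AutorunsSnapshot -Path (Join-Path $BaselineDir "autoruns-$today.csv")

# Use the newest earlier snapshot as the baseline (on the first run there is none).
$baselineFile = Get-ChildItem $BaselineDir -Filter 'autoruns-*.csv' |
    Where-Object Name -ne "autoruns-$today.csv" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($baselineFile) {
    $baseline = Import-Csv $baselineFile.FullName
    # Key on location + entry + hash so a replaced binary under an old entry shows up as well.
    $keyProps = 'Entry Location', 'Entry', 'SHA-256'
    $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $keyProps -PassThru |
        Where-Object SideIndicator -eq '=>'
    "Entries added or changed since $($baselineFile.Name): $($new.Count)"
    $new | Select-Object 'Entry Location', 'Entry', 'Image Path', 'Signer' | Format-Table -AutoSize
}

# Regardless of the diff, anything that is not "(Verified)" deserves a second look every run.
$current | Where-Object { $_.Signer -notlike '(Verified)*' -and $_.'Image Path' } |
    Select-Object 'Entry Location', 'Entry', 'Image Path', 'Signer' | Format-Table -AutoSize
```

Schedule it monthly and the two tables are the whole review: what appeared since last time, and what is running unsigned. Keeping the CSV files around also gives you a dated history of the box when an incident needs one.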
Monitor all processes live
One of the most fascinating things to observe on your server, and a great way to troubleshoot problems or performance issues, is Process Monitor, which displays a live view of all file, process, and registry activity. In just 10 minutes, my Windows server recorded 8 million events.
Things can get quite wild, as Process Monitor lists every single event or process. But with a little know-how, you can filter the information. If you suspect that a certain process or service is thrashing your hard drive or crashing at a specific point, naturally you need to find out why. You can isolate it by right-clicking and selecting Include <processname>. Look at what’s happening (under "Operation"), then check the "Results" and the "Details" for further diagnosis. That likely shows whatever is odd and why.
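When the problem only reproduces at 3 a.m., you want the capture and the first pass of filtering to happen without you. The script below is an added example (not from the article or from Sysinternals): it drives procmon.exe (assumed to be on the PATH, elevated session) through its command-line switches to record for a fixed period, converts the trace to CSV, and then does the "Operation", "Result" and "Detail" triage the paragraph describes with Group-Object instead of the GUI. The column names are those of Process Monitor's CSV export; the process name at the end is a placeholder.

```powershell
# Added example (not from the article or Sysinternals): unattended Process Monitor capture
# followed by a first triage of the results. Assumes procmon.exe is on the PATH.
$Seconds = 60
$Pml = Join-Path $env:TEMP 'capture.pml'
$Csv = Join-Path $env:TEMP 'capture.csv'

# Start a minimized capture writing to a backing file, wait, then stop it.
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Pml`""
Start-Sleep -Seconds $Seconds
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait

# Convert the binary log to CSV; Procmon exits when the conversion is done.
Start-Process procmon.exe -ArgumentList '/OpenLog', "`"$Pml`"", '/SaveAs', "`"$Csv`"" -Wait

$events = Import-Csv $Csv

# Which process/operation pairs are generating the volume?
$events | Group-Object 'Process Name', Operation |
    Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Failures are usually where the "why" lives. Skip the results every healthy process produces
# constantly (missing optional files, end-of-directory markers and the like).
$benign = 'SUCCESS', 'NAME NOT FOUND', 'END OF FILE', 'NO MORE ENTRIES', 'BUFFER OVERFLOW', 'REPARSE'
$events | Where-Object { $_.Result -notin $benign } |
    Group-Object 'Process Name', Operation, Result |
    Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Narrow to one process, as "Include <processname>" does in the GUI.
$suspect = 'example.exe'   # placeholder process name
$events | Where-Object { $_.'Process Name' -eq $suspect -and $_.Result -ne 'SUCCESS' } |
    Select-Object 'Time of Day', Operation, Path, Result, Detail -First 20 | Format-Table -AutoSize
```

Sixty seconds on a busy server is already a large CSV, so for a longer watch extend $Seconds and load the .pml back into the GUI with a filter rather than importing everything into PowerShell.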
Network commands you need to know
Getting a grip on your network connections is easy: Turn to the old familiar command line. Windows Server comes with a handful of commands to run in a command-line window that should help you get a sense of network connectivity.
First, fire up the command prompt and type in netstat. Netstat (available in all versions of Windows) lists all active connections from your local IP address to the outside world. Add the -b parameter (netstat -b) to get a list by .exe files and services so you know exactly what’s causing the connection.
ipconfig /all—an all-time classic command-line command that gives you the status of all network adapters.
At the command line, type in net statistics for a list of core performance data, such as network errors, hung sessions, bytes received, SMBs received/transmitted, write/read errors, etc. This includes all data since the last reboot—oh, and that also gives you the server’s uptime!
Last but not least, there’s PathPing. It combines Ping and Tracert and lets you trace and get statistics on a specific route. Type in pathping IPADDRESS for information on latency, lost packets, and more, after just a few seconds of tracing.
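The netstat -b view (which, note, needs an elevated prompt to resolve the owning executable) is also available as objects from PowerShell, which makes it easy to add the one thing netstat does not show: where the owning binary lives and whether it is signed. The function below is an added example, not from the article or from Microsoft; it assumes the NetTCPIP module that ships with Windows Server 2012 and later and an elevated session, and the property names Local, Remote, Signer and so on are mine.

```powershell
# Added example (not from the article): a "netstat -b" equivalent that also reports the
# image path and Authenticode status of the owning process. Assumes an elevated session
# on Windows Server 2012 or later (Get-NetTCPConnection).
function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Loopback connections are dropped by default; pass this to keep them.
        [switch]$IncludeLoopback
    )
    # Index processes once; OwningProcess is UInt32, Get-Process Id is Int32, so cast on lookup.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $IncludeLoopback -or $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }   # System/Idle have no path
            $signer = if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') {
                    $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
                } else {
                    "UNSIGNED/$($sig.Status)"
                }
            } else { 'n/a' }
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '<exited>' }
                Path    = $path
                Signer  = $signer
            }
        }
}

# Everything talking to the outside world, unsigned binaries first.
Get-ConnectionOwner |
    Sort-Object @{ Expression = { $_.Signer -like 'UNSIGNED*' }; Descending = $true }, Remote |
    Format-Table -AutoSize

# The "what is exposed" view: listening ports and the processes behind them.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

An unsigned binary with an established connection to an address you do not recognise is exactly the row you would otherwise have to assemble by hand from netstat -b, tasklist and Explorer's file properties.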
Export server application or system logs to CSV
Event Logs aren’t the fastest way to check up on system or application errors. Using a simple PowerShell command (Get-EventLog -Log "Application" or Get-EventLog -Log "System"), you can get a full list of all events in the most critical categories.
But log files often are huge, and it is not feasible to read them. Instead, export these logs into a CSV file on a regular basis. Using Excel to filter and search is far simpler than messing with Event Viewer.
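Here is the regular export as a script you can hand to Task Scheduler. It is an added example, not from the article: I use Get-WinEvent rather than the Get-EventLog shown above because it also reads the newer event logs and filters on the server side, restricts the export to Critical, Error and Warning events from a configurable window, flattens each message to one line so Excel filters behave, and writes a dated, host-named CSV. The output folder is an assumption.

```powershell
# Added example (not from the article): scheduled export of Critical/Error/Warning events
# from the System and Application logs to a dated CSV. Output folder is assumed.
param(
    [string]$OutDir = 'C:\Logs\EventExport',
    [int]$Hours = 24
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)

$filter = @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3          # 1 = Critical, 2 = Error, 3 = Warning
    StartTime = $since
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }   # one line per event

$file = Join-Path $OutDir ("events-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))
$events | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

# A console summary so one glance tells you whether the file is worth opening.
"$($events.Count) events since $since written to $file"
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

The provider/event ID summary at the end is the quickest signal: a single ID suddenly appearing hundreds of times is the usual shape of a failing disk, a flapping service or an authentication loop, and you will see it before you open Excel.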
Check Active Directory health
My primary tool to diagnose domain controllers is Microsoft’s Domain Controller Diagnostic Tool. Run it from C:\Program Files (x86)\Resource Kit. To perform a comprehensive check on all domain controllers, run dcdiag /e /v /c, whereupon you get information on abnormal system behavior such as hard disk errors and network problems. Adding /fix runs some basic (safe) DNS repairs. However, don’t count on those or get your hopes up. In my experience, you end up fixing most issues by hand!
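With /e /v /c the output runs to thousands of lines, so it helps to reduce it to a pass/fail table and keep the full text on disk for the hand-fixing that follows. The function below is an added example (not from the article or from Microsoft); it assumes dcdiag.exe is on the PATH (it is installed with the AD DS role and RSAT) and that the caller has domain admin rights. The log folder is an assumption, and the parsing relies on the "... DC01 passed test Replications" summary lines dcdiag prints per test.

```powershell
# Added example (not from the article): run dcdiag across the enterprise and surface failed tests.
function Invoke-DcHealthCheck {
    param([string]$LogDir = 'C:\Logs\dcdiag')   # assumed location
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("dcdiag-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

    # /e every DC in the enterprise, /v verbose, /c comprehensive. Keep the raw text for later.
    $out = dcdiag /e /v /c 2>&1
    $out | Set-Content -Path $log

    # Each test ends with a line such as
    # "......................... DC01 passed test Replications"
    $results = foreach ($line in $out) {
        if ($line -match '^\s*\.+\s+(?<dc>\S+)\s+(?<state>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                DC     = $Matches.dc
                Test   = $Matches.test
                Result = $Matches.state
            }
        }
    }
    [pscustomobject]@{
        Log     = $log
        Results = $results
    }
}

$check  = Invoke-DcHealthCheck
$failed = $check.Results | Where-Object Result -eq 'failed'
if ($failed) {
    "FAILED tests (details in $($check.Log)):"
    $failed | Format-Table -AutoSize
} else {
    "All $($check.Results.Count) tests passed. Full output: $($check.Log)"
}
```

Run it before and after any change on a domain controller; the diff of the two pass/fail tables is a far better change record than memory.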
WMIC: The be-all and end-all of status checks
Another useful Microsoft-provided built-in tool is the Windows Management Instrumentation Command-line utility. Running WMIC from a command line gives you dozens of tools to check up on hardware and software server activity. I regularly use several of its tools:
- DiskQuota: Lets you check whether users have reached their disk space limit.
- Group: Lists all user accounts and groups.
- IRQ: Provides a full list of server IRQs. This is great for hardware troubleshooting, especially when you have multiple network adapters.
- Printer and printjob: Gives a detailed overview of active connected printers and outstanding print jobs.
- Share: Provides an overview of all resources shared by your server.
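The same checks are available as objects through Get-CimInstance, which queries the WMI classes behind the WMIC aliases listed above (WMIC is deprecated in current Windows releases, so it pays to know the class names). The function below is an added example, not from the article or from Microsoft; it needs no extra modules, runs elevated, and flags the two things I most often want to act on: users over their quota and shares beyond the default administrative ones. Passing a computer name uses WinRM, which must be enabled on the target.

```powershell
# Added example (not from the article): the article's WMIC checks via Get-CimInstance.
# Aliases map as: DiskQuota=Win32_DiskQuota, Group=Win32_Group, IRQ=Win32_IRQResource,
# Printer=Win32_Printer, PrintJob=Win32_PrintJob, Share=Win32_Share.
function Get-ServerStatusSnapshot {
    param([string]$ComputerName)   # omit for the local machine
    $cim = @{ ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # DiskQuota: users at or above their limit (Limit 0 means no limit set).
    $quota = Get-CimInstance @cim -ClassName Win32_DiskQuota |
        Where-Object { $_.Limit -gt 0 -and $_.DiskSpaceUsed -ge $_.Limit } |
        Select-Object @{ n = 'User'; e = { $_.User.Name } },
            @{ n = 'Volume'; e = { $_.QuotaVolume.DeviceID } }, DiskSpaceUsed, Limit

    # Group: local groups only, so a domain member does not pull in every domain group.
    $groups = Get-CimInstance @cim -ClassName Win32_Group -Filter "LocalAccount = TRUE" |
        Select-Object Name, SID, Description

    # IRQ: shared interrupts are the interesting ones when several NICs compete.
    $irq = Get-CimInstance @cim -ClassName Win32_IRQResource |
        Select-Object IRQNumber, Shareable, Name

    # Printer and PrintJob
    $printers = Get-CimInstance @cim -ClassName Win32_Printer |
        Select-Object Name, PortName, PrinterStatus, WorkOffline
    $jobs = Get-CimInstance @cim -ClassName Win32_PrintJob |
        Select-Object Name, Owner, JobStatus, TotalPages, TimeSubmitted

    # Share: anything beyond the default administrative shares (C$, ADMIN$, IPC$, ...) should be known.
    $shares = Get-CimInstance @cim -ClassName Win32_Share |
        Select-Object Name, Path, Type, Description,
            @{ n = 'Administrative'; e = { $_.Name -like '*$' } }

    [pscustomobject]@{
        Computer       = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        QuotaExceeded  = $quota
        LocalGroups    = $groups
        SharedIRQs     = $irq | Where-Object Shareable
        Printers       = $printers
        PrintJobs      = $jobs
        Shares         = $shares
        NonAdminShares = $shares | Where-Object { -not $_.Administrative }
    }
}

$snap = Get-ServerStatusSnapshot
$snap.NonAdminShares | Format-Table -AutoSize
$snap.QuotaExceeded  | Format-Table -AutoSize
$snap.PrintJobs      | Format-Table -AutoSize
```

Because everything comes back as one object, the snapshot can be exported with Export-Clixml and compared against last month's, which is the same baseline habit as with Autoruns applied to shares, groups and printers.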
Beyond status dashboards
The commands here let you dive deeper into system status than you can with a Windows server overview status dashboard. Often, they let you fix things immediately. It’s a more hands-on and thorough approach.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.