- How to create a log using System Monitor in Windows
- Summary
- More Information
- Using Performance Monitor Wizard
- Creating a Log File
- Log File Names
- Multiplex Log Design Considerations
- Sample Code
- Windows Setup Log Files and Event Logs
- WindowsВ Setup Event Logs
- To view the WindowsВ Setup event logs
- To Export the log to a file
- Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations
- Introduction
- Down-level phase
- Windows Preinstallation Environment phase
- Online configuration phase
- Windows Welcome phase
- Rollback phase
How to create a log using System Monitor in Windows
Summary
This article describes how to create log files using System Monitor in Microsoft Windows 2000, Microsoft Windows XP or Microsoft Windows Server 2003.
Download and use the Performance Monitor Wizard (PerfWiz) to make the log configuration process easier to set up.
More Information
The System Monitor tool included with Windows 2000, Windows XP and Windows Server 2003 is the administrative tool that replaces the Performance Monitor tool included with Windows NT 4.0.
Here is a list of some improvements in the System Monitor tool:
You can log specific counters and instances of an object, which helps you reduce the size of log files.
The Print Queue object is a new Performance object that allows you to monitor aspects of a print queue.
You can start the log on an event using Performance Logs and Alerts.
Other Performance objects have also been added.
A sample log file is included in Windows 2000.
To create a new log:
Right-click Counter Logs, click New Log Settings, type a name for the log, and then click OK.
On the General tab in Windows 2000,click Add to add the counters you want. On the General tab in Windows XP or Windows Server 2003, click Add Counters.
On the Log Files tab, click the logging options you want.
On the Schedule tab, click the scheduling options you want.
You can set similar options in Alerts. For example, you can configure the alert to send a message, start a performance data log, or run a program, if a counter exceeds a certain value.
Using Performance Monitor Wizard
To obtain and download the Performance Monitor Wizard (PerfWiz). The Performance Monitor Wizard simplifies the gathering of performance monitor logs. It configures the correct counters to collect sample intervals and log file sizes. This wizard can create logs for troubleshooting operating system or Exchange server performance issues.
If you are troubleshooting a performance issue or an issue that looks like a memory leak, the objects that Performance Monitor should log include but are not limited to the following items. Memory resource issues:
Cache
Memory
Objects
Paging file
Process
Processor
System
Terminal Services (if a Terminal Server) For all other resource issues, add additional counters:
Logical disk
NBT Connections
Network interface
Physical disk
Redirector
Server
Server work queues
Thread (do NOT capture if a terminal server)
All Terminal Server counters (if a Terminal Server)
All Protocol counters bound to network adapters
Physical Disk counters are present by default on Windows 2000.
For additional information about how to view log files for memory leaks and performance bottlenecks, click the following article number to view the article in the Microsoft Knowledge Base:
150934 How to create a Performance Monitor log for NT troubleshooting
Also see Determining acceptable values for counters under Performance counters in Windows 2000 Help.
Creating a Log File
Before you can use CLFS, you must create a log file using the CreateLogFile function. A log file is made up of a base log file that contains metadata, and a number of containers that hold the actual data. On any local file system, containers can be in one or more separate files; on NTFS, containers can be in one or more streams within a file.
You can create containers using the AddLogContainer and AddLogContainerSet functions. You can also use the CLFS Management API to have CLFS create containers for you.
When you create containers, they are created using the same security attributes as the .blf file, and are created within the context of the user calling the AddLogContainer function, not the context of the owner of the .blf file. For more information about .blf files, see Log Types.
Log File Names
Log file names consist of the log name and an optional log stream name, depending on whether the log is dedicated or multiplexed. The following table enumerates the different ways you can specify a log file name.
| Log file name | Description |
|---|---|
| Log**: [:: ]** | The basic format of a log file name, including both required and optional elements. |
| Corresponds to a valid file path on the underlying file system. | |
| The unique name of a log stream in the log. |
Reading the first «::» from left to right delimits the end of the log name and the start of the log stream name. For example, you can create a dedicated or multiplexed log if you specify the log names in the table above when calling the CreateLogFile function.
Dedicated logs are created by clients that specify only a log name in the pszLogFileName parameter of the CreateLogFile function. This function creates a base log file (.blf) on the path that is specified by the log name. The path can be either absolute or relative. For example, if you specify «log» as the value of pszLogFileName, the file name on the computer is «log.blf», but the name of the log for the application is «log».
When a log is created, CLFS determines whether the log is dedicated or multiplexed depending on whether a dedicated log path or a multiplexed log path is specified by the pszLogFileName parameter.
Multiplex Log Design Considerations
Logs can either be dedicated or multiplexed. Dedicated logs contain one stream, and can never contain more streams. Multiplexed logs have one or more streams. You can create more streams for a multiplexed log in the future.
«Pinning a log tail» means that one log stream does not move its tail, so that all other streams within the log operate normally, write records, and move their respective tails. Eventually, because containers cannot be recycled, the log fills up and no more records can be written. Your application must ensure that when it shares a log that it only does so to users, clients, and processes that are trusted. The ACL for the log file should only include those trusted entities. For example, only allow CompanyXAdmin accounts to have write permissions to the log. By registering as a managed client, an application is entered into an implied contract between all consumers of a log that each consumer is a well-behaved application, and will move their respective log tails when requested to do so.
Sample Code
The following example shows how to:
- Create a log file
- Create the initial containers
- Set the policy for container size
- Create containers according to the policy
- Set the policy for maximum container size
Windows Setup Log Files and Event Logs
Windows® Setup creates log files for all actions that occur during installation. If you are experiencing problems installing Windows, consult the log files to troubleshoot the installation.
WindowsВ Setup log files are available in the following directories:
| Log file location | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Log file | Description |
|---|---|
| C:\WINDOWS\setupapi.log | Contains information about device changes, driver changes, and major system changes, such as service pack installations and hotfix installations. This log file is used only by Microsoft Windows XP and earlier versions. |
| C:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| C:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| C:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
Windows Preinstallation Environment phase
The Windows Preinstallation Environment (Windows PE or WinPE) phase is the Windows setup phase that occurs after the restart at the end of the downlevel phase, or when you start the computer by using the Windows installation media. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| X:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| X:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| X:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| X:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
| or | |
| C:$WINDOWS. BT\Sources\Panther\setupact.log | Contains information about setup actions during the installation. |
| C:$WINDOWS. BT\Sources\Panther\setuperr.log | Contains information about setup errors during the installation. |
| C:$WINDOWS. BT\Sources\Panther\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:$WINDOWS. BT\Sources\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
You may also see a log file in the X:\WINDOWS directory. The Setupact.log file in this directory contains information about the progress of the initial options that are selected on the Windows installation screen. The Windows installation screen appears when you start the computer by using the Windows installation media. After you select Install now from the Windows installation screen, the Setup.exe file starts, and this log file is no longer used.
Online configuration phase
The online configuration phase (the first boot phase) starts when you receive the following message:
Please wait a moment while Windows prepares to start for the first time.
During this phase, basic hardware support is installed. If it’s an upgrade installation, data and programs are also migrated. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| C:\WINDOWS\PANTHER\setupact.log | Contains information about setup actions during the installation. |
| C:\WINDOWS\PANTHER\setuperr.log | Contains information about setup errors during the installation. |
| C:\WINDOWS\PANTHER\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:\WINDOWS\INF\setupapi.dev.log | Contains information about Plug and Play devices and driver installation. |
| C:\WINDOWS\INF\setupapi.app.log | Contains information about application installation. |
| C:\WINDOWS\Panther\PostGatherPnPList.log | Contains information about the capture of devices that are on the system after the online configuration phase. |
| C:\WINDOWS\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
Windows Welcome phase
The Windows Welcome phase includes the following options and events:
- It provides the options to create user accounts.
- It provides the option to specify a name for the computer.
- The Windows System Assessment Tool (Winsat.exe) finishes performance testing to determine the Windows Experience Index rating.
The Windows Welcome phase is the final setup phase before a user signs in. The following table lists important log files in this setup phase.
| Log file | Description |
|---|---|
| C:\WINDOWS\PANTHER\setupact.log | Contains information about setup actions during the installation. |
| C:\WINDOWS\PANTHER\setuperr.log | Contains information about setup errors during the installation. |
| C:\WINDOWS\PANTHER\miglog.xml | Contains information about the user directory structure. This information includes security identifiers (SIDs). |
| C:\WINDOWS\INF\setupapi.dev.log | Contains information about Plug and Play devices and driver installation. |
| C:\WINDOWS\INF\setupapi.app.log | Contains information about application installation. |
| C:\WINDOWS\Panther\PostGatherPnPList.log | Contains information about the capture of devices that are on the system after the online configuration phase. |
| C:\WINDOWS\Panther\PreGatherPnPList.log | Contains information about the initial capture of devices that are on the system during the downlevel phase. |
| C:\WINDOWS\Performance\Winsat\winsat.log | Contains information about the Windows System Assessment Tool performance testing results. |
Rollback phase
If a Windows upgrade installation fails, and you’ve successfully rolled back the installation to the previous operating system desktop, there are several log files that you can use for troubleshooting. The following table lists important log files in this phase.
