With a nod to Vivek Gite and his popular 20 Linux System Monitoring Tools Every SysAdmin Should Know article, we present “20 Top Windows SysAdmin Tools You Should Know”.
Many of the programs listed below are included with Windows and provide all kinds of information about what is happening on the computer. Some you’ve probably heard of, and hopefully a few will be new to you.
1. Task Manager – CPU and memory usage
Everyone that deals with Windows in a system administrator capacity has to know about the most common of SysAdmin Tools, Task Manager. The nice thing is it keeps getting better with each new version of Windows.
The screenshots below show Task Manager from Windows Server 2008 R2. To make sure you see processes from every user, click the button (a check box in older versions) in the lower left corner.
The Processes tab is probably the most useful. Here you can see the list of running processes, how much memory and CPU each process is using, the user account the process is running under and more.
In addition, you can click View -> Select Columns… to show even more information, such as the Session ID a process is in, the full path to the executable, how much virtual memory the process has allocated, and more. One stop system administrator goodness 🙂
But wait, there’s more!
The Performance tab gives some nice charts of CPU utilization. You can also see total memory, kernel memory, etc.
A low amount of Free memory is not a bad thing — it often means Windows is using your RAM to cache parts of the hard disk, thus speeding up many operations. If the RAM is needed, the caches will give it back.
One of the best kept secrets, the Resource Monitor, is also accessible from here.
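The same columns Task Manager exposes under View -> Select Columns (session ID, owning user, image path, working-set and virtual memory, CPU time) can be pulled for every process from a script, which is handy when you want to sort, filter or save the list. The following is an added example and not code from the original article; the `Get-ProcessInventory` function name and the "unusual path" filter at the end are my own choices.

```powershell
# Added example, not part of the original article: the Task Manager
# "Select Columns" details collected for every process. Run from an
# elevated prompt to see other users' processes.

function Get-ProcessInventory {
    # Win32_Process carries the owner, session and executable path;
    # Get-Process carries the memory and CPU counters. Join them on the PID.
    foreach ($p in (Get-CimInstance -ClassName Win32_Process)) {
        $owner = 'n/a'
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        } catch { }

        $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $ws = $vm = $cpu = $null
        if ($proc) {
            $ws = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            $vm = [math]::Round($proc.VirtualMemorySize64 / 1MB, 1)
            if ($null -ne $proc.CPU) { $cpu = [math]::Round($proc.CPU, 1) }  # processor seconds
        }
        [pscustomobject]@{
            PID          = $p.ProcessId
            Name         = $p.Name
            SessionId    = $p.SessionId
            User         = $owner
            WorkingSetMB = $ws
            VirtualMB    = $vm
            CPUSeconds   = $cpu
            Path         = $p.ExecutablePath   # empty for protected/system processes
        }
    }
}

# Top memory consumers, the way you would sort the Processes tab
Get-ProcessInventory |
    Sort-Object WorkingSetMB -Descending |
    Select-Object -First 15 |
    Format-Table -AutoSize

# Processes whose image lives outside the Windows and Program Files trees
# deserve a second look (a heuristic, not a verdict)
$knownRoots = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
Get-ProcessInventory |
    Where-Object { $_.Path -and -not ($knownRoots | Where-Object { $_ -and $PSItem }) } |
    Where-Object { $p = $_.Path; -not ($knownRoots | Where-Object { $p -like $_ }) } |
    Format-Table PID, Name, User, Path -AutoSize
```

The second filter is the one that does the work: it keeps a process only if its path matches none of the known roots. Like Task Manager itself, the path and owner come back empty for processes you are not allowed to open, so an empty `Path` is a permissions artefact rather than evidence of anything.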
2. Resource Monitor – high-level disk I/O tracking
Have you ever been using a computer or server and noticed it get really sluggish? Sometimes you can hear the disk thrashing and know that some process is busier than you want it to be. If you’re lucky, you can check Task Manager and sort by CPU to see which process is using a lot of CPU. But in many cases, the offending process is doing very little with CPU because it’s so busy thrashing the disk. Another fairly common piece of Windows SysAdmin Tools, the Resource Monitor, lets you find the culprit.
Start the Resource Monitor and click the Disk tab. Expand the “Processes with Disk Activity” drop down. Sort the list by the “Total (B/sec)” column to quickly see which process is so busy. To further understand what is happening, you can expand the “Disk Activity” drop down and sort that list by “Total (B/sec)”. Looking at the file names will sometimes give a hint about whether the process is doing a backup, writing to a log file, or some other activity.
3. Performance Monitor (aka Perfmon)
Performance Monitor is a real gem on Windows, and many IT folks would benefit by becoming more comfortable with it. The operating system publishes many useful stats here (active database connections, active HTTP connections, CPU usage, time per disk read, network usage, process memory, etc). In addition, other application providers can also include stats, and most (all?) of Microsoft’s major apps do, like IIS, MS SQL Server and Exchange.
When you first start perfmon.exe or perfmon.msc (they’re the same), it’s not much to look at. Make sure to click the “Performance Monitor” node, and then the green plus symbol to add counters to watch.
There are sooo many counters that can be monitored that this article can’t even begin to cover them. One thing that will help though – when you’re looking at the list of counters, check the “Show description” box at the bottom left corner – this helps you understand what the selected counter does.
Also note that Perfmon can connect to other computers on your network and display their counter values.
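Resource Monitor's "Processes with Disk Activity" list and Perfmon's counters are two views of the same data, and `Get-Counter` reads those counters from a script, locally or (as the note above says Perfmon can) from another computer. The example below is added here and is not from the original article; `Get-TopDiskProcesses` is my own function name. One caveat the GUI hides: the `Process\IO Read Bytes/sec` and `IO Write Bytes/sec` counters count every I/O a process issues, network and device I/O included, so they approximate Resource Monitor's disk column rather than reproduce it exactly.

```powershell
# Added example, not part of the original article: rank processes by I/O
# throughput using the same Perfmon counters Resource Monitor reads.

function Get-TopDiskProcesses {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # Perfmon-style remote read
        [int]$Top = 10,
        [int]$Samples = 3                          # average over a few seconds
    )
    $paths = @(
        '\Process(*)\IO Read Bytes/sec',
        '\Process(*)\IO Write Bytes/sec'
    )
    # One sample per second; several samples smooth out a single noisy second
    $data = Get-Counter -ComputerName $ComputerName -Counter $paths `
        -SampleInterval 1 -MaxSamples $Samples

    # Get-Counter returns instance names and paths in lower case; -like is
    # case-insensitive so the pattern matches either way.
    $data.CounterSamples |
        Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
        Group-Object InstanceName |
        ForEach-Object {
            $reads  = ($_.Group | Where-Object Path -like '*io read bytes/sec' |
                       Measure-Object CookedValue -Average).Average
            $writes = ($_.Group | Where-Object Path -like '*io write bytes/sec' |
                       Measure-Object CookedValue -Average).Average
            [pscustomobject]@{
                Process     = $_.Name          # duplicates appear as name#1, name#2
                'Read B/s'  = [math]::Round($reads)
                'Write B/s' = [math]::Round($writes)
                'Total B/s' = [math]::Round($reads + $writes)
            }
        } |
        Sort-Object 'Total B/s' -Descending |
        Select-Object -First $Top
}

Get-TopDiskProcesses | Format-Table -AutoSize

# The counters available in the Process set, with the same descriptions the
# "Show description" box in Perfmon displays:
Get-Counter -ListSet Process | Select-Object -ExpandProperty Counter
```

To look at a different computer, pass `-ComputerName`; it needs the Remote Registry service running on the target and an account that can read its performance data, which is the same requirement Perfmon has when you point it at another machine.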
(Side note, there is a compiled list of typical counters to monitor for Microsoft Exchange at:
4. Services – control Windows services
The Services applet (services.msc — it’s the gear-looking icon in Administrative Tools) is where you can control the service processes that are running on Windows. Of particular interest to IT admins is the service’s startup type (usually Automatic or Manual) and the Log On As account.
‘Recovery’ is a cool, underused feature. Right-click a service and go to Properties. On the Recovery tab you can tell Windows what it should do if the service stops unexpectedly (crashes). Restarting the service is often a good option.
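Both things the section above cares about, the startup type with the Log On As account and the Recovery action, can be audited and set from the command line. The following is an added example, not code from the original article: `Get-ServiceLogonReport` and `Set-ServiceRestartOnFailure` are my own function names, the service name `MyService` is a placeholder, and the recovery settings are applied with `sc.exe`, which is what the Recovery tab writes to as well.

```powershell
# Added example, not part of the original article: audit startup type and
# "Log On As" for every service, then set the Recovery tab's "Restart the
# Service" action with sc.exe.

function Get-ServiceLogonReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Built-in identities; anything else is a named account (or a virtual
    # "NT SERVICE\..." account) and is worth knowing about.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                State         = $_.State        # Running / Stopped
                StartMode     = $_.StartMode    # Auto / Manual / Disabled
                LogOnAs       = $_.StartName
                CustomAccount = [bool]($_.StartName -and $_.StartName -notin $builtIn)
                PathName      = $_.PathName     # the image the SCM launches
            }
        } |
        Sort-Object @{ Expression = 'CustomAccount'; Descending = $true }, Name
}

function Set-ServiceRestartOnFailure {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$DelayMs = 60000,       # wait a minute before restarting
        [int]$ResetSeconds = 86400   # reset the failure count after a day
    )
    # Actions for the 1st, 2nd and 3rd failure: restart, restart, then nothing
    # (the empty trailing action). sc.exe requires the space after each '='.
    & sc.exe failure $Name reset= $ResetSeconds actions= "restart/$DelayMs/restart/$DelayMs//"
    # Also count a stop with a non-zero exit code as a failure, not just a crash
    & sc.exe failureflag $Name 1
    & sc.exe qfailure $Name
}

# Services that start automatically or run under a named account
Get-ServiceLogonReport |
    Where-Object { $_.CustomAccount -or $_.StartMode -eq 'Auto' } |
    Format-Table Name, State, StartMode, LogOnAs, CustomAccount -AutoSize

Set-ServiceRestartOnFailure -Name 'MyService'   # placeholder service name
```

Services flagged `CustomAccount` are the ones to keep an inventory of: a named account's password is stored by the Service Control Manager, so those accounts should be dedicated to the service, hold only the rights it needs, and be rotated with the rest of your credentials. Both functions need an elevated prompt to change anything; the report alone works as a standard user.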
5. Event Log Viewer – system logs, errors and events
One SysAdmin Tool no one should overlook is the Windows Event Log Viewer. It shows a wealth of information about problems that might be happening on a server, including hardware errors, server restarts and more. The Application and System logs are typically where you’ll find what you’re looking for, but there are more logs than that on modern Windows. If you have a blue screen, a server hang, or an application misbehaving, look in the Event Log first.
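The Event Log Viewer's filtering is available from a script through `Get-WinEvent`, which makes "look in the Event Log first" something you can do across a fleet in one go. The example below is added here and is not from the original article; `Get-RecentProblems` and `Get-UnexpectedRestarts` are my own names. The two event IDs in the second function are the well-known System log markers for a reboot that did not go through a clean shutdown.

```powershell
# Added example, not part of the original article: summarise recent errors
# from the Application and System logs, and list unexpected restarts.

function Get-RecentProblems {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'System', 'Application'
        Level     = 1, 2                       # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object LogName, ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Count    = $_.Count
                Log      = $latest.LogName
                Provider = $latest.ProviderName
                EventId  = $latest.Id
                Latest   = $latest.TimeCreated
                Message  = ($latest.Message -split "`r?`n")[0]   # first line only
            }
        }
}

function Get-UnexpectedRestarts {
    param([int]$Days = 30, [string]$ComputerName = $env:COMPUTERNAME)
    # EventLog 6008: "The previous system shutdown ... was unexpected".
    # Microsoft-Windows-Kernel-Power 41: the system rebooted without a clean shutdown.
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $since }
    )
    $filters |
        ForEach-Object { Get-WinEvent -ComputerName $ComputerName -FilterHashtable $_ -ErrorAction SilentlyContinue } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-RecentProblems | Format-Table -AutoSize
Get-UnexpectedRestarts | Format-Table -AutoSize
```

`-ErrorAction SilentlyContinue` matters here: `Get-WinEvent` reports "no events were found" as an error, which would otherwise abort the pipeline on a healthy machine. Grouping by provider and ID first, rather than reading events one by one, is what turns a few thousand entries into a short list of distinct problems.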
6. PsExec – start apps on remote computers
PsExec is not an app that comes with Windows, but it’s a free sysadmin tool/utility from Microsoft (originally from Sysinternals) that lets you start apps on a remote computer.
In the simple example above, PsExec was started locally, to run ipconfig on a remote computer (‘archive’) to find out what gateway it is using. PsExec can be very handy in many situations. If you need a redistributable PsExec, take a look at PAExec.
7. Process Monitor – low level file I/O and registry spying
Another beauty from Microsoft’s sysadmin tools (Sysinternals) is Process Monitor. From the web page: “Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.”
The power is in the filtering – you can have it show you only registry access to a particular key, or file I/O operations taking place in a specific folder, or from a specific program. It’s a great help when something ought to work but doesn’t because you can (for example) see where a file or registry read is failing.
8. Task Scheduler
Unix has its cron, and Windows has Task Scheduler. (Well, Windows also has ‘at’, but that’s another story.) Task Scheduler can be found in Administrative Tools, or started via taskschd.msc.
From the screenshot, you can see that various companies (Google and Adobe for example) will create scheduled tasks so their applications are launched periodically for some background processing. Windows itself has many tasks it uses. And of course, you can easily create your own. One simple example is to compress and/or move log files. Or run a periodic database cleanup script. Or to check for updates. Or ….
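The log-rotation task mentioned above, built with the ScheduledTasks module instead of the GUI wizard, as an added example that is not code from the original article. Every path, the task name and the seven-day retention are assumptions; the task runs as the SYSTEM service identity so the example works on any machine, though a dedicated account with write access to just the log folders would be the least-privilege choice.

```powershell
# Added example, not part of the original article: a scheduled task that
# compresses *.log files older than 7 days into a dated zip and removes them.

$scriptDir  = 'C:\Scripts'                   # assumption; keep this folder admin-writable only
$scriptPath = Join-Path $scriptDir 'Rotate-Logs.ps1'
$logDir     = 'C:\Logs'                      # assumption
$archiveDir = 'C:\Logs\Archive'              # assumption

# 1. The script the task runs (written to disk below).
$rotateScript = @'
param([string]$LogDir, [string]$ArchiveDir, [int]$Days = 7)
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$Days)
$old = @(Get-ChildItem -Path $LogDir -Filter *.log -File | Where-Object LastWriteTime -lt $cutoff)
if ($old.Count -gt 0) {
    $zip = Join-Path $ArchiveDir ('logs-{0:yyyyMMdd-HHmm}.zip' -f (Get-Date))
    Compress-Archive -Path $old.FullName -DestinationPath $zip
    $old | Remove-Item -Force
}
'@
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path $scriptPath -Value $rotateScript

# 2. Register the task: nightly at 02:00 as SYSTEM, one-hour time limit,
#    and a catch-up run if the machine was off at 02:00.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -NonInteractive -File `"$scriptPath`" -LogDir `"$logDir`" -ArchiveDir `"$archiveDir`"")
$trigger   = New-ScheduledTaskTrigger -Daily -At 2:00AM
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'Rotate-Logs' -TaskPath '\Maintenance\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings `
    -Description 'Archive *.log files older than 7 days' -Force | Out-Null

# 3. Inspect it the way the GUI's History/General tabs would, then run it once.
Get-ScheduledTask -TaskName 'Rotate-Logs' | Get-ScheduledTaskInfo
Start-ScheduledTask -TaskPath '\Maintenance\' -TaskName 'Rotate-Logs'
```

Two things to watch with any task like this: the machine's execution policy has to allow the script to run (sign it rather than reaching for a bypass switch), and because the task runs the script with SYSTEM's rights, the folder holding the script should be writable only by administrators.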
9. netstat – view network connections
Being familiar with netstat signals you’re no mere hobbyist, but a serious IT professional. Netstat shows the status of current network connections – run it without any command line arguments and that’s what you’ll see.
To see connections along with the process that created them, run netstat -b (this needs an elevated prompt). To see current connections as well as ports that are listening for incoming connections, run netstat -ab as shown below:
Note that the process involved with the port is shown below the port information. So mysqld is listening on port 3306, not 3389.
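Because netstat prints the process name on the line after the port, it is easy to misread which process owns which port, exactly the 3306-versus-3389 mix-up the note above warns about. The example below, added here and not part of the original article, parses `netstat -ano` output (which puts the PID on the same line as the port) into objects, so each listening port sits on one row with its owner. The `ConvertFrom-Netstat` name, the sample output and the PID-to-name table are all constructed for the example.

```powershell
# Added example, not part of the original article: turn "netstat -ano" output
# into objects with the owning process on the same row as the port.

function ConvertFrom-Netstat {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines,
        [hashtable]$PidNames = $null   # optional PID -> name map; live runs resolve via Get-Process
    )
    process {
        foreach ($line in $Lines) {
            # Columns: Proto  Local Address  Foreign Address  State  PID  (UDP rows have no State)
            $f = $line.Trim() -split '\s+'
            if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { continue }   # skips headers and blanks
            if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = [int]$f[4] }
            else                 { $state = '';    $procId = [int]$f[3] }
            $local = $f[1]
            $port  = $local.Substring($local.LastIndexOf(':') + 1)   # works for [::]:3306 too
            if ($PidNames) { $name = $PidNames[$procId] }
            else { $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName }
            [pscustomobject]@{
                Proto     = $f[0]
                LocalPort = [int]$port
                Local     = $local
                Remote    = $f[2]
                State     = $state
                PID       = $procId
                Process   = $name
            }
        }
    }
}

# Constructed sample of "netstat -ano" output (not captured from a real host)
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       612
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  UDP    0.0.0.0:3389           *:*                                    612
'@ -split "`r?`n"
$names = @{ 1234 = 'mysqld'; 612 = 'svchost'; 4120 = 'chrome' }   # constructed PID -> name map

$sample | ConvertFrom-Netstat -PidNames $names | Format-Table -AutoSize

# On a live machine (listening sockets only, sorted by port):
# netstat -ano | ConvertFrom-Netstat | Where-Object State -eq 'LISTENING' | Sort-Object LocalPort
```

Run against the sample, mysqld lands on port 3306 and svchost on 3389 with no ambiguity. Unlike `-b`, `-o` does not need elevation; the PID is enough to look the process up afterwards, and keeping a saved copy of the listening-port list from a known-good build gives you something to diff against when a server starts listening on a port nobody asked for.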
10. Wireshark – view network packets
If you ever need to see network packets entering and leaving a computer, look no further than Wireshark. This is a fantastic free SysAdmin tool that will capture every packet, and even better, break each one down into its appropriate protocol headers and content. Below I’ve clicked a packet for an HTTP 302 redirect message coming in from a web server.
The documentation is great, and once you get the hang of it, you can watch all of the applications on your computer, see which servers they are talking to, and what information is being sent and received.