ExMon (Microsoft Exchange Server User Monitor), Usage Notes

2010-07-09: Updated

2010-03-26: Initial Post

Exchange Server 2003 SP2 / Windows Server 2003 SP2 (to include two-node active/passive cluster)

Someone at work had to use this tool the other day and I shadowed him. I've known of this tool for some time, but never had to use it. I did some research on it and made some notes below.

  • ExMon's focus is primarily on MAPI client/server interaction.
  • To collect data, ExMon must be run locally either via GUI, System Monitor, or command-line.
  • Installed as an MSI package. The installation defaults to C:\Program Files\Exmon\ and the executable is Exmon.exe.
  • Install requires running included .reg file to edit two registry entries to allow ExMon to collect data. To use System Monitor with ExMon requires a restart of the Microsoft Exchange Information Store service after the reg updates.
  • If you want to use ExMon on any active cluster node, ExMon and the .reg file must be installed/run on each node.
  • The other day (2010-07-02) I opened up a case with MS for an issue and the tech who worked my case had me run ExMon. He had me copy the Exmon.exe file from another server where I had it installed. I asked him if I needed to run the .reg file and he said it wasn't necessary. ExMon ran without any errors. So now I'm wondering what extra features does the .reg file add to ExMon? And why did the tech tell me that I didn't need to run it even though it's included with the install package?
  • The GUI shows data via three tabs (views): By User, By Version, and By Clientmon.
  • Default location for saved data file is in the install directory, C:\Program Files\Exmon\. The data files have a .etl extension and automatically stop at 512 MB. There's a floppy disk icon on the toolbar, which if depressed, saves the .ETL file.
  • Command-line must be used to export data files to CSV format, selecting the specific view to export.
  • Can be installed on non-Exchange server/desktop to view ExMon data files.
  • Uses Event Tracing for Windows (ETW).

On 2010-03-26, from http://technet.microsoft.com

Using ExMon, administrators can view the following:

  • IP addresses used by clients
  • Microsoft Office Outlook® versions and mode, such as Cached Exchange Mode and classic online mode
  • Outlook client-side monitoring data
  • Resource use, such as:
  • CPU usage
  • Server-side processor latency
  • Total latency for network and processing with Outlook 2003 and later versions of MAPI
  • Network bytes

ExMon measures only MAPI traffic and load on an Exchange server. It does not include or display data about other protocols, such as Simple Mail Transfer Protocol (SMTP), Distributed Authoring and Versioning (DAV), Outlook Web Access, Post Office Protocol version 3 (POP3), or Internet Message Access Protocol version 4rev1 (IMAP4). . .

ExMon enables administrators to view and analyze how individual users affect the health and performance of an Exchange server, including CPU usage and network traffic. It also enables administrators to view and analyze how those individual users' experience is affected by the server. . .

You must configure ExMon to collect data by one or more of the following methods:

  • Collecting data directly with ExMon [GUI]
  • Collecting data by using System Monitor (Windows 2000 Server and Windows Server 2003 only)
  • Collecting data by using command-line tools . . .

ExMon starts collecting data immediately in one-minute intervals and displays collected data at the end of the data interval [when using direct mode GUI]. . .

By using the Update Interval (min) control on the toolbar, pick a tracing interval between one and 30 minutes. To create traces longer than 30 minutes, chose a different collection mode. . .

Collecting data by using System Monitor is the preferred method of data collection. Collecting data by using System Monitor enables the scheduled collection of ExMon data in a familiar interface. System Monitor enables scheduling data collection on a daily or weekly basis. . .

To use the Tracelog command-line tool to collect data . . . Tracelog.exe is in the Windows\System32 directory on Windows Server 2003 and also in the Microsoft Driver Development Kit (DDK) for Windows 2000 Server.

In Windows Server 2008 and Windows Server 2003 installations, you can use the Logman tool to enable tracing. . .

Tracing time depends on user activity and how you want to use the data. For good averages across all users, it is recommended that you collect data for at least 30 minutes during a period of expected user activity. Some client monitoring data is collected only at certain intervals. Therefore, collecting data for longer may increase the probability of more complete data. When you troubleshoot individual users and problems, traces of one to five minutes are generally sufficient. . .

Also note that ExMon tracing uses a Windows technology known as Event Tracing for Windows (ETW). ETW was designed especially for performance tracing and is used by core parts of Windows. As a result, the effect on the server is less than two percent additional processing time and a negligible additional latency.

On 2010-03-26, from http://www.msexchange.org

The data collected by ExMon is by default saved in Event Trace Log (.ETL) files in the installation directory (C:\Program Files\ExMon) . . .

Personally I got a bit scared when I saw the trace just continued, but fortunately I later found out it had a limit of 512 MB where the trace will stop collecting automatically. . .

Leave a Reply

*