Using Exchange Server User

Monitor
Published: March 2005
Applies To: Exchange Server 2003 SP1, Exchange 2000 Server SP3

Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Outlook, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
 Using Exchange Server User Monitor 1

Introduction

The Microsoft® Exchange User Monitor (ExMon) tool enables administrators to view and evaluate individual
users' usage and experience with Microsoft Exchange Server. With this tool, administrators can gather real-
time data that helps them better understand current client usage patterns and plan for future use.
By using ExMon, administrators can view the following:

• IP addresses used by clients

• Microsoft Office Outlook® versions and mode, such as Cached Exchange Mode and classic online mode
• Outlook client-side monitoring data
• Resource use, such as:
• CPU usage
• Server-side processor latency
• Total latency for network and processing with Outlook 2003 version MAPI
• Network bytes
Note ExMon measures only MAPI traffic and load on an Exchange server. It does not include or
display data about other protocols, such as Simple Mail Transfer Protocol (SMTP), Distributed
Authoring and Versioning (DAV), Outlook Web Access, Post Office Protocol version 3 (POP3), or
Internet Message Access Protocol version 4rev1 (IMAP4).

When to Use ExMon

ExMon enables administrators to view and analyze how individual users affect the health and performance of
an Exchange server, including CPU usage and network traffic. It also enables administrators to view and
analyze how those individual users' experience is affected by the server.
Note that ExMon does not report all information about server health or user experience. For example, ExMon
does not report on the following factors that can affect Exchange Server 2003 performance:

• Incoming unsolicited commercial e-mail (also known as spam) from the Internet
• Incoming SMTP mail flow from the Internet or from other sites in your organization
• Use of non-MAPI protocols for account access, such as POP3 and IMAP4
• Use of mobile devices, although some Exchange ActiveSync® client traffic is included
ExMon provides an overview of individual users' behavior only. It should be used with other procedures and
tools that are recommended by Microsoft.
 Using Exchange Server User Monitor 2

Installation

To collect data, ExMon can be installed on either Exchange 2000 Server SP2 and later versions, or Exchange
Server 2003 SP1 and later versions. You can collect data that is relevant to the Exchange server on which
ExMon is installed.
To view data, you do not need to install ExMon on an Exchange server. If the input file that you want to read
was installed on a Microsoft Windows Server™ 2003 server, you will need to install ExMon on a
Windows Server 2003 server. If the input file was collected on Microsoft Windows® Server 2000, you can use
ExMon that is installed on Windows Server 2003, Windows 2000 Server, or Windows XP to view the data.
To install ExMon, perform the following procedure.

To install ExMon
1. Double-click the Exmon Windows Installer package and follow the installation steps. By default, ExMon
is installed to the \Program Files\Exmon\ folder.
2. In the Command Prompt window, locate the newly created folder.
3. At the command prompt, type exmon.reg. This command creates the registry key for ExMon data
collection.

Selecting a Data Collection Method

You must configure Exmon to collect data by one or more of the following methods:

• Collecting data directly with ExMon

• Collecting data by using System Monitor
• Collecting data by using command-line tools

Collecting Data Directly with

ExMon
Collecting data directly with ExMon is the simplest method for short-term data collection. ExMon collects data
in user-configurable intervals and displays that data after collection. Collecting data directly with ExMon is
most useful for quick spot checks of a server, not for large-scale or long-interval data collection. For large-
scale or long-interval data collection, use the data collection methods that are described in the next sections.
Using Exchange Server User Monitor 3

To run ExMon and collect data

1. Verify that the Microsoft Exchange Information Store service is running.
2. Run Exmon.exe. ExMon starts collecting data immediately in one-minute intervals and displays collected
data at the end of the data interval.
Note By default, ExMon does not permanently save collected data. It uses temporary files.
See the "To change the data collection interval" procedure in this section for instructions on
changing the collection interval.

To stop data collection in ExMon

Select File, and then click Stop, or click Stop Tracing on the toolbar.

To resume data collection in ExMon

Select File, and then click Start, or click Start Tracing on the toolbar.
Note The Microsoft Exchange Information Store service must be running for ExMon to
successfully start tracing.

To change the data collection interval

By using the Update Interval (min) control on the toolbar, pick a tracing interval between one and 30 minutes.
To create traces longer than 30 minutes, chose a different collection mode.
Caution Because ExMon displays trace files at every update interval, administrators should use
caution on production servers. The parsing of ExMon data files can be computationally intensive
and can affect Exchange performance. Large update intervals produce large files that are more
likely to affect server performance.

Collecting Data Using System

Monitor
Collecting data by using System Monitor is the preferred method of data collection. Collecting data by using
System Monitor enables the scheduled collection of ExMon data in a familiar interface. System Monitor
enables scheduling data collection on a daily or weekly basis.
Follow these steps to collect ExMon data with System Monitor.
To configure a trace log
1. Whether you are running Windows Server 2000 or Windows Server 2003, log on to the server by using
credentials that are configured as a local administrator.
Important The account that you use to collect Exmon data must be a member of the
administrative group on the Exchange server.

2. To start System Monitor, click Start, click Run, and then type perfmon.msc.
3. In the Performance console, expand Performance Logs and Alerts, and right-click Trace Logs. Select
New Log Settings.
4. Create a descriptive name for the new log.
5. Under Nonsystem Providers, click Add.
6. Select Microsoft Exchange Information Store, and then click OK.
7. Provide credentials to Run As in the form DOMAIN\username. You also must provide a password by
clicking Set Password.
Using Exchange Server User Monitor 4

8. Set other options, such as schedule and logging directory. For help in configuring these options, see
System Monitor Help.
9. Click OK. Data collection will start according to the scheduling options that you have selected.

Collecting Data Using Command-

Line Tools
Advanced users can customize and script ExMon data collection by typing commands at a command prompt.
Use the following procedures to collect ExMon data by using command-line tools.
 Using Exchange Server User Monitor 5

To collect data by using command-line tools

1. Click Start, click Run, and then type cmd to open a Command Prompt window.
2. At the command prompt, type tracelog.exe –start "Exchange Tracing" –f [Drive:][Path]
OutputFileName –guid [Drive:][Path] guids.txt ExMonPath\guids.txt refers to the full path of the
Guids.txt file that was copied to the directory when you installed ExMon. Data collection will start
immediately.
Note Tracelog.exe is in the Windows\System32 directory on Windows Server 2003 and also in
the Microsoft Driver Development Kit (DDK) for Windows 2000 Server.

To stop data collection

1. Click Start, click Run, and then type cmd to open a Command Prompt window.
2. At the command prompt, type tracelog.exe –stop "Exchange Tracing"

Viewing ExMon Data

The following sections describe the three views of data in ExMon and how to view them.

Displaying Data in ExMon

Use the ExMon user interface to display data.

To view data in ExMon

1. Click Start, click Run, and then type cmd to open a Command Prompt window.
2. At the command prompt, type exmon.exe "[Drive:][Path]InputFileName"

Description of ExMon Data

Columns
By using ExMon, you can display data in the following ways.

• By User View
• By Version View
• By Clientmon View
Using Exchange Server User Monitor 6

Displaying Data in the By User View

The By User view aggregates data about individual users' consumption of server resources. Each row in the
view contains data about one user, whether that user has only one computer or is accessing Exchange Server
from multiple computers. Table 1 shows the types of data that are displayed in the By User view.

Table 1 Data Displayed in the By User View

Column Name Column Description

User Name The display name of the user.
Note In the case of Delegate Access or a shared mailbox, the user
name corresponds to the actual user, not the mailbox.
Note A blank user name indicates system usage and use of clients that
have not successfully authenticated.
Packets The count of remote procedure call (RPC) packets that have been
processed by the server.
Operations The count of operations in RPC packets. Frequently, Exchange Server
assembles operations together to reduce network overhead.
CPU Time (ms) The sum of processing time consumed and reported in milliseconds.
1000 milliseconds corresponds to one second of 100 percent processor
utilization or to two seconds of 50 percent processor utilization (and so
on).
CPU % The percentage of store CPU, not total processor CPU, consumed by the
user.
Avg. Server Latency (ms) The average amount of time that Exchange Server spends processing,
retrieving data from disk, and communicating with the Active
Directory® directory service global catalogs and domain controllers.
Max. Server Latency (ms) The maximum time that Exchange Server spends processing, retrieving
data from disk, and communicating with Active Directory global
catalogs and domain controllers.
Bytes In Sum of Exchange-related data that the server receives after
compression. This sum does not include TCP/IP overhead or packet
retransmission.
Bytes Out Sum of Exchange-related data that the server sends to the client after
compression. This sum does not include TCP/IP overhead or packet
retransmission.
Client Versions A list of all distinct versions of MAPI clients that are used. The versions
that are listed are the version of EMSMDB32.dll.
Client IP Addresses A list of all distinct IP addresses that are used by MAPI clients.
Note The IP addresses that are listed in this column are the IP address
after any proxy servers or network address translation. They might not
be the MAPI client's actual IP address.
Read Pages The count of 4-KB ESE pages that are read from an Exchange database
file. This count might not equal the exact number of Physical Disk I/Os
that are requested because of splitting and coalescing of I/Os.
Using Exchange Server User Monitor 7

Column Name Column Description

PreRead Pages The count of 4-KB ESE pages that are opportunistically read from an
Exchange database file. This count might not equal the exact number of
physical disk I/Os that are requested because of splitting and coalescing
of I/Os.
Pages Dirtied The count of 4-KB ESE pages that are updated by Exchange Server.
Updates occur in memory and are physically written to storage later.
This count might not equal the exact number of physical disk I/Os that
are requested because of splitting and coalescing of I/Os.
Log Bytes The count of bytes written to the Jet transaction logs. This count might
not equal the exact number of physical disk I/Os that are requested
because of splitting and coalescing of I/Os.

Displaying Data in the By Version View

The By Version view aggregates data about the client version. This view is useful to evaluate the overall load
that is generated by the various versions of MAPI clients. Table 2 shows the types of data that are displayed in
the By Version view.

Table 2 Data Displayed in the By Version view

Column Name Column Description

Version The version of the MAPI client. The version reported
reflects the version of EMSMDB32.dll.
Packets The count of RPC packets that have been processed
by the server.
Operations The count of operations that is contained in RPC
packets. Generally, Exchange Server assembles
operations together to reduce network overhead.
CPU Time (ms) Sum of processing time consumed and reported in
milliseconds. 1000 milliseconds corresponds to 1
second of 100 percent processor utilization or to 2
seconds of 50 percent processor utilization (and so
on).
CPU % The percentage of store CPU, not total processor
CPU, consumed by the MAPI version.
Avg. Server Latency (ms) The average amount of time that Exchange Server
spends processing, retrieving data from disk, and
communicating with the Active Directory global
catalogs and domain controllers.
Max. Server Latency (ms) The maximum time Exchange Server that spends
processing, retrieving data from disk, and
communicating with Active Directory global catalogs
and domain controllers.
Using Exchange Server User Monitor 8

Column Name Column Description

Bytes In Sum of Exchange-related data that the server receives
after compression. This sum does not include TCP/IP
overhead or packet retransmission.
Bytes Out Sum of Exchange-related data that the server sends to
the client after compression. This sum does not
include TCP/IP overhead or packet retransmission.

Displaying Data in the By Clientmon

View
The By Clientmon view aggregates data that helps administrators quantify individual users' experience with
Outlook 2003 and later versions. Table 3 shows the types of data that are displayed in the By Clientmon view.
Note Only Outlook 2003 provides data. Earlier versions of Outlook will not contribute data to this
view.

Table 3 Data Displayed in the By Clientmon view

Column Name Column Description

User Name The display name of the user.
Note In the case of Delegate Access or a shared
mailbox, the user name corresponds to the actual
user, not the mailbox.
Note The blank user name indicates system usage
and use of clients that have not successfully
authenticated.
Succeeded RPC Count The count of succeeded RPC calls that client-side
monitoring reports about Outlook 2003.
Avg. Client Latency (ms) The average of per-RPC roundtrip times as seen by
the MAPI client. This time includes all network
transit, queuing, and processing time.
Max. Client Latency (ms) The maximum per-RPC roundtrip time as seen by the
MAPI client. This time includes all network transit,
queuing, and processing time.
Avg. Foreground Client Latency (ms) The average of per-RPC roundtrip times as seen by
the MAPI client that will cause the Outlook user
interface to stop responding. This does not include all
possible scenarios that could cause Outlook to stop
responding. This time includes all network transit,
queuing, and processing time.
Note This field requires that Exchange Server 2003
is running SP1 or later versions, and that the MAPI
clients are running Outlook 2003 SP1 or later
versions.
Using Exchange Server User Monitor 9

Column Name Column Description

Max. Foreground Client Latency (ms) The maximum per-RPC roundtrip time as seen by the
MAPI client that will cause the Outlook user
interface to stop responding. This does not include all
possible scenarios that could cause Outlook to stop
responding. This time includes all network transit,
queuing, and processing time.
Note This field requires that Exchange Server 2003
is running SP1 or earlier versions, and that the MAPI
clients are running Outlook 2003 SP1 or earlier
versions.
Cached Mode Sessions The count of separate RPC connections that are using
Outlook 2003 Cached Exchange Mode.
Note Users who are using Cached Exchange Mode
across all their computers have a Cached Exchange
Mode session count that equals their session count. If
a user's Cached Exchange Mode session count is less
than the session count, the user is running multiple
computers or is using Cached Exchange Mode and
classic online access at the same time.
Client Processes The list of distinct names of processes that the user
uses to access Exchange Server. Outlook is reported
as Outlook.exe. Third-party applications might also
be listed here. An example of another application
might be wcesmgr.exe, which is the ActiveSync
application. ActiveSync provides synchronization to
some mobile devices.

Exporting ExMon Data

ExMon supports the export of data from all data views. It exports the data to comma-separated text files (.csv).
The exported data can be used by several programs, including Microsoft Excel, Microsoft Access, and
Microsoft SQL™ Server.

To export By User data to a .csv file

1. Click Start, click Run, and then type cmd to open a Command Prompt window.
2. At the command prompt, type exmon.exe –SU "[Drive:][Path]OutputFileName" "[Drive:]
[Path]InputFileName"
Tip You can export multiple files at the same time by combining the –SU, -SV, and –SC options.
However, you must export each one to a separate output file.
 Using Exchange Server User Monitor 10

ExMon Syntax

This section provides examples of the exmon command and explanations of the parameters.
exmon.exe
exmon.exe "[Drive:][Path]InputFileName"
exmon.exe /h
exmon.exe /?
exmon.exe [/{SU|SV|SC} "[Drive:][Path]OutputFileName" "[Drive:][Path]InputFileName"

Command Parameters Function

/? or /h Displays help at the command prompt
/SU "[Drive:][Path]OutputFileName" Exports the By User view to a .csv file
/SV "[Drive:][Path]OutputFileName" Exports the By Version view to a .csv file
/SC "[Drive:][Path]OutputFileName" Exports the By Clientmon view to a .csv file

Interpreting ExMon Data

Several factors, such as time of day, usage patterns, server load, server configuration, and server load, can
cause variations in the data that is collected and displayed in ExMon. An administrator can best understand any
data by comparing it with baseline data that is collected during normal operations.
The following sections describe the data that is displayed in some of the data columns and how that data
reflects some of the underlying factors that could influence the overall results. To successfully work with the
ExMon data, you must have a clear understanding of your Exchange deployment.

CPU Time
The data displayed in the CPU Time (ms) column represents the processing time that Store.exe requires to
process all requests. Some operations require more processing than others. For example, sophisticated searches
and large data exports require more processing time than viewing of a single mail item. CPU time is reported
in milliseconds of processing time, which depends on the server hardware. For example, one millisecond of
processing time on a 1000-MHz processor is equal to approximately two milliseconds of processing time on a
500-MHz processor.
Using Exchange Server User Monitor 11

Server Latency
The data displayed in the server latency columns documents the time that is required to process user requests.
This time includes CPU processing time, time waiting for disk I/Os, and time waiting because the server is
busy and is processing other user requests.
Each operation requires a different proportion of processing time and disk I/O time. Overall server latency for
all user requests is reported by the Performance Monitor (Perfmon) count for averaged MSExchangeIS\RPC
latency. ExMon enables you to view this data for individual users.
Individual users' server latencies can vary widely from the average. You can obtain more accurate results by
gathering long traces over more than 30 minutes or even over several hours.

Client Latency
The data displayed in the Avg. Client Latency (ms) column is a superset of the CPU time and the server
latency. Client latency includes not only server latency, but also any network delay that is caused by issues
with the network, packet retransmission, and network bandwidth.
For users who use Outlook without Cached Exchange Mode, high client latency times directly affect how
frequently Outlook is unresponsive. ExMon reports client latency for each request, while Outlook may require
multiple requests to complete an operation. This means that the client latency reported by ExMon provides a
lower bound to the responsiveness that users may experience. Generally, if the minimum client latency is
consistently more than 100 milliseconds, the user experiences poor responsiveness in Outlook in traditional
online mode. An individual client latency over five seconds invokes the Cancelable RPC dialog box in
Outlook 2002 for Office XP.
Improvements in Outlook 2003 with Cached Exchange Mode help hide this latency from the user and enable
site consolidation by moving many important tasks, such as reading and sending mail, to the background.
When a user is using Outlook 2003 Cached Exchange Mode, consistent average client latencies of
500 milliseconds or more can be hidden from the user. With client latencies of more than 1000 milliseconds
and low network bandwidth, users may benefit from Cached Exchange Mode that is configured to download
only mail headers.

Foreground Client Latency

Foreground client latency is a measure of specific types of Outlook requests. These specific types are
operations that are not in the background. For example, updating rules, browsing public folders, and delegate
access are not optimized to use background communication. The Avg. Foreground Client Latency (ms) data
informs administrators about operations that cause client unresponsiveness. To understand the overall effect on
the user, make sure that you compare the approximate percentage of foreground packets to all packets.

Network Bytes
The network bytes columns document the amount of data and control codes that are sent to and from Exchange
Server. This count includes only Exchange-related data and does not include data that is related to TCP/IP
overheads, packet retransmission or packet loss, RPC encryption, RPC over HTTP, or Internet Protocol
security (IPSec). However, it does account for compression that is used by Exchange Server 2003, and
Outlook 2003 and later versions.
 Using Exchange Server User Monitor 12

The amount of network traffic depends heavily on the usage profile. The Outlook message formats HTML,
RTF, and plain text all vary widely in size. Also, the number and size of attachments and the time of day
affects the amount of network traffic. To more accurately measure network usage, use longer monitoring
periods.

Frequently Asked Questions

Q: How much disk space is required for ExMon data collection?

A: File size depends on the Exchange server load. You can estimate required file size by looking at the
Perfmon counter, MSExchangeIS\RPC Operations\sec, as the file size per hour. For example, a server that has
an average RPC Operations\sec of 300 requires 300 MB per hour of free space for ExMon data collection.
Q: How long should I collect ExMon data?
A: Tracing time depends on user activity and how you want to use the data. For good averages across all users,
it is recommended that you collect data for at least 30 minutes during a period of expected user activity. Some
client monitoring data is collected only at certain intervals. Therefore, collecting data for longer may increase
the probability of more complete data. When you troubleshoot individual users and problems, traces of one to
five minutes are generally sufficient.
Q: Does ExMon support non-English languages of Exchange Server 2003 and the Windows operating
system?
A: Yes. ExMon can be run with any language that is supported by Exchange Server and any language that is
supported by Windows. ExMon supports Unicode display names for users. However, the ExMon tool interface
and documentation are available only in English.
Q: How does ExMon data collection affect Exchange server performance?
A: The effect of data collection on Exchange Server is less than a two percent increase in CPU or latency. To
minimize the effect, you should not collect data on a hard disk drive that is currently being used by Exchange,
such as the database, streaming, log file, or queue drives. Also note that ExMon tracing uses a Windows
technology known as Event Tracing for Windows (ETW). ETW was designed especially for performance
tracing and is used by core parts of Windows. As a result, the effect on the server is less than two percent
additional processing time and a negligible additional latency.
Q: Because ExMon data is collected with ETW, can I write my own data parser?
A: No, you currently cannot write your own data parser. The raw data requires a significant amount of analysis
to produce meaningful data.
Q: Why does ExMon display only part of a user's display name?
A: Because of limitations in the tracing and parsing code, ExMon truncates user display names to 32
characters.
Q: Why are some data columns blank?
A: Some data columns are blank because some servers do not provide some information. ExMon can view data
on Exchange Server 2000 SP2 and later versions, and Exchange Server 2003 SP1 and later versions. Since the
release of Exchange Server 2000, significant changes have been made. ExMon supports data files from all
Using Exchange Server User Monitor 13

these servers, although not all the data is available. For example, the Foreground Latency column in the By
Clientmon view requires Exchange Server 2003 SP1. It also requires that users also have Outlook 2003 SP1.
Q: How can I collect data on Exchange that is running on Clustering Services for Microsoft Windows?
A: Tracing ExMon data on Exchange servers that use Cluster Service is difficult because you care about
collecting data for a specific virtual server instead of data from just a physical node. A cluster failover during a
data collection session causes incomplete data. By collecting on shorter intervals, such as five minute intervals,
on every node of the cluster, you can minimize the amount of data that is lost if there is a failover. Both System
Monitor and Tracelog.exe provide functionality to create intervals based on file size instead of time. You can
also write a script to run on cluster failovers, and start and stop the appropriate data collections.
Q: Why doesn't ExMon display data when I have passed in an input file?
A: You may be able to resolve this issue by performing the following tasks:

• Make sure that you put the path and file name in double quotation marks if the path or file name contains a
space.
• ExMon must run on Windows Server 2003 or later versions if the Event Trace Log (.etl) file was collected
on Windows Server 2003 or later versions.
• Verify that the Exmon.reg file was applied before you began collecting data. For instructions on how to
apply the Exmon.reg file, see Installing ExMon earlier in this document.