Systems Admin

Schedule a Nightly PerfMon Capture: Data Collector Set + BLG Analysis

11 min read Part of pathway: Windows Server Administration

Most live PerfMon use is interactive — open the console, drop a few counters in, watch the graph, close. The interactive view answers “what is happening right now,” but doesn’t answer “what was happening at 02:30 last Tuesday when the application was slow.” For that, you need a scheduled capture: a Data Collector Set that opens at a chosen time, records the counters you care about into a binary log file (.blg), stops on its own after a configured duration, and leaves the file on disk for offline analysis whenever you get to it. This post walks the lab’s 22:30-to-23:00 nightly capture of CPU + Memory utilisation, the schedule + permissions configuration that makes it fire unattended, and the analysis options once the BLG lands.

What you need before starting

  • Windows Server (or any Windows release with the Performance Monitor console — even Windows 11 Pro)
  • Local administrator rights on the target machine
  • An admin-or-service account to run the scheduled capture as (the schedule has to run as someone)
  • An idea of which counters and what time window you actually need — the more specific the question, the smaller the BLG and the easier the analysis

The shape of a Data Collector Set

A Data Collector Set (DCS) is a saved bundle of:

  • Counters to capture — one or more performance counters from the same provider universe you’d use for live PerfMon. Plus optionally event-trace providers and config snapshots, but for typical CPU/memory work just counters.
  • Sample interval — how often the counters are read (default 15 seconds). Tune down to 1 second for high-resolution incident captures; tune up to 60 seconds for long-running baseline collections.
  • Destination — where the BLG file lands. Default %SystemDrive%\PerfLogs\<set-name>\; override per set.
  • Schedule — when the capture starts and on which days.
  • Stop condition — when the capture stops (after N minutes, or when the BLG hits N MB, etc.).
  • Security context — which account the scheduler runs as.

Save the DCS once, schedule it, and the scheduler engine handles the rest.

Step 1 — Open Performance Monitor

Run dialog (Win+R) → type perfmon → Enter. The Performance Monitor MMC opens.

Run dialog with perfmon typed in the Open field ready to launch the Performance Monitor MMC snap-in
perfmon from Run launches the Performance Monitor MMC. Same console hosts the live counters and the Data Collector Set scheduling we’re about to use.

Expand Data Collector Sets → User Defined in the left pane. System sub-tree above it holds the built-in collector sets (Active Directory Diagnostics, System Diagnostics, etc.); ignore those for now.

Step 2 — Create the Data Collector Set

  1. Right-click User DefinedNewData Collector Set. The wizard opens.
  2. Name the set something searchable. The lab uses CPU_Memory_1030_to_11PM — the embedded time window makes it easy to find the right BLG later when there are dozens of saved sets.
  3. Pick Create manually (Advanced). The other option (Create from a template) is useful if you have an existing DCS export to clone; for one-off captures, manual is simpler.
  4. Click Next.
Performance Monitor left pane expanded to Data Collector Sets > User Defined with the right-click context menu open showing the New > Data Collector Set entry highlighted” /><figcaption><em>User Defined → New → Data Collector Set</em> — the entry point for any custom capture. Built-in collector sets ship under <em>System</em>; ours lives here.</figcaption></figure> <figure class=Create New Data Collector Set wizard Name page with the value CPU_Memory_1030_to_11PM entered and the Create manually Advanced radio selected
Wizard naming page. CPU_Memory_1030_to_11PM is the lab’s convention — embed the capture window in the name so you can find the right BLG later. Create manually (Advanced) exposes the counter-picker.

Step 3 — Pick the counters

  1. On the “What type of data do you want to include?” page, tick Performance counter. Skip the others.
Create New Data Collector Set wizard What type of data do you want to include page with Performance counter ticked
Counter-source page. Performance counter is what we want for live OS metrics. The other types (Event trace data, System configuration information) are for ETW providers and registry snapshots respectively.
  1. Click Next. The Add Counters dialog appears.
  2. For the headline CPU number, expand the Processor performance object → pick % Processor Time → pick the _Total instance. Click Add.
  3. For the headline memory number, expand Memory → pick % Committed Bytes In Use. Click Add.
Add Counters dialog with Processor Performance object expanded and the % Processor Time counter selected with _Total instance plus Memory > % Committed Bytes In Use queued in the Added counters pane” /><figcaption>Counter selection — <code>Processor → % Processor Time → _Total</code> for the host-wide CPU number, plus <code>Memory → % Committed Bytes In Use</code> for the headline memory pressure metric. Add others if you need per-disk, per-NIC, per-process detail.</figcaption></figure> <p>Add anything else you need at this stage — per-disk IO via <em>PhysicalDisk</em>, per-NIC throughput via <em>Network Adapter</em>, per-process CPU via <em>Process → % Processor Time → *</em> if you want every running process tracked. Each counter adds rows to the eventual BLG; don’t over-collect or the analysis becomes painful.</p> <p>Confirm the sample interval (default 15 seconds is fine for a 30-minute capture; consider 5 seconds for shorter incident windows). Click Next.</p> <h2>Step 4 — Pick the save location</h2> <p>Default is <code>%SystemDrive%\PerfLogs\<set-name>\</code>. Override if you have a dedicated diagnostics volume or if the BLG might grow large enough to fill the system drive. Click Next.</p> <figure class=Where would you like the data to be saved page showing the default C colon backslash PerfLogs path with browse button to change
Save-location page. The default C:\PerfLogs\<set-name>\ is fine for most labs; pin to a different volume if you expect long-running captures with large BLG files.

Step 5 — Save and close (don’t auto-start)

The wizard asks whether to start the set immediately. Pick Save and close — we want the schedule to be the trigger, not a wizard click. Click Finish.

Create the Data Collector Set wizard final Save and close radio selected with Finish button enabled
Run-mode page. Save and close registers the set without starting it — we want the schedule to be the trigger, not an immediate run.

The DCS appears under User Defined in the left pane.

Performance Monitor left pane showing the new CPU_Memory_1030_to_11PM Data Collector Set listed under User Defined and selected
New Data Collector Set landed under User Defined. The schedule isn’t set yet; the next step adds it.

Step 6 — Add the schedule

  1. Right-click the new DCS → Properties.
  2. Switch to the Schedule tab.
  3. Click Add. In the schedule dialog:
    • Beginning date: today (or whenever you want the first run).
    • Start time: 10:30:00 PM (or whatever window you’re targeting).
    • Days: tick the days the schedule should fire.
  4. Click OK.
Data Collector Set Properties dialog Schedule tab with the Folder Action create-schedule sub-dialog open showing Beginning date today plus Start time 10:30:00 PM with all weekdays selected
Schedule tab → Add. Pick a start time (the lab uses 22:30) and the days you want it to fire. The schedule writes a Task Scheduler entry behind the scenes; you can confirm it under Task Scheduler Library → Microsoft → Windows → PLA.

Behind the scenes, this writes a Task Scheduler entry under Task Scheduler Library → Microsoft → Windows → PLA (Performance Logs and Alerts). You can confirm it shows up there if you want belt-and-braces evidence the schedule landed.

Step 7 — Set the stop condition

  1. Switch to the Stop Condition tab in the same Properties dialog.
  2. Tick Overall durationStop after → set the value (the lab uses 30 minutes for a 22:30–23:00 capture).
  3. Click OK.
Data Collector Set Properties dialog Stop Condition tab with the Overall duration Stop after checkbox ticked and the value set to 30 minutes
Stop Condition tab. Without an explicit stop, the capture runs until you stop it manually — on a long-running setup that fills disks. The lab uses 30 min; tune to the window you actually want to analyse.

Without a stop condition, the capture runs until you manually stop it — on long-running setups that quietly fills disk. Always set a stop condition equal to the window you actually want to analyse.

Step 8 — Run-as account and SYSTEM permissions

  1. Properties → Security tab.
  2. Set Run as to an admin or service account that has access to the counters and the destination folder. The default System works for local-machine-only counters; remote captures or non-default counter providers may need a specific identity.
  3. Tick Run whether user is logged on or not.
  4. Confirm SYSTEM has Full Control on the set so the scheduler can fire it unattended.
Data Collector Set Properties dialog Security tab showing the Group or user names list and the Run as field set to a domain admin account with the change-password button
Security tab — Run as a service account that has access to the target counter set. Tick Run whether user is logged on or not for unattended capture, otherwise the Task Scheduler dependency hits the same problem as the General-tab logged-on requirement.
Data Collector Set Properties dialog Security tab with the Permissions for SYSTEM area showing Full Control granted via the Allow column ticks
Same Security tab — ensure SYSTEM has Full Control on the set so the scheduled trigger can fire even when no admin is interactively logged on.

Same gotcha as scheduled tasks generally — the run-as account needs the “Log on as a batch job” user right on the local machine. Built-in admins have it; service accounts you bring in via GPO need it explicitly granted.

Step 9 — Wait for the capture, then read the BLG

Come back after the schedule window ends. Open the save folder:

C:\PerfLogs\CPU_Memory_Test\

You should see a .blg file with an auto-incrementing suffix (so successive runs don’t overwrite each other). Filename pattern: <set-name>_<NNNNNN>.blg.

File Explorer at C colon backslash PerfLogs backslash CPU_Memory_Test showing the resulting CPU_Memory_1030_to_11PM_NNNNN.blg binary log file written by the scheduled capture
Result of the scheduled capture — a .blg binary log file in the configured folder. The filename embeds a counter that increments per capture so successive runs don’t overwrite.

Open in PerfMon

  1. In Performance Monitor, File → Open (or drag the BLG into the console).
  2. The captured data renders as a line graph by default.
  3. Switch to Report view via the toolbar icon for a tabular Min/Max/Avg layout per counter — usually easier to read than the graph.
Performance Monitor with the BLG file opened showing the CPU and Memory line graph over the captured 30-minute window with the Report view option in the toolbar
Open the BLG in PerfMon and the captured data renders as graphs. Report view (toolbar icon) switches to a tabular Min/Max/Avg layout that’s usually easier to read than the line graph.

Quick stats via Properties → Data

  1. Right-click inside the graph → Properties.
  2. Switch to the Data tab.
  3. The columns Minimum / Maximum / Average are populated per counter for the loaded BLG window.
Performance Monitor Data tab in the Properties dialog showing the Minimum, Maximum, and Average columns populated for the % Processor Time and % Committed Bytes In Use counters
Properties → Data tab on the loaded BLG — the Min/Max/Avg columns give the headline numbers without needing Excel.
Same Data tab fully populated showing the average CPU and memory values calculated from the recorded BLG sample window
Same Data tab fully populated — the canonical way to read the captured window without opening Excel or running relog.

This is the canonical way to read a BLG without opening Excel.

Optional: convert BLG to CSV for Excel analysis

For deeper analysis (per-sample averages, percentile calculations, custom windowing) the relog command-line tool exports a BLG to CSV:

relog "C:\PerfLogs\CPU_Memory_Test\CPU_Memory_1030_to_11PM_000001.blg" -f CSV -o C:\PerfLogs\output.csv

Open output.csv in Excel. Each counter is a column; each sample is a row. AVERAGE() / MAX() / PERCENTILE.INC() formulas all work on the columns. Useful for the questions Properties → Data can’t answer (e.g., “what was the 95th percentile CPU during the window?”).

Things that bite people in production

Forgetting the stop condition fills the disk

Without an Overall Duration stop, the capture runs until you manually stop it. On a busy server with high-cardinality counters (per-process, per-disk), the BLG grows by tens of MB per minute. A weekend of unattended capture can push hundreds of GB of BLG. Always set a Stop condition.

Sample interval below 1 second produces unstable timing

The PerfMon counter API isn’t designed for sub-second sampling — the OS scheduler can’t guarantee tight timing at that resolution, and you get jittered intervals that mess up percentile calculations. Stick to 1+ second intervals; for higher resolution, use ETW providers via xperf instead of PerfMon counter sets.

Run-as account permissions silently break captures

If the configured Run-as account doesn’t have Log on as a batch job right or doesn’t exist anymore (an old admin account that’s been deleted), the scheduled capture starts but produces no BLG — the Task Scheduler entry just fails silently. Verify periodically by checking the save folder for fresh BLGs after expected schedule windows.

BLG files don’t auto-rotate

Each scheduled run produces a new BLG with an incrementing suffix; the old ones stay forever. Without cleanup, the save folder grows without bound. Either set a manual rotation policy (a separate scheduled task that deletes BLGs older than N days) or use Windows’ built-in Storage Sense to clean up.

Counter paths are localised in non-English Windows

The counter Processor → % Processor Time is named in the system display language — on a Spanish Windows install it’s Procesador → % Tiempo de procesador. DCS export/import across languages can fail to find the counters. Microsoft documents the locale-neutral counter names; use those for portable DCS definitions.

The relog conversion to CSV is single-threaded and slow

For multi-GB BLG files, relog CSV conversion is single-threaded and CPU-bound — can take half an hour or more. For large captures, either filter to a sub-set of counters (relog -c "\Processor(_Total)\% Processor Time" ...) before conversion, or use the -q SQL output mode and query directly.

Where this fits

Scheduled PerfMon captures are part of broader Windows server diagnostics. For the Task Scheduler that backs the schedule, see Task Scheduler General tab and Trigger tab. For broader Windows Server admin context, the Windows Server administration pathway covers the rest of the surface area.

Tags: #BLG #Data Collector Set #PerfMon #Performance Monitor #relog #Windows Server

Leave a Reply