How to trace IIS worker process requests - iis

I need to be able to monitor requests from IIS w3wp processes.
How can I see IIS worker process Requests?

To trace all requests currently executing in IIS worker processes
Open a command window and type logman startsession name–p "IIS:
Request Monitor" -ets and press ENTER.
Event Tracing for Windows prints to the screen details about the
trace session you just started, including the name of the session,
the file name where the trace data will be collected (session
name.etl by default), and whether or not the command was successful
Allow the trace session to run until you have reproduced the problem
or until your sites have processed enough requests to produce a
manageable data set
From the command prompt, type logman stopsession name-ets and press
ENTER.

I'm not as experienced on Windows vs Linux so Ravindra's answer seems interesting (is this just scheduling a particular event viewer style session or actually logging out deeper?).
As you particularly ask about 'IIS worker process Requests' you have two options.
GUI
Open inetmgr, go to the root server level, go to Worker Processes and double-click the worker process of your choice. A new screen will load and you will see anything that worker is currently processing.
Command-line
Rather than just give you a single command to copy and paste this article is a great starter - http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
The particular command you want is under the section 'INSPECTING CURRENTLY EXECUTING REQUESTS'

Related

Using windows task scheduler how can i execute my exe file after IIS RESET

I have a scenario where i need to execute .exe after IIS reset. In windows task scheduler we can get option to run execitable file for some condition where we can select IIS configuration/ log and can provide event id to match.
I search couple of option but did not find any.
Can anybody suggest - how can i run my executable file after IIS reset happens using task scheduler.
As per this link,
3201 is start
3202 is stop
3201 IIS start command received from user %1. The logged data is the status code.
3202 IIS stop command received from user %1. The logged data is the status code.
Since, IISReset is a stop and start operation, you can have the trigger based on the start event, i.e., 3202.
Your task trigger will be like this:
You can cross-check the event viewer for the events from IISReset

IIS7.5+ : Is it the correct way to describe Application Initialization feature?

Recently we want to cater the slow loading problem of IIS for first request, after I did some research, I've found that IIS7.5+ has a feature named "Application Initialization" which maybe what I need.
However I have to understand the mechanism before I try to apply it and here is my understanding:
With default IIS setting:
The application pool idle after 20 minutes
The corresponding worker process is killed
First request comes in
IIS starts to create a new worker process
IIS starts to load the application
The client can see after application is loaded
And step 4, 5 makes first request not so responsive.
With Application Initialization set:
The application pool idle after 20 minutes
The corresponding worker process is killed
IIS starts to create a new worker process
IIS starts to load the application through a "fake" request
First request comes in
The client can see after application is loaded
Now the first request is responsive as indeed it is not the first request to the server, sometimes before there was a "fake" request which kicks loading of the application.
What I would like to know is that:
Is my understanding correct?
When application initialization is set, the worker process is still being killed, but a new one is created right after it, is it the case?
That's pretty much how it works. Without Application Initialization, as you mentioned, once the worker process is killed, it is not restarted until a request is sent to it. Upon the first request, a new worker process (W3WP.exe) is started and it starts to load the application. And this cold start of the application is what typically makes the first request less responsive. For eg. if it's an ASP.NET application, the first request triggers the recompilation of the temporary ASP.NET files and this can take several seconds in a moderately large enterprise application.
If you look at the setup of Application Initialization, you will see that there are two main parts to it:
You need to set the startMode of the application pool associated with the website to AlwaysRunning
You need to set preloadEnabled to true on some path (path to the website) on the ApplicationPool
Step 1 is what tells IIS to automatically restart the IIS worker process whenever there is a reboot or IISReset. (You can easily see this in action in TaskManager - do only step 1 and do an IISReset, you should be seeing the existing W3WP.exe process getting removed and a new one is getting created)
Step 2 is what tells IIS to make the initial fake/dummy request that will do all the required initialisation of your web application. For eg. for an ASP.NET application, this essentially will trigger the compilation of all the ASP.NET files, so that the next request - the actual first request to the page does not experience the long delays associated with app initialisation.
While it is true that a traditional approach of keeping using a script to poll the app to prevent it from going idle can do the job, the ApplicationInitalization module makes the job much easier. You can even have IIS issue the dummy request to a custom warmup script that does much more than a simple page load - preloading a cache of several webpages, ahead of time generate/do any task that might otherwise take longer etc.
Official documentations here:
IIS 7.5
IIS 8.0
Your understanding is correct based on my experiences. I first ran into this capability in a performance testing scenario way back in 2014. I was custom coding the ping portion of this into monitoring jobs :O
"The Application Initialization Module basically allows you to turn on
Preloading on the Application Pool and the Site/IIS App, which
essentially fires a request through the IIS pipeline as soon as the
Application Pool has been launched. This means that effectively your
ASP.NET app becomes active immediately, Application_Start is fired
making sure your app stays up and running at all times." - Rick Strahl
Official detailed docs are on the MSDN site, from what I see not much has changed between IIS 7.5 and 8.0 in the way of config.

Long running process remote termination?

I am developing an application that allows users to run AI algorithms on the server remotely. Some of these algorithms take a VERY long time. It is set up such that AJAX calls supply the algorithm parameters and launch a C++ algorithm on the server. The results and status of the computation are tracked via AJAX calls polling status files. This solution seems to work well for multiple users concurrently using the service, but I am now looking for a way to cancel the computation from the user's browser. I have a stop button that stops the AJAX updating service and ceases any communication between the browser and the running process on the server. The problem is that the process still runs, and I would like to free up the server resources when the user cancels the operation. Below are some more details.
The web service where the AJAX calls hit are run under the user 'tomcat' and can be listed by ps -U tomcat. The algorithm executions are all child processes of 'java' and can be listed by ps --ppid ###.
The browser keeps a record of the time that the current computation began (user system time, not server system time).
Multiple computations may be going on at once from users connected from different locations, resulting in many processes under the same name and parent process.
The restful service executes terminal commands via java runtime.exec().
I am not so knowledgeable about shell scripting, so any help would be greatly appreciated. Can anyone think of a way to either use java process object or shell script/awk to locate a process via timestamp (maybe the closest timestamp to user system time..?) or some other way?
Thanks in advance.
--edit
Is there even a way in java to get a handle for a given process if you have the pid...? Doesn't seem like it.
--edit
I cannot change the source code of the long running process on the server. :(
Your AJAX call should be manipulating some sort of a resource (most conveniently a text file) that acts as a semaphore to the process, which in every iteration of polling checks whether that semaphore file has been set to the stop status. If the AJAX changes the semaphore file to stop, then the process stops because your application checks it and responds accordingly. Which in turn means that the functionality needs to be programmed into your Java AI application rather than figuring out what the PID is and then killing it at the OS level. That, of course, assumes you have access to the source code of the app.
Of course, the semaphore does not have to be a file but can be a value in the DB etc., whichever suits your taste and configuration.
I have finally found a secure solution. From the restful java service, using Process p = Runtime.getRuntime().exec() gives you a handle on the running process. The only way, however, to get the pid is through a technique called reflection.
Field f = p.getClass().getDeclaredField();
f.setAccessible(true);
String pid = Integer.toString(f.getInt(p));
How unbelievably awkward...
Anyways, due to the passing of p from the server to the client being impossible, and the insecurity of allowing a remote call to kill an arbitrary server process by a pid passed by parameter, the only logical strategy I could come up with was to write the obtained pid to a process-unique file indicated by the initial client timestamp, and to delete this file upon restful service function return. This unique file can be used as a termination handle via yet another restful service which reads the file, and terminates the process with pid equal to the contents of the file. This
You could keep the Process instance returned by runtime.exec and invoke Process.destroy to kill the subprocess. Not knowing much about your webservice application I would assume you can keep the process instances in a global session map that maps users to process lists. Make sure access to this map is thread-safe. Also it only works if you have one webservice process that allows to share such a global session map across different requests.
Alternatively take a look at Get subprocess id in Java.

Windows - see active ETW sessions so that I can close one of them

I am working with Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it.
Basically I do ::StartTrace([out] handle...) and do not close that handle when I'm finished with it (closing done by using ::StopTrace() function)
I'm looking for a tool that shows me the active sessions so I can close it manually. Without it I have to restart my PC in order for the controller session to be closed at shutdown.
Also, i the same ETW area (on Win 7), I understand that I should be able to see the data layouts for public MOF descriptions using wbemtest.exe. There I am supposed to enter in
- Connect -> Namespace = \\root\wmi\EventTrace
to see MOF data. But I get "The RPC server is unavailable". Using in that screen the dafaults values: IWBemLocator(Namespaces), How to interpret passsword = null, Authentication level = packet.
In the credentials area I have user and Password (which I tried) but there is another empty field - Authority. Is there a way to see MOF data ? I runed this elevated under Win 7.
You can use the command logman query -ets to see a list of currently running Trace Event Sessions.
For example, on Windows 10, you will see something like this:
C:\>logman query -ets
Data Collector Set Type Status
-------------------------------------------------------------------------------
AppModel Trace Running
FaceRecoTel Trace Running
FaceUnlock Trace Running
LwtNetLog Trace Running
Microsoft Security Client WMI Providers Trace Running
NtfsLog Trace Running
TileStore Trace Running
WiFiSession Trace Running
SCM Trace Running
UserNotPresentTraceSession Trace Running
CldFltLog Trace Running
SHS-05042018-095434-7-5f Trace Running
WDSC-05042018-095434-7-20 Trace Running
Diagtrack-Listener Trace Running
8696EAC4-1288-4288-A4EE-49EE431B0AD9 Trace Running
Cloud Files Diagnostic Event Listener Trace Running
The command completed successfully.
If you have created you own session, for example by using Microsoft.Diagnostics.Tracing.Session.TraceEventSession,
you will have given the session a unique name, and if it is running, you should see it in the list.
To kill an existing session, do this, as an administrator:
logman stop <SessionName> -ets
There are also some PowerShell Cmdlets, that can do similar things.
The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.
May I suggest to post the second part of your question as a seperate question?
The tracelog command line utility that comes along the Windows SDK allows you to do the same thing as QueryAllTraceswith the tracelog -l command.

what is meant by "failure" in IIS rapid fail protection?

according to the the IIS documentation the rapid fail protection once activated leads to the deactivation of an application pool if a "failure" occurs. However, I could not find the definition of the "failure" case. In my web application I have a special exception that I would like the IIS to consider it as a "failure".
Does anyone have an idea? Thanks
This appears to have a list, for Server 2003 at least: http://web.archive.org/web/20130511004652/http://technet.microsoft.com/en-us/library/cc787273(WS.10).aspx
The WWW service shuts down an application pool whenever a worker
process in the application pool fails often enough to equal or exceed
the Rapid-Fail Protection (RFP) interval time window (for example:
five failures in five minutes). The WWW service detects failure
whenever:
A worker process does not start within the startup time limit.
A worker process does not shut down within the shutdown time limit.
A worker process shuts itself down because of a fatal error and sends
the WWW service an error code.
A worker process fails to respond to a ping message.
The WWW service detects that a worker process is sending non-standard
communications (the worker process may have been taken over).
(updated with archive.org to fix broken link, and replicated detail here)
The documentation for configuring rapid fail protection alludes to a "failure" meaning a worker process crash.
Through experimentation I've noticed that you should expect something like the following in Windows Event Application Logs for a w3wp.exe crash:
An unhandled exception occurred and the process was terminated.
Application ID: /LM/W3SVC/1/ROOT
Process ID: 2628
Exception: System.SomeUnhandledException
Indeed with rapid fail protection enabled with the default configuration, 5 such events within 5 minutes of each other cause the application pool to stop, and you'll see a further Windows Event Application Log similar to:
Application pool 'my-test-application-pool' is being automatically
disabled due to a series of failures in the process(es) serving that
application pool.

Resources