Method and apparatus for analyzing performance of data processing system

Abstract

A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Claims

We claim:

1. A system for analyzing the performance of a data processing system comprising:

a control station that analyzes events, the control station specifying at least one trigger condition;

an event concentrator, coupled to the control station, that collects events and detects the at least one trigger condition; and

a store, coupled to the event concentrator, that stores events until the detection of the at least one trigger condition, whereupon the stored events are sent to the control station.

2. The system of claim 1, wherein the store comprises a circular buffer, and the control station specifies a number of events to store in the buffer.

3. The system of claim 1, wherein the control station specifies two trigger conditions and a Boolean relation between the trigger conditions.

4. The system of claim 1, wherein the event concentrator collects events at a first rate before the at least one trigger condition occurs and wherein when the at least one trigger condition occurs, the event concentrator begins collecting events at a second rate, the second rate being higher than the first rate.

5. The system of claim 1, wherein the control station specifies a reset condition, and wherein the event concentrator monitors for the reset condition.

6. The system of claim 5, wherein events cease being sent to the control station after the event concentrator detects the reset condition.

7. The system of claim 6, wherein, upon occurrence of the reset condition, the event concentrator reverts to collecting events and monitoring for the at least one trigger condition.

8. The system of claim 1, wherein the store utilizes data compression for storing the events.

9. The system of claim 1, wherein the event concentrator utilizes data compression for sending the events.

10. The system of claim 1, wherein the control station specifies at least one filter and the event concentrator collects events in accordance with the at least one filter.

11. The system of claim 10, wherein the control station specifies a first filter and a second filter, and the event concentrator collects events in accordance with the first filter until the at least one trigger condition occurs, whereupon the event concentrator collects events in accordance with the second filter.

12. The system of claim 11, wherein, the control station specifies a reset condition, and upon occurrence of the reset condition, the event concentrator reverts to collecting events in accordance with the first filter and monitoring for the at least one trigger condition.

13. A method for analyzing the performance of a data processing system that produces events and that comprises a control station that analyzes events, an event concentrator, and a store, the method comprising:

specifying at least one trigger condition;

collecting events while monitoring for the at least one trigger condition;

storing events collected by the event concentrator; and

sending the stored events to the control station upon the occurrence of the at least one trigger condition.

14. The method of claim 13, wherein a COM event comprises the at least one trigger condition.

15. The method of claim 13, wherein a condition for which an event is created comprises the at least one trigger condition.

16. The method of claim 13, further comprising collecting events at a first rate before the at least one trigger condition occurs and collecting events at a second rate after the at least one trigger condition occurs.

17. The method of claim 13, further comprising specifying a reset condition, and monitoring for the occurrence of the reset condition.

18. The method of claim 17, further comprising ceasing to send events to the control station when the reset condition is detected.

19. The method of claim 17, further comprising reverting to collecting events and monitoring for the at least one trigger condition, upon occurrence of the reset condition.

20. The method of claim 13, further comprising utilizing data compression for storing the events.

21. The method of claim 13, further comprising utilizing data compression for sending the events.

22. The method of claim 13, further comprising specifying at least one filter.

23. The method of claim 22, further comprising specifying a first filter and a second filter, the event concentrator collecting events in accordance with the first filter until the occurrence of the at least one trigger condition and then collecting events in accordance with the second filter.

24. The method of claim 23, further comprising upon detecting a reset condition, collecting events in accordance with the first filter and monitoring for the at least one trigger condition.

25. A computer-readable medium comprising computer-executable instructions for analyzing the performance of a data processing system that produces events and that comprises a control station that analyzes events, an event concentrator, and a store, the computer-executable instructions comprising instructions for:

the control station specifying at least one trigger condition;

the event concentrator collecting events while monitoring for the at least one trigger condition;

the store storing events collected by the event concentrator; and

the event concentrator sending the stored events to the control station upon the occurrence of the at least one trigger condition.

26. A system for analyzing the performance of a data processing system comprising:

a control station that analyzes events, the control station specifying at least one trigger condition;

an event concentrator, coupled to the control station, that collects events and detects the at least one trigger condition; and

a store, coupled to the event concentrator, that stores events until the detection of the at least one trigger condition, whereupon at least one of the stored events and an alert signal are sent to the control station.

27. A system in accordance with claim 26, wherein an alert signal is sent to the control station upon the detection of the at least one trigger condition.

Description

TECHNICAL FIELD

This invention relates generally to data processing and, more particularly, to a method and apparatus for analyzing the performance of a data processing system.

COPYRIGHT NOTICE/PERMISSION

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the U.S. Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright .COPYRGT. 1997-1999, Microsoft Corporation, All Rights Reserved.

BACKGROUND OF THE INVENTION

In the field of data processing it is a well known problem that software developers usually require a period of time to identify and resolve functional and performance issues in the code they have written or integrated. There can be many reasons for such issues, including the basic system and software architecture; non-optimized and/or flawed coding; the choice of, utilization of, and contention for system resources; timing and synchronization; system loading; and so forth.

Particularly in the area of distributed computer networks, it can be extremely difficult for software developers to observe and isolate undesirable system performance and behavior. A distributed computer network is defined herein to mean, at a minimum, a data processing system that utilizes more than one software application simultaneously or that comprises more than one processor.

For example, a single box or machine which is running two or more processes, such as a data base application and a spreadsheet application simultaneously, fulfills this definition. Also, a single article such as a hand-held computer may comprise more than one microprocessor and thus fulfills the definition.

More commonly, however, distributed computer networks may comprise two or more physical boxes or machines, often hundreds or even millions (in the case of the Internet). A software developer trying to monitor and analyze the operation and behavior of such complex computer networks is faced with a very daunting task.

For example, a developer may be writing or have written a server component that performs credit checks. This software component is used in a larger application that performs order entry processing. There are several other server components in the system (such as inventory verification, order validation, etc.) some of which run on the same server and some which run on a separate server (where the inventory database resides). To complicate matters, each component could reside on a computer system in a different state or country. If the application is not performing or behaving well, the developer needs to figure out if there is a performance or behavioral problem and, if so, be able to determine exactly where the trouble spots are.

In the prior art the developer had to modify his or her application, by writing trace statements in the code and having the application write to a log file what was going on at different places in the network. Then all of the log files would need to be collected, merged, and sorted. The developer would then have to sift through the data in a time-intensive fashion and attempt to determine the performance problem.

There are several serious deficiencies with the prior approach.

One problem is that only instrumented code can be analyzed. That means source code must be modified, recompiled, and re-deployed. This is a serious issue with the widespread use of operating system services and component technology in today's applications. Users are typically unable to recompile operating system and third party components, because they do not have physical or legal access to the source code. When they do have access to the source code, they are still unable to instrument them effectively, because they do not understand the component source code that they do have.

Another problem is that the modifications to code made by developers in an attempt to analyze its performance themselves adversely impact the application's performance. Further, the development of a highly efficient mechanism for recording the application data is non-trivial. Typical implementations involve writing data to disk. Even if the input/output (I/O) is buffered asynchronously, it can have an adverse impact on the application being monitored (e.g. masking actual application I/O).

A further problem is that understanding control flow during transitions is very hard. Typically, in a large distributed application, transitions to separate processes, or to processes running on separate machines, are common, and may happen simultaneously. Since events have to be manually merged by the developer, it is typically hard to determine which suspension in one process corresponds to resumption in another.

An additional problem is that frequently there are a large number of application areas that might need to be analyzed; however, not all of them may need to be analyzed at the same time. Developers who manually instrument their code must incorporate a selection technology to enable different portions to be analyzed. Otherwise, the load of all of the instrumentation has a severe impact on the analysis. This also requires a complex mechanism for developers to specify which information to collect on which machine.

Yet another problem is that for distributed applications, logs from multiple machines (and often multiple logs per machine) must be merged and sorted. Without synchronized clocks, this task is very difficult. As well, if the log files are in different formats (which is likely if they are from different developers or companies), then the data must be translated into common formats.

The result of all the effort described in this section is a very long list of analysis data. Manually analyzing and isolating performance problems from this amount of data is a very complex and difficult task.

One further problem with known performance analysis of data processing systems is that very often such analysis provides opportunities for breaching the data security of such systems.

There exists known performance monitoring software in various forms. Among them is software known as PerfMon software, which is commercially available from Microsoft Corporation. PerfMon software is a utility which, among other things, can provide an indication of the utilization of the computer's central processor unit (CPU) and memory unit. PerfMon software operates by sampling. That is, it tracks continuous data by monitoring a machine and looking at its behavior. It can track the free space on a disk, monitor network usage, and so on, but it cannot gather event-based information, such as what function was most recently started.

There also exist known tools called profilers. These look at a single executing software application and try to understand its performance. They do this either by monitoring the program (in a similar way to PerfMon software), or else they hook into the program they are monitoring and generate "events" each time a program subcomponent (function) commences or completes. Profilers typically have a massive impact on the performance and behavior of an application, because they are intrusive, and they typically require special compiler support. Their data is so detailed that it is normally impractical to use them, particularly in a distributed computing environment such as the one described above.

The Windows NT.RTM. PerfMon utility, commercially available from Microsoft Corporation, provides an extensible architecture for the collection and display of arbitrary application and system counters and metrics. Windows NT provides base counters for the system for the purpose of monitoring CPU and memory utilization. It also provides counters for networks, disks, devices, processes, and so forth. Most system objects export counters. Many applications available from Microsoft Corporation (such as MTS and SQL Server) and other suppliers provide additional counters.

Therefore, there is a substantial need to provide software developers with automated tools for efficiently analyzing the performance, function, and behavior of their applications.

There is also a substantial need to provide such developers with tools for analyzing the performance, function, and behavior of their applications, either while the applications are executing or post mortem, and without significantly affecting the performance or data security characteristics of the applications

In addition, there is a substantial need, in a commercial environment, to provide Application Program Interfaces (APIs) to such tools.

SUMMARY OF THE INVENTION

The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the Detailed Description of the Invention. However, a brief summary of the invention will first be provided.

The present invention includes a number of different aspects for analyzing the performance of a data processing system. For the purposes of describing this invention, the term "performance" is intended to include within its meaning not only the operational performance, but also the function, structure, operation, and behavior of a data processing system.

While the invention has utility in analyzing the performance of a software application that is executing on a distributed data processing system, its utility is not limited to such, and it has utility in analyzing the performance of computer hardware, computer software of all types including data structures, and a wide spectrum of data processing systems comprising both computer hardware and computer software.

Insofar as the overall architecture and operation of the present invention is concerned, each machine where a portion of a distributed software application executes has at least one local event concentrator (LEC). In addition, there is at least one in-process event creator (IEC) and at least one dynamic event creator (DEC) per machine. The function of an IEC is to monitor the executing process for particular situations that occur which the developer wants to be monitored and to create an "event" that can be captured and later analyzed. The function of a DEC is similar to that of an IEC, but it monitors some aspect of the system operation that the developer wants to be monitored on a periodic or time basis and creates an "event" that can also be captured and later analyzed.

The developer can specify by means of a "filter" what to look for in the system under examination. This narrows the scope of the search to what is of interest to the developer and reduces the burden on the performance monitoring system.

When the IEC and DEC create events, they send them to the LEC, which collects them and temporarily stores them, either until the developer requests them or a developer-defined condition or "trigger" occurs, whereupon the LEC sends the events to the developer's control station. The control station analyzes the events and visually displays the results of the analysis to the developer in a multi-windowed, time-synchronized display.

In order to prevent the collection of information from adversely affecting the performance of the system, the IEC and DEC are only active when they are carrying out the developer's orders to monitor certain things. Otherwise they are dormant and do not affect the performance. When an IEC is activated and is monitoring process execution for particular situations, it creates a stream of events during "normal" execution and sends them to the LEC. However, the LEC doesn't send them through the network to the developer's control station until they are needed.

In another aspect of the invention, a data design structure allows two communicating entities to describe their interactions and inter-relationships despite knowing almost nothing about each other. The data design structure includes pre-defined event fields and custom fields, and it breaks up the application into a series of black boxes and maps out the entities of the network and their inter-relationships for displaying to the developer an animated model of the application as it is executing, either in real time or "post mortem".

In another aspect, the invention provides for user-defined triggers which cause the performance analysis software to passively buffer events until a malfunction occurs, then dump the buffered data and analyze it. This allows low-impact monitoring, since no information is stored until something of interest happens.

In another aspect, the invention comprises filter reduction features with which the developer can specify exactly what information within the network is of interest. Filter reduction is used to narrow the scope of the filter to extract only the information of interest and hence reduce the performance impact of monitoring.

In another aspect, the invention comprises filter combination features with which different users can specify individual filters that can be combined. The LEC can be multi-threaded and combine filters submitted by multiple users.

In another aspect, the invention comprises a filter user interface which is a graphical representation of the machines, entities, and events making up the network. The user can easily pick those of interest, using displayed lists and Boolean operator tabs, or can simply write an order in text format which is converted to the appropriate filter.

In another aspect, the invention comprises APIs for registration, in-process event creators, dynamic event creators, and other functions implementing the various aspects of the invention.

In another aspect, the invention provides for the automatic generation of an animated application model of the process under examination. A dynamic diagram of the application is automatically displayed as the various constituents interact. A video cassette recorder (VCR) paradigm is used to "play, replay, stop, pause, change speed, and reverse" the display, to enable the user to see what's happening as the application executes.

In another aspect, the invention provides for automatic, synchronized display of all performance analysis data. A number of user-customized, synchronized display windows show the constituent parts of the application execution and the corresponding performance characteristics, in both Gantt chart and graphical modes, either in real-time or post-mortem. A timeline window displays a visual representation of the timing of all related events. A summary window displays a distillation of the system performance during a user-selected time slice.

In another aspect, the invention provides suitable data security mechanisms throughout the network being monitored. Discretionary access is applied to the collection of data from a specific machine.

The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the Detailed Description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is pointed out with particularity in the appended claims. However, other features of the invention will become more apparent and the invention will be best understood by referring to the following Detailed Description in conjunction with the accompanying drawings in which:

FIG. 1 illustrates a hardware and operating environment in conjunction with which embodiments of the invention can be practiced;

FIG. 2 illustrates a system-level overview of an exemplary embodiment of the invention;

FIG. 3 illustrates a machine-level overview of an exemplary embodiment of the invention;

FIG. 4 illustrates in schematic fashion pre-defined event fields and custom fields, which are included in an event packet within an exemplary embodiment of the invention;

FIG. 5 illustrates a transition between two entities within the hardware and operating environment;

FIG. 6 is a table which illustrates how pre-defined event fields are used to establish a relationship between a source and a target entity;

FIG. 7 illustrates in schematic fashion how events selected by a user are monitored.

FIG. 8 illustrates a process of filter reduction as used within an exemplary embodiment of the invention;

FIG. 9 illustrates a process of filter combination as used within an exemplary embodiment of the invention;

FIG. 10 illustrates another process of filter combination as used within an exemplary embodiment of the invention;

FIG. 11 illustrates a screen print of an exemplary user interface for specifying a filter;

FIG. 12 illustrates a system level overview of an exemplary embodiment showing where APIs of the present invention can appear within the software architecture of a distributed computing system;

FIG. 13 illustrates a screen print of an animated application model which the present invention generates to show the structure and activity of an application whose performance is being studied;

FIG. 14 illustrates various user interface features of an animated application model in an exemplary embodiment of the invention;

FIG. 15 illustrates a representative display of performance data in an exemplary embodiment of the invention;

FIG. 16 illustrates a screen print of an exemplary display of performance data;

FIG. 17 illustrates screen print of a timeline display of performance data;

FIG. 18 illustrates a screen print of summary display of performance data;

FIG. 19 illustrates a screen print of several synchronized sets of performance data;

FIGS. 20A-C is a flowchart of a method illustrating an exemplary embodiment of overall data collection architecture and how data is collected via the IECs, DECs, and LECs;

FIGS. 21A-B is a flowchart of a method illustrating an exemplary embodiment of overall data design and how the VSA determines and maps relationships between entities;

FIGS. 22A-B is a flowchart of a method illustrating an exemplary embodiment of triggers;

FIGS. 23A-B is a flowchart of a method illustrating an exemplary embodiment of filter reduction;

FIGS. 24A-B is a flowchart of a method illustrating an exemplary embodiment of filter combination;

FIGS. 25A-B is a flowchart of a method illustrating an exemplary embodiment of a user interface for specifying one or more filters;

FIGS. 26A-C is a flowchart of a method illustrating an exemplary embodiment of automatic generation of an animated application model; and

FIGS. 27A-C is a flowchart of a method illustrating an exemplary embodiment of a user interface for displaying the performance analysis of the system under examination.

DETAILED DESCRIPTION OF THE INVENTION

In the following Detailed Description of exemplary embodiments of the invention, reference is made to the accompanying drawings that form a part hereof, and which show by way of illustration specific exemplary embodiments in which the invention can be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It is to be understood that other embodiments can be utilized and that logical, mechanical, electrical, and other changes can be made without departing from the spirit and scope of the present invention. The following Detailed Description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.

The Detailed Description is divided into six sections. In the first section, a Glossary of Terms is provided. In the second section, an Exemplary Hardware and Operating Environment in conjunction with which embodiments of the invention can be practiced is described. In the third section, a System Level Overview of the invention is presented. In the fourth section, Exemplary Embodiments of the Invention are provided. In the fifth section, Methods of Exemplary Embodiments of the Invention are provided. Finally, in the sixth section, a Conclusion of the Detailed Description is provided.

Glossary of Terms

The following section provides definitions of various terms used in the Detailed Description:

ADO--ActiveX.RTM. Data Objects, a high-level programming interface from Microsoft Corporation for data objects which can be used to access different types of data, including web pages, spreadsheets, and other types of documents. It is designed to provide a consistent way of accessing data regardless of how the data is structured.

API--Application Program Interface, a language and message format used by an application program to communicate with the operating system, middleware, or other system program such as a database management system. APIs are generally implemented by writing function calls in the application program, which provide the linkage to a specific subroutine for execution. Operating environments typically provide an API so that programmers can write applications consistent with the operating environment.

COM--Component Object Model, a component software architecture from Microsoft Corporation which defines a structure for building program routines or objects that can be called up and executed in a Microsoft Windows.RTM. operating system environment.

DCOM--Distributed Component Object Model, developed by Microsoft Corporation, it is an extension of the Component Object Model (COM), which enables object-oriented processes distributed across a network to communicate with one another.

Entity--a functional component in a data processing system, such as a client, server, or data source.

GUID--a Globally Unique Identifier within a data processing system. Within the present invention it is used to identify, for example, a COM object, an event source, an event, an event category, and any other system object that requires guaranteed unique identification from multiple independent generators.

Machine--a minimal data processing system comprising at least a processor and a memory, the processor executing software instructions which are stored in the memory.

Middleware--a category of processes between the application itself and backend processes such as databases, network connections, and so forth. Applications that run on currently available operating systems typically require services above and beyond those provided by the operating system. These services are often no longer written by the application developer but by a third party (which can be the operating system vendor). The term "middleware" indicates the position of these common services within the software architecture relative to the application.

MTS--Microsoft Transaction Server (MTS), a feature of the Microsoft Windows NT Server.RTM. operating system that facilitates the development and deployment of server-centric applications built using Microsoft's Component Object Model (COM) technologies.

NTS--Windows NT Server.RTM., a version of the Microsoft Windows.RTM. operating system. There are currently two commercially available versions of Windows NT: Windows NT Server.RTM., designed to act as a server in networks, and Windows NT Workstation.RTM. for stand-alone or client workstations.

PerfMon--Performance Monitor, a utility provided with Microsoft Corporation's Windows NT.RTM. operating system which enables the performance monitoring of all services running on a system.

RPC--Remote Procedure Call, a programming interface that allows a program on one computer to execute a program on a server computer. Using RPC, a system developer need not develop specific procedures for the server. The client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed.

Windows.RTM. operating system--an operating system commercially available from Microsoft Corporation for several different computing platforms.

Exemplary Hardware and Operating Environment

FIG. 1 illustrates a hardware and operating environment in conjunction with which embodiments of the invention can be practiced. The description of FIG. 1 is intended to provide a brief, general description of suitable computer hardware and a suitable computing environment with which the invention can be implemented. Although not required, the invention is described in the general context of computer-executable instructions, such as program modules, being executed by a computer, such as a personal computer (PC). This is one embodiment of many different computer configurations, some including specialized hardware circuits to analyze performance, that can be used to implement the present invention. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.

Moreover, those skilled in the art will appreciate that the invention can be practiced with other computer-system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network personal computers ("PCs"), minicomputers, mainframe computers, and the like. The invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.

FIG. 1 shows a general-purpose computing or information-handling system 80. This embodiment includes a general purpose computing device such as personal computer (PC) 20, that includes processing unit 21, a system memory 22, and a system bus 23 that operatively couples the system memory 22 and other system components to processing unit 21. There may be only one or there may be more than one processing unit 21, such that the processor computer 20 comprises a single central-processing unit (CPU), or a plurality of processing units, commonly referred to as a parallel processing environment. The computer 20 can be a conventional computer, a distributed computer, or any other type of computer; the invention is not so limited.

In other embodiments other configurations are used in PC 20. System bus 23 can be any of several types, including a memory bus or memory controller, a peripheral bus, and a local bus, and can use any of a variety of bus architectures. The system memory 22 may also be referred to as simply the memory, and it includes read-only memory (ROM) 24 and random-access memory (RAM) 25. A basic input/output system (BIOS) 26, stored in ROM 24, contains the basic routines that transfer information between components of personal computer 20. BIOS 26 also contains start-up routines for the system.

Personal computer 20 further includes hard disk drive 27 having one or more magnetic hard disks (not shown) onto which data is stored and retrieved for reading from and writing to hard-disk-drive interface 32, magnetic disk drive 28 for reading from and writing to a removable magnetic disk 29, and optical disk drive 30 for reading from and/or writing to a removable optical disk 31 such as a CD-ROM, DVD or other optical medium. Hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to system bus 23 by a hard-disk drive interface 32, a magnetic-disk drive interface 33, and an optical-drive interface 34, respectively. The drives 27, 28, and 30 and their associated computer-readable media 29, 31 provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for personal computer 20. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, those skilled in the art will appreciate that other types of computer-readable media which can store data accessible by a computer can also be used in the exemplary operating environment. Such media may include magnetic tape cassettes, flash-memory cards, digital video disks (DVD), Bernoulli cartridges, RAMs, ROMs, and the like.

In various embodiments, program modules are stored on the hard disk drive 27, magnetic disk 29, optical disk 31, ROM 24 and/or RAM 25 and can be moved among these devices, e.g., from hard disk drive 27 to RAM 25. Program modules include operating system 35, one or more application programs 36, other program modules 37, and/or program data 38. A user can enter commands and information into personal computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) for various embodiments include one or more devices selected from a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial-port interface 46 coupled to system bus 23, but in other embodiments they are connected through other interfaces not shown in FIG. 1, such as a parallel port, a game port, or a universal serial bus (USB) interface. A monitor 47 or other display device also connects to system bus 23 via an interface such as a video adapter 48. In some embodiments, one or more speakers 57 or other audio output transducers are driven by sound adapter 56 connected to system bus 23. In some embodiments, in addition to the monitor 47, system 80 includes other peripheral output devices (not shown) such as a printer or the like.

In some embodiments, personal computer 20 operates in a networked environment using logical connections to one or more remote computers such as remote computer 49. Remote computer 49 can be another personal computer, a server, a router, a network PC, a peer device, or other common network node. Remote computer 49 typically includes many or all of the components described above in connection with personal computer 20; however, only a storage device 50 is illustrated in FIG. 1. The logical connections depicted in FIG. 1 include local-area network (LAN) 51 and a wide-area network (WAN) 52, both of which are shown connecting PC 20 to remote computer 49; typical embodiments would only include one or the other. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When placed in a LAN networking environment, PC 20 connects to local network 51 through a network interface or adapter 53. When used in a WAN networking environment such as the Internet, PC 20 typically includes modem 54 or other means for establishing communications over network 52. Modem 54 may be internal or external to PC 20 and connects to system bus 23 via serial-port interface 46 in the embodiment shown. In a networked environment, program modules depicted as residing within PC 20 or portions thereof may be stored in remote-storage device 50. Of course, the network connections shown are illustrative, and other means of establishing a communications link between the computers can be substituted.

Software can be designed using many different methods, including object-oriented programming methods. C++ and Java are two examples of common object-oriented computer programming languages that provide functionality associated with object-oriented programming. Object-oriented programming methods provide a means to encapsulate data members (variables) and member functions (methods) that operate on that data into a single entity called a class. Object-oriented programming methods also provide a means to create new classes based on existing classes.

An object is an instance of a class. The data members of an object are attributes that are stored inside the computer memory, and the methods are executable computer code that act upon this data, along with potentially providing other services. The notion of an object is exploited in the present invention in that certain aspects of the invention are implemented as objects in some embodiments.

An interface is a group of related functions that are organized into a named unit. Some identifier can uniquely identify each interface. Interfaces have no instantiation; that is, an interface is a definition only without the executable code needed to implement the methods that are specified by the interface. An object can support an interface by providing executable code for the methods specified by the interface. The executable code supplied by the object must comply with the definitions specified by the interface. The object can also provide additional methods. Those skilled in the art will recognize that interfaces are not limited to use in or by an object-oriented programming environment.

System Level Overview

FIG. 2 illustrates a system-level overview of an exemplary implementation of the invention. The invention has utility in the area of data processing, where it can be used to analyze the performance of a data processing system, and in particular application software, whether under development, undergoing testing, or in full utilization. The invention is commercially available from Microsoft Corporation as the "Visual Studio".RTM. development system or "Visual Studio Analyzer".RTM.. In addition, certain portions of the invention are provided within the Microsoft Windows.RTM. operating system.

The "Visual Studio" development system collects application data by use of instrumentation within the application environment in an efficient, distributed collection architecture. Any application built with any development tool can be automatically analyzed and diagnosed, provided it uses standard middleware and operating system components. There is no requirement for any changes to the application itself.

As mentioned in the Background section earlier, distributed data processing systems can be relatively simple or extremely complex. The developer of software operating on a distributed data processing system is usually faced with serious challenges in understanding the functional operation and behavior of such software as it is executing.

The system illustrated in FIG. 2 is a globally distributed system in which different machines 100, 102, 104, 106, and 108 are physically located on several different continents. These machines are shown as interconnected via hardwire, fiber-optic cable, radio frequency, or other suitable links 130, 132, 134, and 136 in an arbitrary network arrangement spanning a large portion of the globe. The difficulties in understanding and trouble-shooting systems of this complexity have been significant until the present invention.

The present invention enables complex distributed applications to be readily understood and analyzed, notwithstanding that the machines on which they are running may be thousands of miles apart, and notwithstanding that the developer may not have access to source code for the underlying software upon which his or her application is running.

With reference to FIG. 2, the box identified as VSA 100 is a control and display station that comprises computer hardware and software. VSA 100 is coupled to one or more machines, e.g. machines 102, 104, 106, and 108. Each machine includes a Local Event Concentrator (LEC) 112,152. One LEC is provided per physical machine, although in a different implementation more could be provided if desired. VSA 100 activates an LEC when it wants that LEC to start collecting events, and VSA 100 deactivates an LEC when it wants it to stop collecting events. In addition to VSA 100, other client machines can also activate or deactivate an LEC 112 or 152.

Each LEC 112, 152 is coupled to a respective process space 110, 150. Each process space 110, 150 can each comprise a group of In-process Event Creators (IECs), such as IECs #1.1 through #1.N in group 110.

Each LEC 112, 152 is further coupled to a respective process space 114, 154. Each process space 114, 154 can each comprise a group of Dynamic Event Creators (DECs), such as DECs #1.1 through #1.N in group 114. Process spaces 110 and 114 can be identical or different for machine 104; likewise for the process spaces 150, 154 associated with machine 106. While all DECs are shown in FIG. 2 as residing in process spaces 114, 154, in one embodiment DECs that capture global machine state (such as PerfMon data) reside only within the LEC process space.

Machine-level Overview

FIG. 3 illustrates a machine-level overview of an exemplary embodiment of the invention. In FIG. 7 three major portions of the process space of a machine are shown in the form of Applications 190, Operating System 191, and Additional Components 192.

In one aspect, the invention comprises one local event concentrator (LEC) 199 for each machine. Applications portion 190 has an IEC 193 associated with it; Operating Systems portion 191 has an IEC 195 associated with it; and Additional Components portion 192 has an IEC 197 associated with it.

There is at least one dynamic event creator (DEC) per machine, such as DEC 189, which is in the process space of LEC 199. It will be apparent to one of ordinary skill in the art that DECs could be provided for each portion 190, 191, 192 of the machine's process space. This is shown in FIG. 3 by DEC boxes 194, 196, 198 having dashed lines.

Events created by IECs 193, 195, 197 and DECs 189, 194, 196, 198 are collected by LEC 199. The LEC 199 collects events generated by the IECs and DECs and sends these events to the user's control station, VSA 100, for analysis and display in a user-determined format.

IECs and DECs reside in the process space of data sources within a machine, and they "report on" these data sources. They each do this by creating events that are sent to and collected by the LEC. They are active only when the user is interested in knowing about these events and in understanding the system performance.

IECs and DECs differ in their purpose. An IEC creates an event when a user-specified condition (other than time-valued data) occurs. An example could be "a COM event in Machine A". A DEC, on the other hand, creates an event to reflect data whose value is measured on a periodic or time basis. An example could be PerfMon data reflecting CPU utilization.

As mentioned in the Summary section above, the system described herein for analyzing the performance of a data processing system is a comprehensive one with many different aspects, each of which will now be described in the section below entitled Exemplary Embodiments of the Invention.

Exemplary Embodiments of the Invention Collection, Capture & Transmission of Data

Data collection begins in the IECs. An IEC is a subroutine that marshals the desired data into a special format and puts it in a shared memory buffer. As mentioned above, IECs reside in the process space of a data source.

An IEC exports two main functions: IsActive and FireEvent. The IsActive function is used by data sources to determine if any analysis is being performed against a particular data source. When a piece of code reaches a point of interest, the IsActive function is called, which returns True or False as to whether or not anyone is interested. If the IsActive status condition is set True for a particular data source, the FireEvent function is used to dispatch an event to the centralized collection system of the requesting user. If IsActive returns False, an entity can reduce any adverse performance impact by not formatting data for FireEvent. The FireEvent function is implemented in both a synchronous and an asynchronous manner in the present invention.

When an LEC has been activated by the VSA 100, it can turn an IEC on or off, i.e. it switches its IsActive status to True or False. That Boolean status is maintained in the process, so there are really never any in-process transitions, and the code never changes. When IsActive is True, events are generated. When the VSA 100 user wants to stop monitoring events, everything can be quickly disconnected. IsActive is set to False, and the application never changes.

Also, when an LEC has been activated by VSA 100, it can turn a DEC on or off, depending upon whether the DEC is to collect events. When a DEC is to stop collecting events, an LEC simply turns it off. As for IECs, an LEC starts and stops DECs as specified by a user-specified filter, as will be discussed further below.

Instead of turning individual IECs on and off, a portion of the IECs or all of the IECs can be turned on or off. The same applies to other structures of the invention, including DECs and LECs.

To improve system-wide efficiency, the operating system or middleware defers the creation of an IEC until the user actually begins collection of events. IECs are only created for users who desire to monitor system performance. They are automatically created when needed. This ensures that, if the system is not under analysis, the performance impact of operating the performance analyzer is negligible. Additionally, the system is able to remove all of the IECs from memory when analysis completes, so that a system wherein analysis has finished behaves with the same characteristics as before performance began, unlike many traditional tools.

IECs and DECs are created by the operating system, middleware, and application components that are sourcing the events. The creation of an IEC will now be described. Assume that a middleware entity wants to fire events. It asks the operating system to create an IEC. The operating system creates an IEC "reference", ready for the IEC in case the user wants to start monitoring data. When the user wants to start monitoring data, the LEC tells the operating system to convert the IEC "reference" into a real IEC. The operating system converts all the IEC references into real IECs the first time they are used.

Events from IECs in process spaces 110, 150 are passed to a respective LEC 112,152 via shared memory buffers. This allows the event to be communicated without requiring a process context switch. Each IEC has its own buffer in shared memory, to ensure that conflicts between events and locking do not distort system performance.

In one currently implemented embodiment there is only one LEC per machine. It collects events from all IECs in all processes on the system that are being analyzed, and it sends the desired events back to the VSA 100. Since this communication is likely to be cross-machine, an efficient batching mechanism is used to reduce network traffic, and transmission is scheduled for low-system load times. To ensure efficient dispatch of events across the network, the LEC process runs at a lower than normal priority. This means that events will tend to be flashed across the network when the machine is not busy running the real application or when the real application is blocked, e.g., when it is waiting for data to be read from disk. To further reduce performance impact, events from many IECs are collected together and will not be sent more than some fixed period of time, e.g. every one-half to one second in one embodiment. If the number of events to be sent exceeds the buffering capacity, events will either be sent immediately or thrown away, depending upon a setting made at the control station.

Communication between the VSA 100 and the LECs also exists to establish clock skews so that event times throughout the distributed application can be synchronized. Any known clock skew calculators can be used for this purpose.

A DEC is similar to an IEC except that it deals with data whose value can be measured continuously, and whose values need to be recorded at regularly scheduled intervals. To reduce system complexity and increase flexibility in handling data, these "measured" events are treated internally just like events that are triggered by the system's behavior. This allows collection, synchronization, and analysis of both event-driven and time-driven data.

As opposed to an IEC which reports on the occurrence of events (i.e. "this thing happened"), a DEC gathers information on a time basis, such as memory usage within the system, not necessarily events coming from within the application. For example, a DEC might every second measure the memory usage of the system and send back an event that says "current memory usage is 2 megabytes". A DEC could also report on disk usage or CPU usage. A DEC could be created within the application itself to measure application-specific parameters such as, for example, the number of queries currently executing within a database system or the number of words currently misspelled in a word-processing document. Generally speaking, a DEC can measure any continuously varying data, i.e., anything which could be represented by a graph.

The VSA 100 collects all reported information and stores it in an efficient centralized store. The centralized store can simply be a data file in which data is organized in a certain way, i.e. a memory-mapped file. Other embodiments of an efficient data store could be a relational database, an in-memory data structure, a regular file, or any other suitable structure which can handle large volumes of data with an efficient access time.

Once written to, it can be read many times. Data is organized so it's easy to write, since incoming data volume can be very high, and also so it's easy to read directly from disk, since dataset size will typically preclude loading all data into memory.

Since data collection for one embodiment of the invention doesn't involve a multiple update problem, this was taken into consideration in designing the data structure. File-mapped memory buffers were used so that information could be quickly retrieved from disk and stored into memory in an efficient way. Thus the system is able to receive potentially many thousands of events per second. It is stored on disk in the order that it arrives.

It will be apparent to one of ordinary skill in the art that the present invention is equally applicable to a distributed system in a single machine. A single machine can be running more than one process, for example an operating system and a data base application.

It will further be apparent to one of ordinary skill that if the performance cost of a context switch is not of great concern, then it could in fact be carried out, provided that one appropriately factors it into the performance analysis.

It will be appreciated that just because the LEC is collecting something doesn't mean that it is necessarily what the VSA user wants. As will be explained below, user-specified filtering can occur in the IEC or in the LEC to reduce the information. In addition, the LEC, in a currently implemented embodiment, can buffer all or a substantial portion of the information that it sends out to the VSA, so it sends bursts on the network rather than continuous traffic. In addition, it can also run as a lower priority, so it's buffering up all of the information rather than directly slowing down the application. In addition, it can further compress data to reduce network overhead.

Operation of VSA

The operation of the VSA will now be described. When an application starts up, the operating system software or the "middleware" that the application is using creates an IEC reference, and if there's an LEC on the system the IEC reference hooks itself up to the LEC. However, if no one is analyzing the system yet, there will be no LEC yet, and the IEC reference will remain unhooked up.

Then the IEC reference goes into quiescent mode. The application keeps running, and nothing special is going on to slow it down.

Now, if someone wants to analyze what's going on, they turn on the VSA 100, and they indicate that they want to hook up to a particular machine, so it turns on an LEC on that system. That LEC connects to all of the IECs on that system, and it starts any DECs, for example to monitor CPU usage. DECs measure and report on time-based interval events, while IECs watch for and report on the occurrence of events. It will be apparent to one of ordinary skill that while the LEC is created by the VSA 100 in a currently implemented embodiment, it could be automatically created when the first IEC reference exists.

The VSA user specifies what information is to be collected. That information is broken down per machine and passed to the LEC for each machine. The LEC then breaks that down, per IEC, and basically turns the IECs on or off where appropriate. When IsActive is set True in an IEC, it is no longer quiescent, and that IEC starts sending collected data to its associated LEC. When the user shuts down the VSA, the IECs, DECs, and LECs revert back to their quiescent states.

The interface between the VSA and an LEC can operate under DCOM. Everything else can run under COM, except for the shared memory communication between the IEC and the LEC. The IEC writes information into a shared memory buffer and never takes a process context switch. COM is used basically only for initialization.

A third party developer is able to write a COM interface for its application and use the VSA to analyze its performance. It doesn't have to link any additional libraries.

Data Design--Pre-defined Event Fields and Custom Fields

FIG. 4 illustrates in schematic fashion pre-defined event fields and custom fields, which are included in an event packet within an exemplary embodiment of the invention. Pre-defined event fields are generally always present in an event packet, whether the user specifies them or not. Custom fields can also be assigned by a user. In the invention each event may include a number of pre-defined or standard pieces of information, as well as custom or arbitrary user-specified information. This information becomes important when filter reduction occurs, as will be described further below.

As shown in FIG. 4, a VSA event comprises pre-defined event fields 160 and custom fields 162. Not all pre-defined event fields have to be provided for every event. Pre-defined event fields 160 enable the data structure of the invention. If the user doesn't specify pre-defined event fields, intelligent default values are automatically provided for them.

Custom fields 162 can be generated by the user, but none of them is essential to the data design.

What distinguishes pre-defined event fields from custom fields is that pre-defined event fields have pre-defined semantics and are therefore useable by the analysis mechanism to determine the interrelationship among events. Without pre-defined event fields, the analysis mechanism would be unable to make any reasonable deductions about the events and would only be able to provide a useless list of events. Further, the set of pre-defined event fields is optimized for effective and efficient analysis. The specific names and functions are described in Table 1 below.

Some important pre-defined event fields are the Machine, Process, Entity (referred to as "Component" in Table 1 below and in the APIs ), Instance (referred to as "Session" in Table 1 below and in the APIs), and Handle fields, both for the Source as well as for the Target. Their use will be explained in greater detail below.

Pre-defined event fields are listed in Table 1 below:

                             TABLE 1
                     Pre-Defined Event Fields
                         Arguments
                         CausalityID
                         CorrelationID
                         DynamicEvent Data
                         Exception
                         ReturnValue
                         SecurityIdentity
                         SourceComponent
                         SourceHandle
                         SourceMachine
                         SourceProcess
                         SourceProcessName
                         SourceSession
                         SourceThread
                         TargetComponent
                         TargetHandle
                         TargetMachine
                         TargetProcess
                         TargetProcessName
                         TargetSession
                         TargetThread
                         Time
                         Entity
                         Instance

                             TABLE 2
                   Pre-Defined Event Categories
                           All
                           Call/Return
                           Measured
                           Query/Result
                           Start/Stop
                           Transaction

                             TABLE 3
                           Event Types
        Begin/End - correspond to a set of events that surround an action.
        Default - for a default event (or unspecified event type).
        Generic - for a simple event (not a grouped event).
        Measured - for DEC events.
        Outbound/Inbound - for call/return events. Outbound means the
        transition is "out" of the component. Inbound means the
        transition is "into" the component.

                             TABLE 4
                Pre-Defined Events and Categories
          Event                Category          Type
          Call                 Call/Return       Outbound
          Call Data            Call/Return       Outbound
          Component Start      Start/Stop        Begin
          Component Stop       Start/Stop        End
          Enter                Call/Return       Inbound
          Enter Data           Call/Return       Inbound
          Events Lost          Transaction       Generic
          Leave Data           Call/Return       Outbound
          Leave Exception      Call/Return       Outbound
          Leave Normal         Call/Return       Outbound
          Query Enter          Query/Result      Inbound
          Query Leave          Query/Result      Outbound
          Query Result         Query/Result      Inbound
          Query Send           Query/Result      Outbound
          Return               Call/Return       Inbound
          Return Data          Call/Return       Inbound
          Return Exception     Call/Return       Inbound
          Return Normal        Call/Return       Inbound
          Transaction          Transaction       End
          Commit
          Transaction          Transaction       End
          Rollback
          Transaction Start    Transaction       Begin
          User                 All               Generic

    HRESULT BeginSession(
        [in] REFGUID guidSourcelD,
        [in] LPCOLESTR strSessionName
    );
        HRESULT EndSession(
        );
        HRESULT IsActive(
        );
        typedef [v1_enum] enum VSAParameterType {
            cVSAParameterKeyMask= 0x80000000,
            cVSAParameterKeyString=0x80000000,
            cVSAParameterValueMask=0x0007ffff,
            cVSAParameterValueTypeMask=0x00070000,
            cVSAParameterValueUnicodeString=0x00000,
            cVSAParameterValueANSIString=0x10000,
            cVSAParameterValueGUID=0x20000,
            cVSAParameterValueDWORD=0x30000,
            cVSAParameterValueBYTEArray=0x40000,
            cVSAParameterValueLengthMask=0xffff,
        } VSAParameterFlags;
        typedef [v1_enum] enum VSAStandardParameter {
            cVSAStandardParameterDefaultFirst=0,
            cVSAStandardParameterSourceMachine=0,
            cVSAStandardParameterSourceProcess=1,
            cVSAStandardParameterSourceThread=2,
            cVSAStandardParameterSourceComponent=3,
            cVSAStandardParameterSourceSession=4,
            cVSAStandardParameterTargetMachine=5,
            cVSAStandardParameterTargetProcess=6,
            cVSAStandardParameterTargetThread=7,
            cVSAStandardParameterTargetComponent=8,
            cVSAStandardParameterTargetSession=9,
            cVSAStandardParameterSecurityIdentity=10,
            cVSAStandardParameterCausalityID=11,
            cVSAStandardParameterSourceProcessName=12,
            cVSAStandardParameterTargetProcessName=13,
            cVSAStandardParameterDefaultLast=13,
            cVSAStandardParameterNoDefault=0x4000,
            cVSAStandardParameterSourceHandle=0x4000,
            cVSAStandardParameterTargetHandle=0x4001,
            cVSAStandardParameterArguments=0x4002,
            cVSAStandardParameterReturnValue=0x4003,
            cVSAStandardParameterException=0x4004,
            cVSAStandardParameterCorrelationID=0x4005,
            cVSAStandardParameterDynamicEventData=0x4006,
            cVSAStandardParameterNoDefaultLast=0x4006
        } VSAStandardParameters;
        typedef [v1_enum] enum eVSAEventFlags {
            cVSAEventStandard=0,
            cVSAEventDefaultSource=1,
            cVSAEventDefaultTarget=2,
            cVSAEventForceSend=8
        } VSAEventFlags;
        HRESULT FireEvent(
            [in] REFGUID guidEvent,
            [in] int nEntries,
            [in, size_is(nEntries)] LPDWORD rgKeys,
            [in, size_is(nEntries)] LPDWORD rgValues,
            [in, size_is(nEntries)] LPDWORD rgTypes,
            [in] DWORD dwTimeLow,
            [in] LONG dwTimeHigh,
            [in] VSAEventFlags dwFlags
        );
    }

                  HRESULT BeginSession(
                      [in] BSTR guidSourceID,
                      [in] BSTR strSessionName
                  );
                  HRESULT EndSession(
                  );
                  HRESULT IsActive(
                      [out] VARIANT_BOOL *pbIsActive
                  );
                  HRESULT FireEvent(
                      [in] BSTR guidEvent,
                      [in] VARIANT rgKeys,
                      [in] VARIANT rgValues,
                      [in] long rgCount,
                      [in] VSAEventFlags dwFlags
                  );
              }

                  HRESULT RegisterSource(
                      [in] LPCOLESTR strVisibleName,
                      [in] REFGUID guidSourceID
                  );
                  HRESULT IsSourceRegistered(
                      [in] REFGUID guidSourceID
                  );
                  HRESULT RegisterStockEvent(
                      [in] REFGUID guidSourceID,
                      [in] REFGUID guidEventID
                  );
                  HRESULT RegisterCustomEvent(
                      [in] REFGUID guidSourceID,
                      [in] REFGUID guidEventID,
                      [in] LPCOLESTR strVisibleName,
                      [in] LPCOLESTR strDescription,
                      [in] long nEventType,
                      [in] REFGUID guidCategory,
                      [in] LPCOLESTR strIconFile,
                                        [in] long nIcon
                  );
                  HRESULT RegisterEventCategory(
                      [in] REFGUID guidSourceID,
                      [in] REFGUID guidCategoryID,
                      [in] REFGUID guidParentID,
                      [in] LPCOLESTR strVisibleName,
                      [in] LPCOLESTR strDescription,
                      [in] LPCOLESTR strIconFile,
                      [in] long nIcon
                  );
                  HRESULT UnRegisterSource(
                      [in] REFGUID guidSourceID
                  );
                  HRESULT RegisterDynamicSource(
                      [in] LPCOLESTR strVisibleName,
                      [in] REFGUID guidSourceID,
                      [in] LPCOLESTR strDescription,
                      [in] REFGUID guidClsid,
                      [in] long inproc);
                  HRESULT UnRegisterDynamicSource(
                      [in] REFGUID guidSourceID);
                  HRESULT IsDynamicSourceRegistered(
                      [in] REFGUID guidSourceID);
              };

                HRESULT RegisterSource(
                    [in] BSTR strVisibleName,
                    [in] BSTR guidSourceID
                );
                HRESULT IsSourceRegistered(
                    [in] BSTR guidSourceID,
                    [out] VARIANT_BOOL *pbIsRegistered
                );
                HRESULT RegisterStockEvent(
                    [in] BSTR guidSourceID,
                    [in] BSTR guidEventID
                );
                HRESULT RegisterCustomEvent(
                    [in] BSTR guidSourceID,
                    [in] BSTR guidEventID,
                    [in] BSTR strVisibleName,
                    [in] BSTR strDescription,
                    [in] long nEventType,
                    [in] BSTR guidCategory,
                    [in] BSTR strIconFile,
                    [in] long nIcon
                );
                HRESULT RegisterEventCategory(
                    [in] BSTR guidSourceID,
                    [in] BSTR guidCategoryID,
                    [in] BSTR guidParentID,
                    [in] BSTR strVisibleName,
                    [in] BSTR strDescription,
                    [in] BSTR strIconFile,
                    [in] long nIcon
                );
                HRESULT UnRegisterSource(
                    [in] BSTR guidSourceID
                );
                HRESULT RegisterDynamicSource(
                    [in] BSTR strVisibleName,
                    [in] BSTR guidSourceID,
                    [in] BSTR strDescription,
                    [in] BSTR guidClsid,
                    [in] long inproc);
                HRESULT UnRegisterDynamicSource(
                    [in] BSTR guidSourceID);
                HRESULT IsDynamicSourceRegistered(
                    [in] BSTR guidSourceID,
                    [out] VARIANT_BOOL *boolRegistered);
            };