Introduction to the new Sysinternals tool: RAMMap

Hello everyone, I’d like to introduce myself. My name is Ray Ackley and I’m a Support Escalation Engineer in the Performance specialty. I’d like to talk a bit about a new tool that allows us to examine a vital performance resource: physical memory.

This tool is called RAMMap and it is available from Sysinternals at http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx. It allows us to examine detailed memory usage information in a way that is easily accessible.

Each tab has its own wealth of data, but I’ll be focusing on the Use Counts and File Summary tabs as they offer the information I think most people will be interested in.

Use Counts

Memory management is a complex beast, so let’s run through a quick refresher of these categories.

Across the top we have:

Active: Pages of physical RAM in active use by the specified category (usually a process working set or the system working set).

Standby: Pages of physical RAM not actively being used. These are still left in physical RAM but will be repurposed first by the memory manager (either returned to the active list or zeroed out and reused) if something needs physical RAM for active pages. Standby pages are essentially cache – it’s better to have infrequently used data kept in RAM “just in case” than pushing it out to disk when the memory isn’t needed for anything else.

Modified: Similar to Standby, but these are pages of physical RAM that have been changed and must be flushed to disk before reusing them.

Modified no write: Similar to Modified pages, but these have been marked not to be written out to disk.

Transition: Pages that are in transition between any of the other categories.

Zeroed: Pages that have been zeroed out and are ready to be used – they can be quickly allocated for new physical memory allocations. You will usually only see a significant amount of Zeroed pages after a system is booted. After the system has “settled in” you will likely see these pages being put to good use somewhere on the Standby list as cache.

Free: Free pages are free to be used but have some type of “dirty” data in them, so they must be zeroed for security reasons before being given to a user process. These are usually pages that have been freed by an exiting process. Contrary to the general notion of free memory being good, when you are looking at the Free list here, keep in mind that these pages will be put on the Zeroed list so they are one step closer to being used. This zeroing is periodically done at a low priority by the memory manager’s zero thread, or it can be done on demand when larger numbers of pages are needed and the zero list becomes exhausted.

Bad: These are physical pages that have been marked as bad.

Down the left side we have:

Process Private: Memory allocated for use only by a single process.

Mapped File: Also known as section objects, mapped “views” of files are when the contents of that file are mapped to virtual addresses in memory. This can be a process mapping views of files into its memory (for reading or writing) or for the system file cache. For more details on mapped files, see the references at the end of this post.

Shared Memory: Pages that have been marked as shared can be used by multiple processes.

Page Table: Page tables contain PTEs (Page Table Entries), which describe virtual address usage.

Paged Pool: Kernel pooled memory that can be paged to disk.

Nonpaged Pool: Kernel pooled memory that cannot be paged to disk.

System PTEs: Page Table Entries allow the mapping of virtual memory addresses to physical memory addresses. System Page Table Entries are a pool of PTEs used to dynamically map system pages such as I/O space, kernel stacks and the mapping of memory descriptor lists. System PTEs can theoretically describe up to 2GB on x86 systems and 128GB on x64 systems. Note that each process also has its own set of PTEs for its own individual virtual address range (0-2GB on x86 systems, 0-8TB on x64 systems). This topic is explained in detail in Chapter 9 of Windows Internals 5th Edition.

Session Private: Memory that is private to a particular logged in session. This will be higher on RDS Session Host servers.

Metafile: Metafile is part of the system cache and consists of NTFS metadata. NTFS metadata includes the MFT as well as the other various NTFS metadata files (see How NTFS Works for more details, and of course Windows Internals is a great reference). In the MFT each file attribute record takes 1k and each file has at least one attribute record. Add to this the other NTFS metadata files and you can see why the Metafile category can grow quite large on servers with lots of files.

AWE: Address Windowing Extensions allows an application to map different views of physical memory into its address space. You will typically see this used by SQL or other database applications.

Driver Locked: These are pages that have been locked in physical RAM by a driver. This can be done for small/temporary purposes like I/O or for larger/longer allocations like RAM drives or other large locked memory reservations. For more details see http://www.microsoft.com/whdc/driver/tips/mmprobe.mspx.

Kernel Stack: The amount of space used by kernel thread stacks. The more threads on the system, the larger this value will be.
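
The Standby, Modified, Free and Zeroed columns described above can also be read from the command line through the built-in Memory performance counters. The script below is an added example, not part of the original post or of RAMMap; it assumes Windows Vista/Server 2008 or later with English counter names, and the labels in `$map` are chosen here for illustration.

```powershell
# Added example: read the page-list sizes that RAMMap's Use Counts columns
# summarize, using the built-in Memory performance counters.
# Assumption: English-language Windows (counter names are localized).
$map = @(
    @{ Name = 'Standby (reserve)'; Path = '\Memory\Standby Cache Reserve Bytes' },
    @{ Name = 'Standby (normal)';  Path = '\Memory\Standby Cache Normal Priority Bytes' },
    @{ Name = 'Standby (core)';    Path = '\Memory\Standby Cache Core Bytes' },
    @{ Name = 'Modified';          Path = '\Memory\Modified Page List Bytes' },
    @{ Name = 'Free + Zeroed';     Path = '\Memory\Free & Zero Page List Bytes' },
    @{ Name = 'Available';         Path = '\Memory\Available Bytes' }
)

# Take one sample of every counter in a single call so the values line up.
$paths   = $map | ForEach-Object { $_.Path }
$samples = (Get-Counter -Counter $paths).CounterSamples

# Sample paths come back as \\HOST\memory\..., so match on the suffix.
$mb = @{}
foreach ($m in $map) {
    $s = $samples | Where-Object { $_.Path -like ('*' + $m.Path) }
    $mb[$m.Name] = [math]::Round($s.CookedValue / 1MB, 1)
}

# The three standby priority groups together form the Standby column.
$standby = $mb['Standby (reserve)'] + $mb['Standby (normal)'] + $mb['Standby (core)']

# Available memory is the Standby list plus the Free and Zeroed lists,
# which is why a large Standby total is cache, not memory pressure.
$expected = $standby + $mb['Free + Zeroed']

$fmt = '{0,-28}{1,12:N1} MB'
$fmt -f 'Standby (all priorities)', $standby
$fmt -f 'Modified',                 $mb['Modified']
$fmt -f 'Free + Zeroed',            $mb['Free + Zeroed']
$fmt -f 'Standby + Free + Zeroed',  $expected
$fmt -f 'Available (counter)',      $mb['Available']

# Modified pages must be written to disk before reuse, so they are not
# counted as available; a persistently large value deserves a closer look.
if ($mb['Modified'] -gt $standby) {
    'Modified list is larger than Standby: check for slow or stalled page writes.'
}
```

The counters report the Free and Zeroed lists as one combined value, so this view cannot separate them the way RAMMap does.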

File Summary

The next page of interest is the File Summary tab.  The File Summary tab will show you very detailed information about which files are loaded in RAM on your system, including a breakdown of how that memory is being used (Active, Standby, Modified and Modified No-Write).  This tab makes it very easy to track down which files are using your RAM.

For example, on this system we have about 7.8GB of RAM being used by Mapped File:

Although 7.2 GB of this is Standby and therefore just cached, it still represents a large amount of RAM being used. So what are we using/caching?

Mystery solved. The Outlook offline storage file is taking up the most RAM, followed by my local search index and several thousand smaller files. However, it is important to remember that in this case the memory is almost all on the Standby list, so the OS is simply using the “extra” RAM to cache data for faster access.

For more details please reference the following:

Windows Internals, Fifth Edition
http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301
The Memory Shell Game
http://blogs.msdn.com/b/ntdebugging/archive/2007/10/10/the-memory-shell-game.aspx
How NTFS Works
http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
File Mapping
http://msdn.microsoft.com/en-us/library/aa366556%28VS.85%29.aspx
Managing Memory-Mapped Files
http://msdn.microsoft.com/en-us/library/ms810613.aspx
 

Ray Ackley

  • Is there any command line switch options for the tool?

    Thanks

  • Yes, a command-line version would be incredibly useful for unattended diagnostics.

  • Any information about command line since your comments?

  • Is a Windows XP version possible or does this depend upon a Vista+ API?

  • @Josh

    from what we know it depends on Vista+ APIs.

  • It seems like the chances are slim, but a commandline version of this tool would really help in a situation we're experiencing at a client site.  Please?

  • Seriously, a command line switch that works the same as the Empty Standby List menu option would be very useful.  Especially given some of us are still having problems in this area:

    blogs.technet.com/.../windows-7-and-windows-server-2008-r2-do-you-still-need-the-microsoft-windows-dynamic-cache-service.aspx

  • @Paul:

    look here:

    forum.sysinternals.com/rammap-empty-standby-list_topic27297_post135003.html

  • ## Metafile size

    These questions are about the Metafile size

    * does Windows 6.1 have Metafile size options?

    * is it reduced when "Process Private" attempt to allocate memory when there's no free memory?

    because

    * it's large, in the Active column it's [12 543 128 K](www.dropbox.com/.../memory) of the total 28 215 156 K

    ## System

    ver

    Microsoft Windows [Version 6.1.7601]

  • @John

    follow the link of Paul: blogs.technet.com/.../windows-7-and-windows-server-2008-r2-do-you-still-need-the-microsoft-windows-dynamic-cache-service.aspx

    and request the Server 2008 R2 version of the service.

  • For some reason RamMap keeps crashing on a machine I'm trying to run it on (Windows Server 2008 R2, 64-bit)

    Problem signature:

     Problem Event Name: APPCRASH

     Application Name: RAMMap64.exe

     Application Version: 1.22.0.0

     Application Timestamp: 50be7232

     Fault Module Name: RAMMap64.exe

     Fault Module Version: 1.22.0.0

     Fault Module Timestamp: 50be7232

     Exception Code: c0000005

     Exception Offset: 000000000001c250

     OS Version: 6.1.7601.2.1.0.274.10

     Locale ID: 1033

  • @Nat:  c0000005 = Access is denied.  Try capturing a Procmon log while launching Rammap, then check for Result = Access Denied.

  • thanks, I'll try that next time.

    I am able to run this on other machines, but when I do the "File Summary" tab only shows a few entries:  comctl32.dll, rammpa64.exe, and staticcache.date (fonts dir)

    This is a server running Windows Server 2008 R2 (it is a virtual machine however running in Hyper-V)

    Any ideas?

  • I have Windows Server 2008 R2 edition, ran RAMMap and found Kernel Stack is using more memory. My question is how to reduce this memory utilization. Please help to solve this issue.