Clint Huffman's Windows Troubleshooting in the Field Blog

W3C IIS Log Analysis using Log Parser 07 January 10 09:27 PM | clinth@microsoft.com | 0 Comments

I was recently on the PowerScripting Podcast where we talked about the PAL tool and the challenges with developing it in PowerShell v2.0 such as dealing with very large PowerShell scripts. While on the podcast some of listeners asked about analyzing IIS W3C logs.

PAL doesn’t analyze IIS W3C logs, but I have quite a few Microsoft Log Parser queries that I use when I do IIS Health Checks – an offering from Microsoft Premier Field Engineering (PFE). This seems like a good time to publish some of them. Keep in mind that many of these originally came from the Microsoft Log Parser help documentation.

The following Microsoft Log Parser queries are the ones I typically use when analyzing IIS W3C logs. Many of these queries need additional information passed into Log Parser to work properly. See the Microsoft Log Parser documentation for more information on how to use these queries.

[Chart] Top 20 hit URLs:
SELECT TOP 20 cs-uri-stem, COUNT(*) AS Hits INTO IISLOG_ANALYSIS_TOP20_HITS.GIF FROM MERGED_LOG.CSV GROUP BY cs-uri-stem ORDER BY Hits DESC

[Chart] Top 10 ASP/ASPX URLs:
SELECT TOP 10 cs-uri-stem, COUNT(*) AS Hits INTO IISLOG_ANALYSIS_TOP10_ASPX_HITS_Date_10-06-2009_14-37-56PM.GIF FROM MERGED_LOG.CSV where cs-uri-stem like '%%.asp' or cs-uri-stem like '%%.aspx' GROUP BY cs-uri-stem ORDER BY Hits DESC

[Chart] Hit Frequency each hour:
SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), COUNT(*) AS Hit_Frequency INTO IISLOG_ANALYSIS_HIT_FREQ_Date_10-06-2009_14-37-56PM.GIF FROM MERGED_LOG.LOG GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) DESC

[Chart] Bytes Per Extension:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS Extension, MUL(PROPSUM(sc-bytes),100.0) AS Bytes INTO IISLOG_ANALYSIS_BYTES_PER_EXT_Date_10-06-2009_14-37-56PM.GIF FROM MERGED_LOG.CSV GROUP BY Extension ORDER BY Bytes DESC

[Chart] Top 20 Client IP Addresses:
SELECT top 20 c-ip AS Client_IP,count(c-ip) AS Count from MERGED_LOG.CSV to IISLOG_ANALYSIS_TOP20_CLIENT_IP_Date_10-06-2009_14-37-56PM.GIF GROUP BY c-ip ORDER BY count(c-ip) DESC

[Chart] Total Unique Client IP's each hour (Users each hour). This requires two queries to create this chart:
Select TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) as Times, c-ip as ClientIP into IISLOG_ANALYSIS_DIST_CLIENT_IP.LOG from MERGED_LOG.LOG group by Times, ClientIP
Select Times, count(*) as Count from IISLOG_ANALYSIS_DIST_CLIENT_IP.LOG to IISLOG_ANALYSIS_HOURLY_UNIQUE_CIP_Date_10-06-2009_14-37-56PM.GIF group by Times order by Times DESC

Number of Errors:
SELECT cs-uri-stem, sc-status,sc-win32-status,COUNT(cs-uri-stem) from MERGED_LOG.CSV to IISLOG_ANALYSIS_ERROR_COUNT_Date_10-06-2009_14-37-56PM.CSV where sc-status>=400 GROUP BY cs-uri-stem,sc-status,sc-win32-status ORDER BY COUNT(cs-uri-stem) DESC

Error Frequency Each Hour:
SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), COUNT(*) AS Error_Frequency FROM MERGED_LOG.LOG TO IISLOG_ANALYSIS_ERROR_FREQ_Date_10-06-2009_14-37-56PM.GIF WHERE sc-status >= 500 GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) DESC

Status Code Percentages:
SELECT sc-status, COUNT(*) AS Times from MERGED_LOG.CSV to IISLOG_ANALYSIS_STATUS_CODE_Date_10-06-2009_14-37-56PM.GIF GROUP BY sc-status ORDER BY Times DESC

Top 20 Average Longest Requests:
SELECT top 20 cs-uri-stem,count(cs-uri-stem) As Count,avg(sc-bytes) as sc-bytes,avg(cs-bytes) as cs-bytes,max(time-taken) as Max,min(time-taken) as Min,avg(time-taken) as Avg from MERGED_LOG.CSV to IISLOG_ANALYSIS_TOP20_AVG_LONGEST_Date_10-06-2009_14-37-56PM.CSV GROUP BY cs-uri-stem ORDER BY avg(time-taken) DESC

Average Response Times in Milliseconds Per Hour:
SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)), avg(time-taken) INTO IISLOG_ANALYSIS_AVG_RESP_TIME.GIF FROM MERGED_LOG.LOG WHERE sc-status=200 AND (cs-uri-stem like '%%.asp' or cs-uri-stem like '%%.aspx') GROUP BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) ORDER BY TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) DESC

About the Author – Clint Huffman 03 December 09 11:32 AM | clinth@microsoft.com | 0 Comments

Originally from Dayton, OH. Clint joined Microsoft in 1999 supporting web technologies, Microsoft load testing tools, and later worked as a Testing Consultant helping people with load testing at the Microsoft Services Labs. There he found a passion for solving Windows performance issues. In 2006, he joined Microsoft Premier Field Engineering (PFE) team to take on BizTalk performance issues only to find that most issues could be diagnosed by analyzing operating system resources. Some may say that performance analysis of Windows is more of an art than a science. Well, Clint strives to make it as much of a science as possible and to bring it to the masses. Clint is probably best known for the Performance Analysis of Logs (PAL) tool, which simplifies the analysis of performance monitor logs. He is an author of many of the BizTalk performance guides on MSDN and recently spoke at Tech Ed 2008 on BizTalk performance analysis. He currently lives in Marysville, WA which is about 40 miles north of Seattle.

Vital Signs Workshop: Clint teaches the Vital Signs workshop (originally created by Shane Creamer) which is a 3 day workshop that covers Windows architecture and how to identify performance bottlenecks.

Products: Clint primarily supports Microsoft BizTalk Server, Microsoft Internet Information Services (IIS), and scripting (VBScript or PowerShell).

PAL Tool: Clint wrote the free and open source PAL tool which saves you time by analyzing performance counter logs. You can check out the tool at http://pal.codeplex.com

Clint’s Windows Performance Analysis in the Field Blog: Clint blogs about the Windows performance issues he encounters in the field at http://blogs.technet.com/clinth.

Facebook: http://www.facebook.com/clint.huffman

Twitter: http://twitter.com/clinth

XBOX Live Gamer Tag: ClintHuffman

Email: clinth@microsoft.com

Microsoft Tag: Download Clint’s contact information to your phone. Get the free app for you phone at http://gettag.mobi. Works with Windows Mobile, iPhone, Blackberry, and may other camera phones.

PodCasts: Clint is a regular on the RunAs Radio show which is a free internet radio talk show podcast for IT Professionals talking about Windows performance analysis. Use your Zune Marketplace to subscribe to the podcast for free or go to http://www.runasradio.com.

How to engage PFE: Clint is part of the Microsoft Premier Field Engineering (PFE) team at Microsoft. If you would like to use PFE resources (onsite problem solving, training, risk assessments, etc) and if you have a Microsoft Premier Support Agreement, then contact your Microsoft Technical Account Manager (TAM). If you do not have a Microsoft Premier Support Agreement, then go to http://www.microsoft.com/services/microsoftservices/srv_premier.mspx for more info.

The Case of the Mysterious Black Box 18 November 09 06:54 PM | clinth@microsoft.com | 2 Comments

I haven’t had any performance analysis challenges lately, but there is a lot of confusion as to how to measure SAN performance. To many, a SAN is a proverbial “mysterious black box” that seems to perplex all who try to measure it’s performance with any measure of certainty. This blog entry covers how I measure the performance of SANs and tries to unlock the mysteries of the black box.

SAN hardware and configurations vary greatly between our customers and SAN vendors. Some carve out disk arrays that are stripped across only a few spindles while others stripe the entire disk array across all of the spindles.

Before I go too deep, let’s get some terminology out of the way. This is *my* interpretation of these terms and may differ from the industry.

Disk Terminology

The following terms are used frequently in the disk industry.

Spindle: A physical hard disk. The *real* disk installed in the hardware.

LUN (Line Unit Number): This is the physical disk representation to the Windows operating system – meaning Windows thinks it is a single spindle, but could be many spindles masked by the hardware.

Physical Disk: The same as LUN in regards to Windows.

Logical Disk: A drive letter or mount point mapped to a physical disk.

SAN’s Consolidate and Maximize Your Disk Investment, but…

SAN’s are popular because they consolidate spindles allowing you to maximize your investment. Imagine you have a large file server, a large database, and a few other high end servers all with high end disk arrays dedicated to them. In many cases, one or more of the large, dedicated disk arrays is under utilized and/or one of them is over utilized. The SAN consolidates all of the spindles into a single location and spreads the load across all of them to maximize utilization. While this is a great way to spread the load, it’s a gamble with performance.

SANs Gamble with Disk Performance

Since SAN’s spread the load across all of spindles in many cases, it is taking a gamble that no single spindle will be contested for any length of time. If that event occurs, then it tries to compensate with cache and other technologies. It does a great job of handling this. Unfortunately, the SANs allow the SAN administrator to hand out *many* LUNs from the same disk array. This ends up becoming more of an optimization of disk capacity versus disk performance. In many cases that I have witnessed myself, I have found so much contention that the LUN performance is reduced to the speed of a floppy drive which is about 900ms!

Disk Analysis Basics

When it comes to analyzing the performance of any disk in Windows, our best approach is the simplest one… monitor the disks for response times. Specifically, monitor “\LogicalDisk(*)\Avg Disk sec/Read” and “\LogicalDisk(*)\Avg Disk sec/Write” for values greater than 15ms (0.015) on average. 5400rpm drives are able to respond within 15ms with no cache in front of it. The spindles typically come with a specification showing their seek times. Effectively, if the response times are greater than the seek times, then the spindle is likely falling behind. With that said, there might be a more advanced reason for the high response times. For example, what if the bytes per I/O is 2MBs? That would explain the long response times.

My PAL tool checks and throws warning alerts for response times greater than 15ms and critical alerts for response time greater than 25ms.

Response times measured by “\LogicalDisk(*)\Avg Disk sec/Read” and “\LogicalDisk(*)\Avg Disk sec/Write” is our most authoritative and primary indicator of disk performance. With that said, it can’t tell us the entire story. When you see high disk response times, don’t go running to the SAN administrators(s) with guns a blazing. Work with them on their terms by providing details of your research. This shows that you are trying to help and that you understand their needs.

The Needs of the SAN Administrator

SAN administrators like to have the following details because these are metrics that they can typically do something about. Try to gather this information over a long period of time and have a chart of graph prepared when presenting your findings.

· Disk Read and Write response times which you can get from “\LogicalDisk(*)\Avg Disk sec/Read” and “\LogicalDisk(*)\Avg Disk sec/Write”. For example, Microsoft BizTalk Server database LUNs should get less than 15ms sustained response times for both read and write I/O.

· IOPS (I/O’s per second) which you can get from “\LogicalDisk(*)\Disk Transfers/sec”. This helps with determining how many dedicated spindles are needed to supply the demand for IOPS for the LUN. For example, BizTalk database LUNs should get a least 200 IOPS or more sustained – 500 IOPS or more preferred. Why? Because my 5400rpm USB drive can do 200 IOPS of random write I/O with 5ms response times on average. Why have a SAN if a USB drive can out perform it?

· Bytes per I/O which you can get from “\LogicalDisk(*)\Avg Disk Bytes/Read” and “\LogicalDisk(*)\Avg Disk Bytes/Write”. The size of the I/O’s on average will tell the SAN administrators how to format the blocksize of disk partitions. For example, BizTalk database LUNs typically do about 16K per read or write operation on average with frequent spikes of 64K. This is why we typically recommend formatting the disks to a 64K blocksize. For more information on blocksizes, see “Disk Partition Alignment Best Practices for SQL Server”

· Ratio of Reads to Write which you can get from “\LogicalDisk(*)\Disk Reads/sec” and “\LogicalDisk(*)\Disk Writes/sec”. SAN cache can typically be adjusted for a read/write ratio and this information helps to adjust that setting. For example, BizTalk database LUNs for the MsgBoxDb is about 50% reads and 50% writes while the DTADb is about 99% writes and 1% reads.

· What is using the disks which you can get using Process Monitor (a Mark Russinovich SysInternals tool owned by Microsoft), Microsoft xPerf (part of the Windows Server 2008 Performance Toolkit), or from Resource Monitor which is part of Windows 7. This helps determine if the server is really using the disks or if anti-virus or backup software is really killing them unnecessarily. In any case, it’s important to know if the I/O is mission critical versus routine or unnecessary I/O. See my earlier blog post, “The Case of the Relentless Cookie Monster”, for more information on how to use the Process Monitor tool for disk analysis.

Once you have the information above and present it to the SAN administrators, they should be able to configure the SAN to meet these needs.

Conclusion

SANs are critical assets to disk management, but it seems that many disks presented to mission critical systems just can’t perform when the SAN is over saturated or not optimized for the kind of I/O the server needs. SAN administrators don’t instinctively know what the needs of your system are, so provide them with the information they need using the counter metrics mentioned above. I hope this helps to remove the veil of the mysterious black box.

Thanks again to Shane Creamer who originally taught me the disk analysis basics.

Windows 7 and Disk Analysis

Oh, and by the way, Windows 7 and Windows Server 2008 R2 have an incredible performance tool called the Resource Monitor. Just go to Task Manager and click the Resource Monitor button. Click the Disk tab and you will see the processes most active with disk I/O and their average response times to each file they are using. Imagine a SQL Server showing average response times to specific MDF and LDF files. This was a feature I asked for and Microsoft listened.

The Case of the 2 Million Context Switches 28 October 09 09:26 PM | clinth@microsoft.com | 0 Comments

This week I was in Denver, CO handling a high CPU performance issue with Microsoft BizTalk Server 2006 R2. The customer was seeing very high CPU utilization even when BizTalk doesn’t have any real work do to, so this was a bit of a mystery and a challenge. I like challenges. ;-)

Symptoms: High processor utilization over 90% across all 8 processors.

Relevant Configuration

Microsoft Windows Server 2003 (x64)
Microsoft BizTalk Server 2006 R2 (x64)
2xQuad Core (8 processors) AMD Opteron

First, I verified that the server is in fact using a high amount of CPU by taking performance counter logs of the servers. Sure enough the BizTalk Servers were having high CPU consumption.

The black block is just removing the server names to protect privacy.

By the way, it’s worth mentioning that the above chart was created using the upcoming release of Performance Analysis of Logs (PAL) v2.0 tool. I’ve been working on it nearly every night for the past year. Look for it to be released soon at Microsoft’s open source web site at http://pal.codeplex.com. Got a performance issue, PAL it!

The next step to diagnosing high processor conditions is to determine the ratio of privileged mode to user more CPU. Threads executing on processor can only be in one of these modes and this is the fork in the road that determines our next step in troubleshooting. The counter “\Processor(?)\% Processor Time” is the sum of “\Processor(?)\% Privileged Time” (also known as kernel time) and “\Processor(?)\% User Time” where the question mark (?) indicates the same counter instance such as _Total and 0.

Using PAL v1.0 (PAL v2.0 doesn’t have % Privileged Time analysis functional yet) to generate chart and alerts on the counters, it showed that the % Privileged Time counter is taking up roughly 40% of the total CPU. Under normal conditions, privileged time shouldn’t be higher than 10% of total CPU, so this is a very high amount of time being spent in the kernel.

A high amount of kernel mode time typically indicates a high amount if I/O such as network, disk, memory, threads and/or hardware drivers.

PAL did not alert on any disk or network I/O, but it did light up like a Christmas tree on “\System\Context Switches/sec”!

Again, the black box in the image above is removing the server name to protect privacy.

A normal amount of Context Switches/sec is about 1,000 or less. Today’s processors are able to handle high amounts of context switches per second and the chart above (done with PAL v2.0 I’m proud to say) shows over 2 million context switches/sec. This is a testament to my previous statement. In my entire career, I have never seen Context Switches/sec go above 100,000, so this is the most extreme case I have ever seen. So… as they say in Mythbusters… “Now, there’s your problem!”.

According to Performance Monitor, “Context switches occur when a running thread voluntarily relinquishes the processor, is preempted by a higher priority ready thread, or switches between user-mode and privileged (kernel) mode to use an Executive or subsystem service.”

Since I/O is a common reason for threads to context switch into kernel mode, I decided to get a Process Monitor (a SysInternals tool owned by Microsoft) trace on the server. It revealed that the BTSNTSVC64.exe process is reading from the BTSNTSVC64.exe file extremely often. Here is the view of Process Monitor showing the high disk I/O on BTSNTSVC64.exe.

Processor utilization in the BizTalk processes (BTSNTSVC64.exe) correlates with the high CPU and disk and overall these processes are the processes taking up the most CPU on the server.

Multi-threaded applications like BizTalk Server can use up to 100% times the number of processor on the server, so since this server has 8 processors any one process could potentially take up to 800% CPU. This is why we see “\Process(BTSNTSvc64)\% Processor Time” consuming 207% CPU.

At this point, we have proof that BizTalk Server processes are consuming the most CPU and most of that CPU consumption is in privileged mode (kernel mode) CPU. The processes are hitting the BTSNTSvc.exe file extremely often, and the most likely process doing all of the context switches/sec.

What do we do now? The next logical step is to profile the process to determine what it is doing. There are many profilers out there and different techniques. The first we tried is not a dedicated profiler, but works on native (non-.NET code). We tried Process Explorer (a SysInternals tool owned by Microsoft). It showed the BizTalk processes as consuming high CPU. A nice feature is to go to properties on the process and click the Threads tab.

If you have the Debugging Tools for Windows installed, then you will see the threads and the functions that each of the threads are currently working on. In this case, we see all of the threads on Base ThreadStart indicating that there is seems to be a lot of thread creation or the call stack is not correct.

I mentioned the high CPU symptoms to my BizTalk colleagues Todd Uhl and Brian Gregor. Both of them pointed me to the article below. Thanks again, guys!

FIX: A CPU usage spike occurs on all the BizTalk hosts after you install security bulletin MS07-040 on a server that is running Microsoft BizTalk Server 2006 or Microsoft BizTalk Server 2006 R2
http://support.microsoft.com/?id=943165

After applying this hotfix (943165) on the servers, CPU utilization on the BizTalk servers dramatically came down to about less then 5% compare to nearly 100% CPU consumption. Therefore, this hotfix was the *big fix* and it sounds like it should be applied to ever x64 BizTalk Server 2006 R2 server especially if you are seeing unnaturally high CPU consumption. With that out of the way, we still had one BizTalk server still using up 25% CPU across all 8 processors, so we focused our attention to it next.

We tried running the stand alone Visual Studio Profiler tool to sample the BizTalk process. Unfortunately, we were not able to get it working due to a conflict with a third-party profiler already installed on the server. :-(

Take a look at one my of older blog postings where I profiled IIS and check out my HowTo article on how to use this tool in a production environment.

Finally, the old hammer way which is still useful is to get full process dumps of the high CPU process. You do this by installing the Debugging Tools for Windows (safe to install on production servers) and using the ADPlus tool to create hang dumps. Each dump takes an image of the process and dumps all of it’s memory to disk in a DMP file. This procedure is similar to taking a picture of someone doing work, then assuming that is what they are doing with all of their time. This is why profilers are better because profilers sample the threads periodically similar to having a video camera on the person doing work versus taking pictures here and there.

We took about 5 process dumps of the BizTalk process by opening a command prompt, changing directory to the installation directory of the Debugging Tools for Windows, then running the following command:

CScript ADPlus.vbs –hang –p 6444 –o C:\DebugOutput

This pauses the process and writes all of it’s memory to disk in a DMP file under the directory specified by the “-o” parameter. 6444 is the process ID of the BizTalk process. This typically takes less than 30 seconds to dump the process out and the process is resumed where it left off like nothing happened.

We took about 5 process dumps about 30 seconds a part from each other. The idea is to compare the dumps to get an idea of what the threads are doing when at high CPU. Ideally, we want to see the same call stack many times to establish what the threads are likely doing. For example, if you took a picture of someone jumping, then you wouldn’t want to assume that they are suspended in mid-air all day.

By the way, I’m proud to say that I am good friends with the original author of ADPlus.vbs, Robert Hensing.

The procedure of taking full user dumps to diagnose proved to be very useful because the call stacks on the active threads (threads doing real work) was identical in every dump. We analyzed them by using them up in WinDBG which is part of the Debugging Tools for Windows.

In WinDBG, we set our symbol path to point to Microsoft’s public symbol server using the following path:
SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

Next, we opened up each DMP file and executed the “!runaway” command (without the double quotes) which shows us which threads have consumed the most CPU over the life of the process.

The following output is similar to what we found.
0:000> !runaway
User Mode Time
Thread       Time
57:1418      0 days 16:35:51.812
56:1410      0 days 3:15:13.171
69:14b0      0 days 0:01:32.546
68:14ac      0 days 0:01:21.984
44:f3c       0 days 0:01:12.406
42:3b4       0 days 0:01:06.562
70:14b4      0 days 0:01:02.781
49:135c      0 days 0:00:59.953
10:11f8      0 days 0:00:53.734
   6:f88       0 days 0:00:52.015
   5:1e4       0 days 0:00:51.500

This shows that thread 57 and 56 are the threads that have consumed the most CPU.

To change to the thread we type in “57s”. This is similar to changing into a directory at the command prompt. After that we typed in “kb” which shows us the call stack of the thread. In this case, the call stack we found looked something like this (modified for simplicity and privacy):

Custom.Method1
Custom.Method3
Custom.Method2
Custom.Method1
Custom.Method3
Custom.Method2
Custom.Method1
BTS.Streaming.MarkableForwardOnlyEventingReadStream.ReadInternal
BTS.Streaming.EventingReadStream.Read
BTS.Component.XmlDasmComp.HasData

In this call stack, we see a repeating pattern of Method1 calling Method2, Method2 calling Method3, and Method3 calling Method1. I am certainly not a very good BizTalk developer, but there is a repeating pattern here. At this point, we discussed our findings with the customer’s BizTalk developers and with luck try to optimize it.

Conclusion

The BizTalk hotfix 943165 had the most significant impact on the CPU consumption on the BizTalk Server and was the big fix in this case. With that said, most high CPU problems require digging into call stacks to identify what the threads are doing most of the time. There are quite a few third party profilers out there that make this process relatively painless, but be careful about using them in production environments and stick to sampling based profilers if you can. They provide better results in production environments.

Lesson Learned

If you are running the x64 version of Microsoft BizTalk Server 2006 R2, then you need this hotfix (943165).

I hope this posting is helpful with showing you how to look at call stacks using WinDBG and remember… all performance problems can be solved, but like city traffic, it just takes time and effort.

Filed under: Windows performance analysis, processor, Context Switches/sec

The Case of the Add-on Crashers 03 September 09 09:37 PM | clinth@microsoft.com | 2 Comments

While on "vacation" in Ohio last month, a good friend of mine called me up saying that Internet Explorer is crashing and unusable, so I asked him to bring his computer over for a look.

The Problem/Symptoms

First, I wanted to confirm what he was saying, so I opened up Internet Explorer. Sure enough, it crashed immediately – meaning the process had a fatal, second chance exception and it crashed the process.

Relevant Technical Details

Operating System: Windows XP Home Edition 32-bit
Application(s): Microsoft Internet Explorer 8

Troubleshooting

Internet Explorer has the ability to load third party “add-on'” to it to enhance your experience while browsing with things such as a search engine toolbars like Bing, client-side code execution engines like Java, or specialized button toolbars like Windows Live. Since the core code of Internet Explorer is relatively stable, I suspected Internet Explorer (IE) Add-ons as the cause of the crash.

To prove or disprove IE Add-ons, I navigated through the Programs menu until I came across an icon named Internet Explorer (no add-ons). This time it opened up without crashing proving one of the Add-ons is causing the crash.

To fix this, I edited the Internet Explorer options through the Control Panel and navigated to the Internet Options icon. This brought up the Internet Properties of Internet Explorer.

On this dialog box, I clicked the Manage add-ons button which brought up another menu showing me all of the add-ons that are installed. At this point, it was just a matter of trial and error. I disabled each one at a time and tried to open IE. Once it finally worked without crashing, I knew which one it was. In this case, it was caused by an anti-virus search add-on.

Another way to troubleshoot this would be to get a crash dump of the process. This can be done through tools like Microsoft WinDBG or ADPLus from the Microsoft Debugging Tools for Windows a free download from Microsoft.com or the DebugDiag tool which is also a free download from Microsoft.com. Once a dump file (*.dmp) file was captured from the crashing application, it would just be a matter of walking the stack to see the faulting stack.

In conclusion, if Internet Explorer seems slow, hangs, or crashes, then it’s most likely due to a third party add-on that you installed.

I hope this helps.

The Case of the Enormous Page File 03 September 09 11:57 PM | clinth@microsoft.com | 0 Comments

Introduction

It seems like every time I deliver the Vital Signs workshop (a Windows architecture course focused on performance analysis patterns) lately, we always have a great discussion about proper sizing of the page file. There is a lot of bad information floating around on the internet about how to size the page file on servers with large amounts of RAM, so this seemed like a great topic to talk about in my blog.

First of all, don’t take my word on this subject – go to the source – David Solomon. David Solomon is one of the people closest to the Windows source code and he specializes in operating systems. In addition he and Mark Russinovich are the authors of the Windows Internals book 5th edition which just released last month which many of us consider to be *the* book on Windows architecture. This edition of the book is focused on Windows Server 2008/Vista and Windows 7.

David Solomon has a very good webcast on Troubleshooting Windows Memory. It’s a 90 minute webcast, but it took me 8 hours to go through it because I had to pause every few seconds and think about what he just said. ;-) This was a very enlightening experience for me because it really brought everything together for me. One of the topics he discusses is proper sizing of the page file. I will try to summarize his teaching in this blog entry and supplement it with a real case.

In addition, Mark Russinovich has a great post on Pushing the Limits of Windows: Virtual Memory which goes deep into the relationship of virtual and physical memory.

Memory States

Memory can be in one of three states: Free, Reserved, or Committed. Free memory is memory that is free for reuse by the operating system. Reserved memory is memory that an application intends on using, but is not using it yet – similar to reserving a table at a restaurant. Committed memory is memory that has data in it and is being used similar to sitting at the table you reserved earlier.

Reserved and Committed Memory

Let’s say you reserved a table for 10 at your favorite restaurant for tomorrow night. Do you think that the restaurant will cordon off the table until your get there? Of course not. They will allow their customers who are there right now to use that table until your party actually arrives.

The memory manager in Windows works the same way with reserved memory where it will not actually allocate any real memory until an application actually needs it. When memory is actually being used (Committed memory) the operating system must do something with that memory, therefore it will either put it in RAM or on the page file.

What is in the Page File?

The page file only contains data that cannot be found elsewhere on disk. For example, if I open up Notepad and do nothing else, the memory being used by Notepad will never be paged to the page file because the EXE and DLL’s needed to load Notepad can be retrieved from the disk at anytime. If you typed the sentence, “The quick brown fox jumps over the lazy dog.” into Notepad, then that text is in RAM right now, but could eventually be paged to the page file because it cannot be found anywhere on the disk. This is why you will never see EXE’s or DLL’s in the page file – only data that cannot be found elsewhere on disk could be put in the page file.

The Commit Limit

The Commit Limit of your computer is the total amount of RAM and the size of all of the page files on the system. In the case of my laptop, I have 4GBs of RAM and a 4GB page file giving my system a Commit Limit of 8GBs. This means that my laptop can handle up to 8GBs of committed memory.

The Commit Charge or Committed Bytes is the total amount of memory used/committed by the operating system and all processes running on the computer.

Shown here in my Windows 7 x64 Task Manager. Highlighted in red is my laptop’s Commit Charge (2074MBs) and it’s Commit Limit (8058MBs). Since the amount of RAM on my system is 4GBs, my system can handle the 2GBs of committed memory with no problem even without a page file.

If the amount of Commit Charge (also known as Committed Bytes) is more than the amount of physical RAM on the computer, then some of that memory has to be in the page file and frequent hard page faults to the page file can cause the system to be slow. The page file is really just an extension of physical RAM allowing the system to handle more committed memory if needed, but just *much* slower than RAM.

Running with No Page File

A common question is, “Can I run my server without a page file and will I gain a performance boost?”. Yes, you can run a server without a page file. Windows has supported the ability to not have a page file for a very long time. Since the operating system only pages out memory that is hasn’t been accessed in a long time, the performance impact should be minimal unless the Commit Charge is greater than the amount of RAM on the system. If the Commit Charge is less than the amount of RAM on the system, then the only performance gain that you *might* get is snappier responses from applications or services that have been idle for a long time and even then it might trivial.

Without going into too much detail about working set trimming, the operating system will page out “old” memory used by idle processes - “old” meaning the pages of memory that haven’t been used/accessed the longest. For example, if you opened up a large Word document and you are now on page 100, then page 1 has likely been removed from RAM (paged out). If you have not modified page 1, then page 1 would not go to the page file because the operating system can always just read the document file off of the disk if it needs to. This will cause a hard page fault, but not against the page file. See my blog post on, “The Case of the Phantom Hard Page Faults”. This behavior will happen regardless of the amount of RAM on the server because the operating system is optimizing the server’s RAM for memory pages that are frequently used.

If you run with no page file, then your Commit Limit (RAM + page file size) is now equal to the amount of RAM on your server. In this case, all it means is that your server cannot exceed a Commit Charge greater than the amount of RAM your server has installed. If the Commit Limit is reached on the system, then the system will be out of memory and will likely hang for long periods of time until the committed memory is released. This can sometimes be as easy as killing the process that has the most committed memory measured by the “\Process(*)\Private Bytes” counter in Performance Monitor.

The Problem/Symptoms

Okay, so now that we have the technical stuff out of the way, let’s put this into a real world case.

Last month, one of my customers had a 64-bit (x64) Windows Server 2003 Server with 32GBs of RAM. They went with the standard page file size of 1.5 times the size of RAM for their page file which gave them a 48GB page file which gave them a Commit Limit (RAM + page file size) of 80GBs! In addition, the page file was taking up an enormous amount of disk space.

Troubleshooting

I fired up Task Manager to see how much Committed memory (Commit Charge) is being used by the system and it was only using about 2GBs. In Task Manager on Windows Server 2003, the Commit Charge is shown as PF Usage which is not the proper name for it. PF Usage should read as “Committed Memory”, but at least it reads as just “Memory” now in Windows 7.

Anyway, the customer’s server was only using 2GBs (Commit Charge) out of 80GBs (Commit Limit) at peak. On Windows Server 2003’s Task Manager there is a Committed Memory Peak value which shows you how much committed memory the system used at peak from the time the server was booted up until now. If the peak ever gets close to the Commit Limit, then you need to increase the size of the page file or identify and kill the leaking (memory hog) process. In any case, my customer’s server was barely using the RAM on the server let alone needing to use the page file.

The Solution

Since the Commit Charge Peak was only at 2GBs and since the amount of RAM on the server was at 32GBs, the customer could run the server without a page file and not have any problems. In fact, they could remove some of the RAM modules from the server and save electricity costs. Ultimately, the customer stuck with the 1.5 times RAM setting just in case. This is a waste of disk space, but is a very safe choice.

With all of that said, we (Microsoft) still *generally* recommends a page file that is at least greater than the amount of RAM installed + 1MB (for the header). This is because by default Windows Servers are set to “Complete Memory Dump” which means to dump all of the physical memory and the page file to a memory.dmp file when a kernel dump (blue screen) occurs. Since a page file will be enormous based on this settings requirements, you can certainly choose a smaller kernel dump setting such as “Kernel memory dump” or “Small memory dump (64K)”. The smaller dump sizes still contain valuable data at a more reasonable disk space cost.

According to the “Windows Internals 4th edition” book, “The disadvantage of minidumps is that to analyze them, you must have access to the exact images used on the system that generated the dump at the time you analyze the dump”. This would certainly be difficult for a Microsoft Support Professional to assist you unless they are physical onsite with you. For a full explanation of these settings and their impact on the system, read the “Crash Dump Analysis” chapter in the Windows Internals book.

In a nutshell, use the smaller “Kernel memory dump” or “Small memory dump” settings if your server does not have a history of crashes (blue screens).

Sizing of the Page File

The reason page files have been difficult to size is because to truly size them properly, the server must be put into production and the Commit Charge peak must be closely monitored. Once you have a baseline of what the system’s commit charge peak is, then you simply need to make the Commit Limit larger than it with a bit of room to grow. Ironically, IT professionals need to set the page file to something *before* going into production, so this is a bit of the chicken and the egg problem. Since we have no idea of how much committed memory your server will use, it made sense to use a 1.5 times RAM as a *very general* guideline.

The Checklist

To *properly* size your server’s page file, follow this checklist:

Kernel Memory Dump Setting: First check your kernel dump setting to see if your server is set to “Complete Memory Dump” (default setting on Windows Servers). If so, your page file must be greater than RAM plus 1MB. This kind of memory dump is extremely large and sometimes wasteful, so consider a smaller memory dump size unless your server has a history of kernel crashes (blue screens). Changing this setting will allow you to set the page file size to a size smaller than the amount of RAM installed which can free up some disk space.
Monitor the Commit Charge Peak: Monitor your server’s Commit Charge peak to determine how much committed memory the system is using at peak. This can be monitored from the Performance tab in Task Manager or by monitoring the “\Memory\Committed Bytes” counter in Performance Monitor.
Adjust the Commit Limit: After monitoring the Commit Charge peak, set the system’s Commit Limit to be larger than the highest monitored Commit Charge peak plus a little extra for room to grow just in case. I recommend it to be at least 10% greater than the maximum observed Commit Charge peak. Remember, the Commit Limit is the total of RAM + the total size of all of the page files on the system, therefore you can adjust it by adding/removing RAM or changing the sizes of the page file(s). The Commit Limit on the server can be monitored either from the Performance tab in Task Manager or by monitoring the “\Memory\Commit Limit” counter in Performance monitor.

Tools Used in this Case

Task Manager: This tool is native to the Windows operating system and can be opened with the key combination of Ctrl+Shift+Esc.

Performance Monitor: This tool is native to the Windows operating system and can be opened by clicking, Start, Run, type “perfmon”, then Enter or click OK.

Process Explorer: While I didn’t use Process Explorer in this case, it is a great tool for monitoring server memory. Process Explorer is a free download from Microsoft Technet Windows SysInternals at http://technet.microsoft.com/en-us/sysinternals/default.aspx or you can run it direct from http://live.sysinterals.com/procexp.exe