
Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

.HDMP and .MDMP files

Just a quickie – the rule is blog what you know, but I figure my speculation might be good enough here.

A friend gave me an HDMP file and asked what I could make of it. After the usual “I could make a hat! Or a brooch! Or a dinosaur!” type stuff, I realized it wouldn’t open anyway.

In my experience, most .HDMPs come with matching .MDMP files. I think of these as Minidumps (in the “real” mini sense – just information about threads and thread stacks), and Heap dumps (everything else the process knew or cared about in User mode).

This HDMP wasn’t openable in the debugger directly, but if its corresponding MDMP was present in the same folder at the same time, I reckon it woulda.

The feared WER-wolf produces these files in pairs (that’s Windows Error Reporting, kids, don’t be too scared, except that it invalidates everything we used to know about AEDebug registry keys and similar, but that’s another story for another time), and that’s how I’ve analyzed them in the past. I remember hearing of some sort of merge operation that needed to happen between M and H dumps, but I’m reasonably certain I haven’t bothered with that (I assume I’m lazy by default), so I think the debugger just does it for ya.

Now I’ve written that, I’m going to go look for references to support my assertions!

949180    How to create a user-mode process dump file in Windows Server 2008
http://support.microsoft.com/default.aspx?scid=kb;EN-US;949180

(At the bottom – mini and heap dumps - yay me!). Think that’s enough for today. Hugs!

What does it mean when there's no "broken page" icon in IE8?

I was just catching up on some of my RSS feeds, and noticed that one of the pages I was at didn't have a broken page icon, but wasn't working quite right (some broken javascript in the photos area, I'm guessing... I'll investigate that next).


I wondered what that meant, so fired up Fiddler2 to have a look.

The Headers collection didn't include the compatibility header (X-UA-Compatible: IE=EmulateIE7 or similar):

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 77144
Via: 1.1 MYPROXY
Date: Wed, 10 Sep 2008 07:42:24 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Cache-Control: private

But the META tag was present (link):

<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en"
    "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head><meta http-equiv="X-UA-Compatible" content="IE=7" /><title>
    Spied: New Mazda3

So: the page is being told to render in IE7 Standards Mode (forced, as opposed to IE=EmulateIE7, which would behave as IE7 did). This makes the toggle compatibility mode button moot, because the site has chosen their mode explicitly.

Wonder if that's the problem... Time to investigate with the developer toolbar, I think...

(Update: nup, document mode didn't fix it - Script Debugging needed to be un-disabled in IE, and then the debugger showed me it was happening in motiongallery.js. I've lost interest now :) )

Game Season Approaches

After what seems like a drought of epic proportions, the holiday releases are gradually going to thump their way out. Yay!

What I'm looking forward to:

Fallout 3 - once again, the Australian OFLC needs an R rating for interactive entertainment. I watched the ABC's "Q&A" when the subject was brought up, and ended up furious that people could be so heavily, forcefully opinionated and ignorant at the same time. Makes me wonder whether it's worth watching on *any* subject, if everyone's just going to make stuff up, and then argue that (what they made up) is bad.

Saints Row 2 - I don't know about you, but while GTA IV was "good", I *seriously* fought the urge to skip the cutscenes. Every previous GTA game was entertaining in the cutscenes, and I actually looked forward to them. GTA IV - not at all. I'm hoping Saints Row is more of the over-the-top fun of Vice City or San Andreas; I really liked the original, despite its flaws (Invisible Car!).

Far Cry 2 - I read a developer interview on Gamasutra with the developer (Ubisoft Montreal; Crytek are doing Crysis these days) about how they were really shooting for "open world, open story" and might have a completely massive failure: I really hope they pull it off. I'll be playing it to find out.

Stalker: Clear Skies - I didn't actually finish Stalker, so I might go spend the next few weeks doing that. Loved it, early bugs and all.

Geometry Wars 2 - cheating, because I'm actually playing this already and it's great!

Battlefield: Bad Company - I thought that the earlier Battlefield version for the 360 was superior to the PC Battlefield 2 in many ways. (Controversially, I had the same impression of Xbox Operation Flashpoint vs PC Flashpoint - sometimes a game just *works* on a console). I just saw this is already out, so I'm there!

Too Human - Wasn't really interested, and I played the demo with some reluctance, but it was surprisingly engaging (I didn't think it'd grab me at all, but it did). The reviews haven't been stellar, but I enjoyed the 1GB's worth.

Force Unleashed - Possibly not for the reason you think - I want to see if there's an easter egg where I can get shot by Baltar (geddit!?)

Mesh Gush

Hi Everybody! I've been laying low for a while, in read-only mode, sorting, filtering, evaluating and generally catching up on stuff!

So, why break radio silence now? Well, I'm popping up to offer a quick endorsement for the Mesh platform, which was recently opened up to Australian testers.

I'm excited. I love it, and it's not even finished.

Right now, you could liken it to Foldershare plus Skydrive plus Remote Desktop, just with the out-of-the-box stuff in the preview.

But there's more to come, and the glimpse you get is absolutely compelling.

I love that I'm a mouse-over and click away from Remote Desktop to any of my machines.

I love that I can synchronize folders between any number of my devices, and have a copy kept online in my Live Desktop.

I love that it's a platform, and having seen some demos of what's possible from a programming perspective, I can't wait to get my SDK on!

At present, there are some To Be Implemented features, the odd glitch and so on (as you'd expect from a CTP), so feel free to ignore me for a while, I'll just say "told you so" later! :)

One tip I'll pass on: Quite a few people requested a versioning feature for files and folders in the Mesh forums (and note that right now, folders you share with other people are writable by them) - Windows Vista has this built in already, in the form of the Previous Versions feature that you can use to recover a document in a given folder - just get the Properties, and then check the Previous Versions tab for the folder (or document).

Go get a Mesh!

That Memory Leak Revisited

While searching for memory leak troubleshooting techniques that could be applied to 64-bit Windows (for the DHCP Server memory leak I found I had the other day), I stumbled across the answer to my problem in an internal tool (weird that I missed it from a web search the first time, but c'est la vie).

A Windows Server 2008-based DHCP server that is configured in a workgroup environment may consume too much memory

http://support.microsoft.com/default.aspx/kb/949530

 

And that's my problem! One REG command (and one restart of the DHCPServer service) later, I'm waiting to see how it went, but it all looks promising, based on that article. Neat-o.

Windows Server 2008 Diagnostics Off The Cuff

A word of caution to those of you that like endings: this isn't over yet.

I'm running a rather sad and noisy X64 desktop as a server at home. Once a proud warrior, actually, no, wait, it was never any good. It's just a Virtual Server host (it's not quite Hyper-V capable; next one will be). SBS 2003, an IIS and an ISA Server all exist(ed) happily in there at one point. (Did I mention I virtualized my work desktop machine the other day? So liberating!)

I blatted Windows Server 2008 onto it at RTM, and it's been happily puttering along doing the RRAS internet access and Virtual Server thing for me ever since.

Until Recently

But I've had to reset it from unresponsive-no-mouse-no-capslock situations on about four occasions over the last two weeks, and as the problem wasn't getting any better, I figured I'd take a look at what I could do to try to diagnose it.

My guess was that I had a kernel-mode memory leak (a user mode memory leak shouldn't ever trash the box to that extent), but it didn't seem to correspond with any driver upgrades or software installations... something else had changed, sometime.

Perfmon (the new, shiny version) or more specifically the Reliability Monitor confirmed my suspicions:


(happy, everything-used-to-be-so-nice side on the left, then the gradual decline due to Disruptive Shutdowns towards the right). Note the quite-regular interval of red things on the bottom row. (Does it happen more when I'm at home, he wondered?)

Preparation:

As I had a theory in mind, I thought I'd create a Perfmon BLG (log file with lots of counters in it; lots of people seem to like CSV, but BLG is faster, and I'm never going to be opening it in Excel anyway).

How to do that? Things have changed: now, I create a "Data Collector Set", it seems. Oh yeah, reading manuals and/or following basic instruction: not my thing.

I created a new one based on the System Performance collector set, which matches my needs nicely because it contains all the Process counters and Memory counters. Between that lot, I should easily be able to spot a memory leak.

Started the collector set, and made a mental note to check in tonight.

Tonight:

After a little fiddling, I worked out that the animated "Data Collection In Progress" screen wasn't generating a report, and that I'd have to stop the data collector set to view it. Right on!

So, one stopped data collector set later, the Reports view is what I'm interested in.


Remember your training - you're interested in patterns that have slopes or steps. One counter leapt out at me, which I moused over and found was....

Process (_Total) Pool Nonpaged Bytes

So, yep, there's a memory leak, and it's in one or more of the objects tracked by Process counters. So let's add the Pool NonPaged Bytes counters for <All Instances> (so I can see all the processes).


So add them all, and there's a counter that matches the slope, but at a different scale. Click it in the display to select it, and it's SVCHOST#10. Hide all the other counters I've just added (multi select, right click, hide all), and then right-click it and choose Scale Selected Counter.

Whop! Matches the curve almost exactly.


So, now I know it's a service host, but I don't know which one (they all look alike to me). I assume it's probably still running, too. How do I find that out now?

Easy: Add the "ID Process" counter for svchost#10 (#9 pictured, artistic license)


And then click the counter in the list to see the value it has (the plotted line is flat across the graph, meaning it didn't change at any point). I get PID 1348.


TASKLIST /SVC tells me everything I need to know (well, not everything obviously, but enough to take corrective action).


Yep - it's the DHCP Server instance of SVCHost that's apparently leaking NPP, a kernel resource.
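The slope-matching done by eye above can also be scripted once the log is in text form. This is an added example, not part of the original post: it assumes the BLG was converted with `relog <log>.blg -f CSV -o <out>.csv`, and the sample data, the host name SRV and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample in the layout of a perfmon log exported to CSV.
# Host name SRV, timestamps and byte values are made up for illustration.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (AUS Eastern Standard Time)(-600)","\\SRV\Process(_Total)\Pool Nonpaged Bytes","\\SRV\Process(svchost#9)\Pool Nonpaged Bytes","\\SRV\Process(svchost#9)\ID Process","\\SRV\Process(svchost#10)\Pool Nonpaged Bytes","\\SRV\Process(svchost#10)\ID Process","\\SRV\Process(lsass)\Pool Nonpaged Bytes","\\SRV\Process(lsass)\ID Process"
"09/10/2008 09:00:00.000","26400000","500000","1100","5000000","1348","900000","620"
"09/10/2008 11:00:00.000","51415000","510000","1100","30000000","1348","905000","620"
"09/10/2008 13:00:00.000","76405000","505000","1100","55000000","1348","900000","620"
"09/10/2008 15:00:00.000","101422000"," ","1100","80000000","1348","910000","620"
"09/10/2008 17:00:00.000","126410000","508000","1100","105000000","1348","902000","620"
'''

# \\HOST\Process(instance)\Counter Name
COUNTER = re.compile(r'^\\\\[^\\]+\\Process\((?P<inst>[^)]+)\)\\(?P<name>.+)$')


def slope(values):
    """Least-squares slope, in bytes per sample interval."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den if den else 0.0


def load_process_counters(csv_text):
    """Return {instance: {counter name: [samples]}} for Process counters."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    header, data = rows[0], rows[1:]
    series = {}
    for col, title in enumerate(header):
        m = COUNTER.match(title)
        if not m:
            continue  # timestamp column, or a counter from another object
        samples = []
        for row in data:
            cell = row[col].strip() if col < len(row) else ""
            if cell:  # a missed sample is exported as a blank cell
                samples.append(float(cell))
        series.setdefault(m["inst"], {})[m["name"]] = samples
    return series


def rank_leak_suspects(csv_text, counter="Pool Nonpaged Bytes"):
    """Rank process instances by how much of the _Total slope they explain."""
    series = load_process_counters(csv_text)
    total_slope = slope(series["_Total"][counter])
    suspects = []
    for inst, counters in series.items():
        vals = counters.get(counter)
        if inst == "_Total" or not vals or len(vals) < 2:
            continue
        pids = counters.get("ID Process", [])
        suspects.append({
            "instance": inst,
            "pid": int(pids[-1]) if pids else None,  # feed this to TASKLIST /SVC
            "growth_bytes": int(vals[-1] - vals[0]),
            "share_of_total_slope": slope(vals) / total_slope if total_slope else 0.0,
        })
    return sorted(suspects, key=lambda s: s["share_of_total_slope"], reverse=True)


if __name__ == "__main__":
    for s in rank_leak_suspects(SAMPLE_CSV):
        print(s)
```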

Why!? And why now!?

The graph tells me the times at which this happened, but the Event Logs are very, very quiet around then. So I'll need to use tracing or logging or some other technique to actually track down the cause of the problem.

I right-clicked the SVCHOST instance with PID 1348 and chose Create Dump File (awesome feature, mentioned that before), for archival/root cause purposes - it may well not be possible to see the cause of the leak after the fact from a hangdump, but it's worth grabbing just in case - and then restarted the DHCP Server Service.

Taskman memory use dropped by about 100MB straight away. This is not a busy network, and NPP isn't typically used as cache by user mode programs (he giggled (in a manly way)). Something weird is going on there.

I restarted my performance logging, and I'll check in again tomorrow to see if there's any further indication of a memory leak (I haven't done anything to fix it, so I assume there will be). Now, time to look for logging and diagnostic options...

 

A word on Perfmon in Windows Vista and 2008: USE IT!

If you're doing any level of performance analysis of Perfmon logs, you need to try out the new, improved Perfmon in Vista. It runs rings around the old one. It's fantastic (at least by comparison). It's worth the cost of the upgrade alone. Seriously, if you do any sort of work with perfmon logs, try doing it on a Vista box and see whether your life is 1000% easier! I'm not saying it's perfect, but by comparison with the last version in XP/2003...

Vocabulary Corner: Analuze

Analuze: verb

1. A pointless analysis, as in "I'll analuze those logs if you really want me to, but the problem's not visible at that level"

2. A very difficult analysis: "You really, really want me to analuze that?"

3. A typo when trying to type "analyze", that often works anyway.

Oh, it's the 29th!

Which means I was going to go buy GTA IV today!

GTA: Vice City and GTA: San Andreas absolutely blew me away with the quality of the narrative and distinctive and unique open worlds. Best of all, guilty pleasures all in a consequence-free environment! I mean, I could jump buildings on a motorcycle! I can't do that in real life!

GTA IV, though, apparently got edited to appease the crazy "games are not for adults" censorship laws we have here in Oz.


I trust Rockstar to have produced the best story, characters and content possible, and while I'm sure it'll be great anyway, I'll have no idea what I'm missing out on.

And unfortunately if I buy a console version, I'm almost certainly not going to be able to mod it back to its original state later.

At least noises are being made about rescinding this sad, inexplicable state of affairs.

Might pick up a copy from Europe...

Generic Troubleshooting: "Is it still a problem?"

I've been doing this support thing for a while now.

Frequently, the basics are what get overlooked when troubleshooting an issue, particularly an issue that seems complex on the surface.

Often, though, you'll find that the detailed techniques lead you back to a fairly basic set of rules, the most basic of which is:

Everything's either a file issue, or a settings issue, or just how the software works (by bug or by design).

If something seems unlikely to be a file (corrupted or incorrect file) or settings issue, it could easily be a bug (that is, given the same conditions, you'll be able to reach the same outcome). But if you think you might have hit a bug, what's the most efficient way of addressing it?

Obviously, to find someone else has addressed it already!

So, the Temporal rule of Troubleshooting: try it with the most recent version available.

(this doesn't necessarily mean "try Word 2007 if 2003 doesn't work", I mean "within the same major version").

 

Today, for example, I was looking at a memory dump (which you usually tend to do at the pointy end of a troubleshooting process, and I'm not going to show working or why these two are relevant), and found these *cough* classics:

0:000> lmvmurlmon
    Loaded symbol image file: urlmon.dll
    Image path: C:\WINNT\system32\urlmon.dll
    Image name: urlmon.dll
    Timestamp:        Wed Aug 04 17:56:37 2004 (411096B5)
    File version:     6.0.2900.2180
    Product version:  6.0.2900.2180
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UrlMon.dll
    OriginalFilename: UrlMon.dll
    ProductVersion:   6.00.2900.2180
    FileVersion:      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription:  OLE32 Extensions for Win32
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


0:000> lmvmmsxml3
start    end        module name
    Loaded symbol image file: msxml3.dll
    Image path: C:\WINNT\system32\msxml3.dll
    Image name: msxml3.dll
    Timestamp:        Wed Aug 04 17:59:24 2004 (4110975C)
    CheckSum:         00138815
    ImageSize:        00130000
    File version:     8.50.2162.0
    Product version:  8.50.2162.0
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) MSXML 3.0 SP 5
    InternalName:     MSXML3.dll
    OriginalFilename: MSXML3.dll
    ProductVersion:   8.50.2162.0
    FileVersion:      8.50.2162.0
    FileDescription:  MSXML 3.0 SP 5
    LegalCopyright:   Copyright (C) Microsoft Corporation. 1981-2003

 

What does that tell me? Well, lots! Like: this particular machine isn't up to date on IE and XML security patches. Internet Explorer security patches are cumulative, so installing one tends to refresh the majority of the browser software (side bonus: this can also resolve file-level issues, like a corrupted or incorrect DLL).

From that, you can infer that it's probably not up to date on a bunch of stuff. We make it pretty easy to apply security updates these days, and if the security patches aren't up to date, chances are there are non-security patches missing too, and so on.

So: My standard response to any binary implicated in a reproducible problem is to look for and then apply the latest version available (from memory, urlmon was updated this month, and msxml3 sometime since mid-2007).
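The patch-level inference above can be automated across every module in a debugger log. This is an added example, not part of the original post: it parses `lmvm` output, decodes the hex link timestamp, and lists modules built longer ago than a chosen threshold; the function names, the `as_of` analysis date and the age threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Trimmed copy of the lmvm output quoted in the post.
LMVM_LOG = r"""
0:000> lmvmurlmon
    Image path: C:\WINNT\system32\urlmon.dll
    Image name: urlmon.dll
    Timestamp:        Wed Aug 04 17:56:37 2004 (411096B5)
    File version:     6.0.2900.2180
0:000> lmvmmsxml3
    Image path: C:\WINNT\system32\msxml3.dll
    Image name: msxml3.dll
    Timestamp:        Wed Aug 04 17:59:24 2004 (4110975C)
    File version:     8.50.2162.0
"""

FIELD = re.compile(r"^\s*(Image name|Timestamp|File version):\s*(.+?)\s*$")
HEX_STAMP = re.compile(r"\(([0-9A-Fa-f]{8})\)")


def parse_lmvm(log_text):
    """Return one record per module: name, link time in UTC, version tuple."""
    modules, current = [], None
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Image name":
            current = {"name": value.lower()}
            modules.append(current)
        elif current is None:
            continue  # field seen before any module header
        elif key == "Timestamp":
            # The hex value is the PE header TimeDateStamp (seconds since the
            # Unix epoch). The printed date is rendered in a local time zone,
            # here 10 hours ahead of UTC, so decode the hex instead.
            stamp = HEX_STAMP.search(value)
            if stamp:
                current["linked_utc"] = datetime.fromtimestamp(
                    int(stamp.group(1), 16), tz=timezone.utc)
        elif key == "File version":
            current["version"] = tuple(int(p) for p in value.split("."))
    return modules


def stale_modules(modules, as_of, max_age_days):
    """List (name, age in days) for modules linked more than max_age_days ago.

    The link timestamp is the build date, not the install date, and on newer
    Windows builds the field may hold a build hash rather than a date, so
    treat the result as a prompt to check for updates, not as proof.
    """
    stale = []
    for mod in modules:
        linked = mod.get("linked_utc")
        if linked is not None and (as_of - linked).days > max_age_days:
            stale.append((mod["name"], (as_of - linked).days))
    return stale


if __name__ == "__main__":
    # Assumed analysis date, for illustration only.
    as_of = datetime(2008, 4, 1, tzinfo=timezone.utc)
    for name, age in stale_modules(parse_lmvm(LMVM_LOG), as_of, 365):
        print(f"{name}: linked {age} days before analysis date")
```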

Once we've applied the latest updates, we'll know whether we actually have more work to do, or whether we're just covering old ground.

So, short version: Try the latest version first.

See the big potential time saving there?

Can Bluetooth Shut My Phone Up?

I love my Touch Dual, but I'm one of those people that constantly forgets to shut it up when I'm at my desk. (This is a plea for help, rather than an apology to my coworkers, who deserve everything they get.)

But anyway: my utopian vision is that of having a USB Bluetooth dongle in my work monitor, that I can allow to set my phone to vibration- or silent-only mode.

When I wander away, it'd switch back to "normal".

 

I couldn't find such a thing from a web search (a mention of a Norwegian company back in 2001 that built something to turn them off in airports).

I imagine it'd have to be key-based to prevent abuse, but it sounds do-able... am I just not finding it because it's a bad idea?

It's A Saving, not A Savings!

Yes Atwood, it was you that drove me to this.

"This power savings is achieved by dropping the CPU multiplier..."

Gish! So I did a little digging to see whether I was alone in having the (vast unkempt) tufts of hair on my (manly) back try to punch their way through my shirt:

http://www.thefreedictionary.com/saving

b. savings (used with a sing. verb) Usage Problem An amount of money saved: a rebate that yielded a savings of $50.

...In the United States the plural form a savings is widely used with a singular verb (as in A savings of $50 is most welcome); nonetheless, 57 percent of the Usage Panel find it unacceptable

Not alone! This sounds like pure marketingspeak that happened to catch on. Using the plural makes it sound(s!) like you're getting(s!) two (or more!) of something(s!).

Sure, usage is possession and all that, but really, it's distasteful(s)!

The Cat's Out Of The Bag: ISA Server will become Forefront TMG

So, we all know that ISA 2006 doesn't work on Windows Server 2008. Massive architectural changes to the IP stack, blah blah, etc, etc.

People (uh, yeah, just "people") have been asking about what's to become of ISA Server for a while:

"There's no ISA 2008 announced!" they'd scream.

"This surely means the end of one of the best product lines Microsoft has produced!" might have also been heard (in a somewhat muffled way).

"Won't Tristan be out of a job?" one person wailed, unconvincingly.

Well, that's right - the plan at this point is that there is no ISA Server 2008.

(pause for effect, teeth-gnashing, gasping, horror to subside)

As of the next version, Internet Security and Acceleration Server is Forefront Threat Management Gateway!

(Now you're going to tell me that ISA was a perfectly good name and not at all unwieldy...)

See our well-formed Press Release for details!

Microsoft also today announced the name of its next-generation network edge security product, Forefront Threat Management Gateway. Forefront Threat Management Gateway is the future version of Microsoft ISA Server and will extend the capabilities of ISA Server 2006 with new features and security technologies, designed to help provide multiple-threat protection, simplified management and secure connectivity, and will be built on Windows Server 2008. More details about Forefront Threat Management Gateway will be available later this year.

Excellent! So, key takeaway: we are working on a successor. The product isn't going away!

There's an early beta available from here, though it's downloading at a slow trickle for me right now (got excitement?).

So, go forth and, you know, Manage Threats! In the future!

(ooh!) Foldershare Revamped!

(This post brought to you by the number 3, and the letters WHY AM I NOT SLEEPING?) 

It's been a while - and suddenly: Pow! (and did I mention ooh?) A new Foldershare website! Has the feel of SkyDrive to it. And a big, prominent beta logo. Wonder if that hints that Foldershare might become the desktop client for Skydrive, at least in part? (previously, as I understand it, it was always client-to-client, no actual storage "in the cloud", so you couldn't get stuff unless at least one replica was switched on and logged in, but it's possibly a short hop from there to SkyDrive being seen as an always-on repository...) (Juuust idle speculation. I've heard, seen, and know nothing. (Just ask anyone that works with me.))

Ooh again! A new FolderShare Satellite too (with Activity right on the main popup menu, yay! That initial sync is as addictive as watching an old-skool DOS defrag).

That's about it. I see a few problem reports from the new beta in the comments on the Foldershare Blog , so if all is currently right with your file synchronization world, you might want to keep the old client install handy before upgrading.

Post-SP2 TCP Offload Fix

I've mentioned Chimney before. Now, a new Windows Update fix for TCP Offload, which turns it off.

It was on by default in Windows Server 2003 SP2, so if your NIC supported Offload, or RSS, or that other thing I can never remember, it was enabled.

But: we (PSS we) typically turn it off as a first troubleshooting step for any network-related issue -

a) because we know from experience that several drivers seem to do interesting things with it installed (that's a nice way of saying update your drivers),

b) because several of our drivers do interesting things with it (if you're going to choose to use it, check for recent-model tcpip.sys hotfixes), and

c) because we want to be able to see TCP traffic in a network capture for troubleshooting purposes.

 

Off-unless-opted-in brings parity with Windows Server 2008.

IIS7 Modules Aplenty - WebDAV, Bitrate Throttling

New modules, supported by Microsoft, are now officially RTMd (RTWd?) and available for use with IIS 7.0.

WebDAV

Yay new WebDAV! Yay being able to enable it on specific parts of a site! Yay better!

Robert: http://blogs.msdn.com/robert_mcmurray/archive/2008/03/12/webdav-extension-for-windows-server-2008-rtm-is-released.aspx

Downloads:

• Microsoft WebDAV Extension for IIS 7.0 (x86) http://www.iis.net/go/1621/
• Microsoft WebDAV Extension for IIS 7.0 (x64) http://www.iis.net/go/1618/

Media Bitrate Throttling

Yay something about bandwidth for media files!

Vishal: http://blogs.iis.net/vsood/archive/2008/03/15/bit-rate-throttling-is-now-released.aspx

Downloadies:

· 32 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640

· 64 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641

Intro:

The Internet Information Services 7.0 (IIS 7.0) Media Pack – Bit Rate Throttling module provides the ability to throttle progressive downloads of media files (in which audio/video playback starts as soon as sufficient data has been buffered on the client) based on the content bit rate. For sites that deliver audio and video files that may not be watched in their entirety, this module could significantly reduce your media-related bandwidth costs. A secondary feature of the Bit Rate Throttling Module is that it can also be used to throttle non-media ("Data") file types at specified bit rates.

Don't Forget The New FTP Server While You're At It

I already mentioned this, but I'll list it here as a one-stop convenience (aww, aren't I nice?)

Replaces FTP6 (that shipped in the box) with FTP7: FTP with SSL, virtual hostname support, extensibility, right-click-and-add-FTP-to-a-website publishing integration... loads of cool stuff.

  • Microsoft FTP Publishing Service for IIS 7.0 (x86)
  • Microsoft FTP Publishing Service for IIS 7.0 (x64)