Unit OS6: Device Management Unit OS6: Device Management

(1)

Unit OS6: Device Management Unit OS6: Device Management

6.3. 6.3. Windows I/O Processing Windows I/O Processing

(2)

Copyright Notice Copyright Notice

These materials are part of the

These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,

System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E.

developed by David A. Solomon and Mark E.

Russinovich with Andreas Polze Russinovich with Andreas Polze

Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)

environments (and not for commercial use)

(3)

Roadmap for Section 6.3 Roadmap for Section 6.3

Driver and Device Objects Driver and Device Objects

I/O Request Packets (IRP) Processing I/O Request Packets (IRP) Processing

Driver Layering and Filtering Driver Layering and Filtering

Plug-and-Play (PnP) and Power Manager Plug-and-Play (PnP) and Power Manager

Operation Operation

Monitoring I/O Activity with Filemon

(4)

Driver Object Driver Object

A driver object represents a loaded driver A driver object represents a loaded driver

Names are visible in the Object Manager Names are visible in the Object Manager

namespace under \Drivers namespace under \Drivers

A driver fills in its driver object with pointers to its I/O A driver fills in its driver object with pointers to its I/O

functions e.g. open, read, write functions e.g. open, read, write

When you get the “One or More Drivers Failed to When you get the “One or More Drivers Failed to

Start” message its because the Service Control Start” message its because the Service Control

Manager didn’t find one or more driver objects in the Manager didn’t find one or more driver objects in the

\Drivers directory for drivers that

\Drivers directory for drivers that should should have have started

started

(5)

Device Objects Device Objects

A device object represents an instance of a A device object represents an instance of a

device device

Device objects are linked in a list off the driver Device objects are linked in a list off the driver

object object

A driver creates device objects to represent the A driver creates device objects to represent the

interface to the logical device, so each generally has interface to the logical device, so each generally has

a unique name visible under \Devices a unique name visible under \Devices

Device objects point back at the Driver object

(6)

Driver and Device Objects Driver and Device Objects

\TCPIP

Driver Object \Device\TCP \Device\UDP \Device\IP

Dispatch Table Open

Write Read

Loaded Driver Image Open(…)

Read(…) Write(…)

TCP/IP Drivers Driver and Device Objects

(7)

File Objects File Objects

Represents open instance of a device (files on a volume are virtual Represents open instance of a device (files on a volume are virtual

devices) devices)

Applications and drivers “open” devices by name Applications and drivers “open” devices by name The name is parsed by the Object Manager

The name is parsed by the Object Manager

When an open succeeds the object manager creates a file object to When an open succeeds the object manager creates a file object to represent the open instance of the device and a file handle in the represent the open instance of the device and a file handle in the process handle table

process handle table

A file object links to the device object of the “device” which is opened A file object links to the device object of the “device” which is opened

File objects store additional information File objects store additional information

File offset for sequential access File offset for sequential access

File open characteristics (e.g. delete-on-close) File open characteristics (e.g. delete-on-close) File name

File name

Accesses granted for convenience Accesses granted for convenience

(8)

I/O Request Packets I/O Request Packets

System services and drivers allocate I/O request packets to describe I/O System services and drivers allocate I/O request packets to describe I/O A request packet contains:

A request packet contains:

File object at which I/O is directed File object at which I/O is directed

I/O characteristics (e.g. synchronous, non-buffered) I/O characteristics (e.g. synchronous, non-buffered) Byte offset

Byte offset Length Length

Buffer location Buffer location

The I/O Manager locates the driver to which to hand the IRP by following The I/O Manager locates the driver to which to hand the IRP by following the links:

the links:

File Object Device Object Driver Object

(9)

Putting it Together: Request Flow Putting it Together: Request Flow

Process

NtDeviceIoControlFile

Handle Table

File Object

Device Object

Driver Object

Dispatch Table

DispatchDeviceControl( DeviceObject, Irp )

User Mode Kernel Mode

IRP

DeviceIoControl

(10)

I/O Request Packet I/O Request Packet

Environment subsystem or

DLL

Services I/O manager

IRP header WRITE

parameters File

object

Device object

Driver object IRP stack

location

Dispatch

routine(s) Start I/O ISR DPC routine 1)An application writes

a file to the printer, passing a handle to the file object

2)The I/O manager creates an IRP and initializes first stack location

3)The I/O manager uses the driver object to locate the WRITE dispatch routine and calls it, passing the IRP

User mode Kernel mode

(11)

IRP data IRP data

IRP consists of two parts:

Fixed portion (header):

Type and size of the request Type and size of the request

Whether request is synchronous or asynchronous Whether request is synchronous or asynchronous Pointer to buffer for buffered I/O

Pointer to buffer for buffered I/O

State information (changes with progress of the request) State information (changes with progress of the request)

One or more stack locations:

Function code Function code

Function-specific parameters Function-specific parameters Pointer to caller‘s file object Pointer to caller‘s file object

While active, IRPs are stored in a thread-specific queue While active, IRPs are stored in a thread-specific queue

I/O system may free any outstanding IRPs if thread terminates I/O system may free any outstanding IRPs if thread terminates

(12)

I/O Processing – I/O Processing –

synch. I/O to a single-layered driver synch. I/O to a single-layered driver

1. 1.

The I/O request passes through a subsystem DLLThe I/O request passes through a subsystem DLL

2. 2.

The subsystem DLL calls the I/O manager‘s NtWriteFileThe subsystem DLL calls the I/O manager‘s NtWriteFile()() service service

3. 3.

I/O manager sends the request in form of an IRP to the driver (a device I/O manager sends the request in form of an IRP to the driver (a device driver)

driver)

4. 4.

The driver starts the I/O operationThe driver starts the I/O operation

5. 5.

When the device completes the operation and interrupts the CPU, the When the device completes the operation and interrupts the CPU, the device driver services the int.

device driver services the int.

6. 6.

The I/O manager completes the I/O requestThe I/O manager completes the I/O request

(13)

Completing an I/O request Completing an I/O request

Servicing an interrupt:

ISR schedules Deferred Procedure Call (

ISR schedules Deferred Procedure Call (DPCDPC); dismisses int.); dismisses int.

DPC routine starts next I/O request and completes interrupt servicingDPC routine starts next I/O request and completes interrupt servicing May call completion routine of higher-level driver

May call completion routine of higher-level driver

I/O completion:

Record the outcome of the operation in an I/O status block Record the outcome of the operation in an I/O status block Return data to the calling thread – by queuing a kernel-mode Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (

Asynchronous Procedure Call (APCAPC))

APCAPC executes in context of calling thread; copies data; frees IRP; executes in context of calling thread; copies data; frees IRP;

sets calling thread to signaled state sets calling thread to signaled state

I/O is now considered complete; waiting threads are released I/O is now considered complete; waiting threads are released

(14)

Flow of Interrupts Flow of Interrupts

Peripheral Device Controller

CPU Interrupt Controller

CPU Interrupt

Service Table 0 2 3

n

ISR Address Spin Lock

Dispatch Code

Interrupt Object

Read from device Acknowledge- Interrupt Request DPC

Driver ISR

Raise IRQL

Lower IRQL

KiInterruptDispatch

Grab Spinlock Drop Spinlock

(15)

Servicing an Interrupt:

Deferred Procedure Calls (DPCs) Deferred Procedure Calls (DPCs)

Used to defer processing from higher (device) interrupt level to a lower Used to defer processing from higher (device) interrupt level to a lower (dispatch) level

(dispatch) level

Also used for quantum end and timer expiration Also used for quantum end and timer expiration

Driver (usually ISR) queues request Driver (usually ISR) queues request

One queue per CPU. DPCs are normally queued to the current processor, but One queue per CPU. DPCs are normally queued to the current processor, but can be targeted to other CPUs

can be targeted to other CPUs

Executes specified procedure at dispatch IRQL (or “dispatch level”, also “DPC Executes specified procedure at dispatch IRQL (or “dispatch level”, also “DPC level”) when all higher-IRQL work (interrupts) completed

level”) when all higher-IRQL work (interrupts) completed Maximum times recommended: ISR: 10 usec, DPC: 25 usec Maximum times recommended: ISR: 10 usec, DPC: 25 usec

See See http://www.microsoft.com/whdc/driver/perform/mmdrv.mspxhttp://www.microsoft.com/whdc/driver/perform/mmdrv.mspx queue head DPC object DPC object DPC object

(16)

DPC

Delivering a DPC Delivering a DPC

DPC routines can call kernel functions but can‘t call system services, generate page faults, or create or wait on objects DPC routines can‘t

assume what process address space is currently mapped

Interrupt dispatch table high

Power failure

Dispatch/DPC APC

Low DPC

1. Timer expires, kernel queues DPC that will release all waiting threads Kernel requests SW int.

DPC DPC DPC queue

2. DPC interrupt occurs when IRQL drops below dispatch/DPC level

dispatcher 3. After DPC interrupt, control transfers to thread dispatcher

4. Dispatcher executes each DPC routine in DPC queue

(17)

I/O Completion:

Asynchronous Procedure Calls (APCs) Asynchronous Procedure Calls (APCs)

Execute code in context of a particular user thread Execute code in context of a particular user thread

APC routines can acquire resources (objects), incur page faults, APC routines can acquire resources (objects), incur page faults, call system services

call system services

APC queue is thread-specific APC queue is thread-specific User mode & kernel mode APCs User mode & kernel mode APCs

Permission required for user mode APCs Permission required for user mode APCs

Executive uses APCs to complete work in thread space Executive uses APCs to complete work in thread space

Wait for asynchronous I/O operation Wait for asynchronous I/O operation Emulate delivery of POSIX signals Emulate delivery of POSIX signals

Make threads suspend/terminate itself (env. subsystems) Make threads suspend/terminate itself (env. subsystems)

APCs are delivered when thread is in alertable wait state APCs are delivered when thread is in alertable wait state

WaitForMultipleObjectsEx(), SleepEx() WaitForMultipleObjectsEx(), SleepEx()

(18)

Asynchronous Procedure Calls Asynchronous Procedure Calls

(APCs) (APCs)

Special kernel APCs Special kernel APCs

Run in kernel mode, at IRQL 1 Run in kernel mode, at IRQL 1

Always deliverable unless thread is already at IRQL 1 or above Always deliverable unless thread is already at IRQL 1 or above Used for I/O completion reporting from “arbitrary thread context”

Used for I/O completion reporting from “arbitrary thread context”

Kernel-mode interface is linkable, but not documented Kernel-mode interface is linkable, but not documented

““Ordinary” kernel APCsOrdinary” kernel APCs

Always deliverable if at IRQL 0, unless explicitly disabled Always deliverable if at IRQL 0, unless explicitly disabled (disable with KeEnterCriticalRegion)

(disable with KeEnterCriticalRegion)

User mode APCs User mode APCs

Used for I/O completion callback routines (see ReadFileEx, WriteFileEx); also, Used for I/O completion callback routines (see ReadFileEx, WriteFileEx); also, QueueUserApc

QueueUserApc

Only deliverable when thread is in “alertable wait”

Thread Object

K U

APC objects

(19)

Driver Layering and Filtering Driver Layering and Filtering

To divide functionality across To divide functionality across

drivers, provide added value, etc.

Only the lowest layer talks to Only the lowest layer talks to the I/O hardware

the I/O hardware

“ “ Filter drivers” attach their Filter drivers” attach their devices to other devices devices to other devices

They see all requests first and They see all requests first and can manipulate them

can manipulate them Example filter drivers:

Example filter drivers:

File system filter driver File system filter driver Bus filter driver

Bus filter driver

Process Process

User Mode Kernel Mode

System Services System Services

I/O Manager I/O Manager File System

Driver File System

Driver

Volume Manager

Driver Volume Manager

Driver

Disk Driver Disk Driver

IRPIRP

(20)

Driver Filtering:

Volume Shadow Copy Volume Shadow Copy

New to XP/Server 2003 New to XP/Server 2003

Addresses the “backup open files” problem Addresses the “backup open files” problem Volumes can be “snapshotted”

Volumes can be “snapshotted”

Allows “hot backup” (including open files) Allows “hot backup” (including open files)

Applications can tie in with mechanism to ensure consistent snapshots Applications can tie in with mechanism to ensure consistent snapshots

Database servers flush transactions Database servers flush transactions

Windows components Windows components

such as the Registry such as the Registry

flush data files flush data files

Different snapshot providers Different snapshot providers

can implement different snapshot can implement different snapshot mechanisms:

mechanisms:

Copy-on-write Copy-on-write

Mirroring Mirroring

Volsnap is the built-in provider:

•Built into Windows XP/Server 2003

•Implements copy-on-write snapshots

•Saves volume changes in files on the volume

•Uses defrag API to determine where the file is and where paging file is to avoid tracking

(21)

Volume Shadow Copy Driver Volume Shadow

Copy Driver

(volsnap.sys) Mirror providerMirror provider Oracle

Oracle

SQLSQL Volume Shadow

Copy Service Volume Shadow

Copy Service

Backup Application

1. Backup application requests shadow copy 2. Writers told

to freeze activity

3. Providers asked to

create volume shadow copies

4. Writers told to resume (“thaw”) activity

Writers

5. Backup application saves data from volume Shadow copies

Volume Snapshots

(22)

Volsnap.sys Volsnap.sys

File System Driver

Volsnap.sys

a b c

a d b … c

Backup read of sector c

Snapshot

Backup Application Application

Shadow Volume

C:

Application read of sector c All reads of sector d

(23)

Shadow Copies of Shared Folders Shadow Copies of Shared Folders

When enabled, Server When enabled, Server

2003 uses shadow copy 2003 uses shadow copy

to periodically create to periodically create snapshots of volumes snapshots of volumes

Schedule and space used Schedule and space used

is configurable

(24)

Shadow Copies on Shared Folders Shadow Copies on Shared Folders

Shadow copies are only Shadow copies are only

exposed as network shares exposed as network shares

Clients may install an Clients may install an

Explorer extension that Explorer extension that

integrates with the file server integrates with the file server

and let’s them and let’s them

View the state of folders and View the state of folders and

files within a snapshot files within a snapshot

Rollback individual folders and Rollback individual folders and

files to a snapshot

(25)

The PnP Manager The PnP Manager

In NT 4.0 each device driver is responsible for In NT 4.0 each device driver is responsible for enumerating all supported busses in search of enumerating all supported busses in search of

devices they support devices they support

As of Windows 2000, the PnP Manager has bus As of Windows 2000, the PnP Manager has bus

drivers enumerate their busses and inform it of drivers enumerate their busses and inform it of

present devices present devices

If the device driver for a device not already If the device driver for a device not already

present on the system, the PnP Manager in the present on the system, the PnP Manager in the

kernel informs the user-mode PnP Manager to kernel informs the user-mode PnP Manager to

start the Hardware Wizard

(26)

The PnP Manager The PnP Manager

Once a device driver is located, Once a device driver is located, the PnP Manager determines if the PnP Manager determines if the driver is signed

the driver is signed If the driver If the driver

is not signed, the system’s driver is not signed, the system’s driver signing policy determines whether signing policy determines whether or not the driver is installed

or not the driver is installed

After loading a driver, the PnP Manager calls the driver’s AddDevice entry point After loading a driver, the PnP Manager calls the driver’s AddDevice entry point

The driver informs the PnP Manager of the device’s resource requirements The driver informs the PnP Manager of the device’s resource requirements The PnP Manager reconfigures other devices to accommodate the new device The PnP Manager reconfigures other devices to accommodate the new device

(27)

The PnP Manager The PnP Manager

Enumeration is recursive, and directed by bus drivers Enumeration is recursive, and directed by bus drivers

Bus drivers identify device on a bus Bus drivers identify device on a bus

As busses and devices are registered, a device tree is constructed, As busses and devices are registered, a device tree is constructed, and filled in with devices

and filled in with devices

ACPI PCI

Video Disk USB

Key- board

Battery

Device Tree

(28)

Resource Arbitration Resource Arbitration

Devices require system hardware resources to function (e.g. IRQs, Devices require system hardware resources to function (e.g. IRQs, I/O ports)

I/O ports)

The PnP Manager keeps track of hardware resource assignments The PnP Manager keeps track of hardware resource assignments If a device requires a resource that’s already been assigned, the If a device requires a resource that’s already been assigned, the PnP Manager tries to reassign resources in order to accommodate PnP Manager tries to reassign resources in order to accommodate Example:

Example:

1. 1.

Device 1 can use IRQ 5 or IRQ 6Device 1 can use IRQ 5 or IRQ 6

2. 2.

PnP Manager assigns it IRQ 5PnP Manager assigns it IRQ 5

3. 3.

Device 2 can only use IRQ 5Device 2 can only use IRQ 5

4. 4.

PnP Manager reassigns Device 1 IRQ 6PnP Manager reassigns Device 1 IRQ 6

5. 5.

PnP Manager assigns Device 2 IRQ 5PnP Manager assigns Device 2 IRQ 5

(29)

Plug and Play (PnP) State Transitions Plug and Play (PnP) State Transitions

PnP manager recognizes hardware, allocates resources, loads PnP manager recognizes hardware, allocates resources, loads

driver, notifies about config. changes driver, notifies about config. changes

Not started

Started

Pending stop

Stopped

Pending remove

Surprise remove

Removed

Start-device command

Query-stop command

Stop command

Query-remove command

Surprise-remove command

Remove command

(30)

The Power Manager The Power Manager

A system must have an ACPI-compliant BIOS for full compatibility (APM A system must have an ACPI-compliant BIOS for full compatibility (APM gives limited power support)

gives limited power support)

A number of factors guide the Power Manager’s decision to change power A number of factors guide the Power Manager’s decision to change power state:

state:

System activity level System activity level System battery level System battery level

Shutdown, hibernate, or sleep requests from Shutdown, hibernate, or sleep requests from applications

applications

User actions, such as pressing the power button User actions, such as pressing the power button Control Panel power settings

Control Panel power settings

The system can go into low power modes, The system can go into low power modes, but it requires the cooperation of every but it requires the cooperation of every

device driver - applications can provide their input as well device driver - applications can provide their input as well

(31)

The Power Manager The Power Manager

There are different system power states:

OnOn

Everything is fully on Everything is fully on Standby

Standby

Intermediate states Intermediate states

Lower standby states must consume less power than higher ones Lower standby states must consume less power than higher ones Hibernating

Hibernating

Save memory to disk in a file called hiberfil.sys in the root directory of the system Save memory to disk in a file called hiberfil.sys in the root directory of the system volume

volume OffOff

All devices are off All devices are off

Device drivers manage their own power level Device drivers manage their own power level

Only a driver knows the capabilities of their device Only a driver knows the capabilities of their device

Some devices only have “on” and “off”, others have intermediate states Some devices only have “on” and “off”, others have intermediate states Drivers can control their own power independently of system power Drivers can control their own power independently of system power

Display can dim, disk spin down, etc.

(32)

Power Manager Power Manager

based on the Advanced Configuration and Power Interface (ACPI) based on the Advanced Configuration and Power Interface (ACPI)

State

State Power ConsumptionPower Consumption Software ResumptionSoftware Resumption HW LatencyHW Latency S0 (fully on)

S0 (fully on) MaximumMaximum Not applicableNot applicable NoneNone S1 (sleeping)

S1 (sleeping) Less than S0,Less than S0, more than S2

more than S2 System resumes where it left System resumes where it left off (returns to S0)

off (returns to S0) Less than 2 Less than 2 sec.sec.

S2 (sleeping)

S2 (sleeping) Less than S1,Less than S1, more than S3

more than S3 System resumes where it left System resumes where it left off (returns to S0)

off (returns to S0) 2 or more 2 or more sec.sec.

S3 (sleeping)

S3 (sleeping) Less than S2,Less than S2, processor is off

processor is off System resumes where it left System resumes where it left off (returns to S0)

off (returns to S0) Same as S2Same as S2 S4 (sleeping)

S4 (sleeping) Trickle current to power Trickle current to power button and wake

button and wake circuitry

circuitry

System restarts from System restarts from

hibernate file and resumes hibernate file and resumes where it left off (returns to S0) where it left off (returns to S0)

Long and Long and undefined undefined S5 (fully off)

S5 (fully off) Trickle current to Trickle current to power button

power button System bootSystem boot Long and Long and undefined undefined

(33)

Troubleshooting I/O Activity Troubleshooting I/O Activity

Filemon can be a great help to understand and troubleshooting I/O Filemon can be a great help to understand and troubleshooting I/O problems

problems

Two basic techniques:

Go to end of log and look backwards to where problem occurred or is Go to end of log and look backwards to where problem occurred or is evident and focused on the last things done

evident and focused on the last things done Compare a good log with a bad log

Compare a good log with a bad log

Often comparing the I/O activity of a failing process with one that works Often comparing the I/O activity of a failing process with one that works may point to the problem

may point to the problem

Have to first massage log file to remove data that differs run to run Have to first massage log file to remove data that differs run to run

Delete first 3 columns (they are always different: line #, time, process Delete first 3 columns (they are always different: line #, time, process id)id)

Easy to do with Excel by deleting columns Easy to do with Excel by deleting columns

Then compare with FC (built in tool) or Windiff (Resource Kit) Then compare with FC (built in tool) or Windiff (Resource Kit)

(34)

Filemon Filemon

# - operation number

Process: image name + process id Process: image name + process id Request: internal I/O request code Request: internal I/O request code

Result: return code from I/O operation Result: return code from I/O operation

Other: flags passed on I/O request

(35)

Using Filemon Using Filemon

Start/stop logging (Control/E) Start/stop logging (Control/E) Clear display (Control/X)

Clear display (Control/X)

Open Explorer window to folder containing file:

Double click on a line does this Double click on a line does this

Find – finds text within window Find – finds text within window Save to log file

Save to log file

Advanced mode

Network option

(36)

What Filemon Monitors What Filemon Monitors

By default Filemon traces all file I/O to:

Local non-removable media Local non-removable media Network shares

Network shares

Stores all output in listview Stores all output in listview

Can exhaust virtual memory in long Can exhaust virtual memory in long runsruns

You can limit captured data with history You can limit captured data with history depth

depth

You can limit what is monitored:

What volumes to watch in Volumes menu What volumes to watch in Volumes menu

What paths and processes to watch in Filter dialog What paths and processes to watch in Filter dialog

What operations to watch in Filter dialog (reads, writes, successes What operations to watch in Filter dialog (reads, writes, successes and errors)

and errors)

(37)

Filemon Filtering and Highlighting Filemon Filtering and Highlighting

Include and exclude filters are substring matches against Include and exclude filters are substring matches against the process and path columns

the process and path columns

Exclude overrides include filter Exclude overrides include filter

Be careful that you don’t exclude potentially useful data Be careful that you don’t exclude potentially useful data

Capture everything and save the log Capture everything and save the log

Then apply filters (you can always reload the log) Then apply filters (you can always reload the log)

Highlight matches all columns

(38)

Basic vs Advanced Mode Basic vs Advanced Mode

Basic mode massages output to be sysadmin- Basic mode massages output to be sysadmin-

friendly and target common troubleshooting friendly and target common troubleshooting

Things you don’t see in Basic mode:

Raw I/O request names Raw I/O request names

Various internal file system operations Various internal file system operations

Activity in the System process Activity in the System process

Page file I/O Page file I/O

Filemon file system activity

(39)

Understanding Disk Activity Understanding Disk Activity

Use Filemon to see why you’re hard disk is crunching Use Filemon to see why you’re hard disk is crunching

Process performance counters show I/O activity, but not to where Process performance counters show I/O activity, but not to where

System performance counters show which disks are being hit, but System performance counters show which disks are being hit, but

not which files or which process not which files or which process

Filemon pinpoints which file(s) are being accessed, by whom, and Filemon pinpoints which file(s) are being accessed, by whom, and

how frequently how frequently

You can also use Filemon on a server to determine which You can also use Filemon on a server to determine which

file(s) were being accessed most frequently file(s) were being accessed most frequently

Import into Excel and make a pie chart by file name or operation Import into Excel and make a pie chart by file name or operation type type

Move heavy-access files to a different disk on a different controller

(40)

Polling and File Change Notification Polling and File Change Notification

Many applications respond to file and directory changes Many applications respond to file and directory changes

A poorly written application will “poll” for changes A poorly written application will “poll” for changes

A well-written application will request notification by the system of A well-written application will request notification by the system of changes

changes

Polling for changes causes performance degradation Polling for changes causes performance degradation

Context switches including TLB flush Context switches including TLB flush Cache invalidation

Cache invalidation

Physical memory usage Physical memory usage CPU usage

CPU usage

Alternative: file change notification Alternative: file change notification

When you run Filemon on an idle system you should only see When you run Filemon on an idle system you should only see bursty system background activity

bursty system background activity

Polling is visible as periodic accesses to the same files and directories Polling is visible as periodic accesses to the same files and directories File change notification is visible as directory queries that have no File change notification is visible as directory queries that have no result

result

(41)

Example: Word Crash Example: Word Crash

While typing in the document Word XP would While typing in the document Word XP would

intermittently close without any error intermittently close without any error

message message

To troubleshoot ran Filemon on user’s To troubleshoot ran Filemon on user’s

system system

Set the history depth to 10,000 Set the history depth to 10,000

Asked user to send Filemon log when Word Asked user to send Filemon log when Word

exited

(42)

Solution: Word Crash Solution: Word Crash

Working backwards, the first “strange” or Working backwards, the first “strange” or

unexplainable behavior are the constant reads unexplainable behavior are the constant reads

past end of file to MSSP3ES.LEX past end of file to MSSP3ES.LEX

User looked up what .LEX file was User looked up what .LEX file was

Related to Word proofing tools Related to Word proofing tools

Uninstalled and reinstalled proofing tools & problem Uninstalled and reinstalled proofing tools & problem

went away

(43)

Example: Useless Excel Error Example: Useless Excel Error

Message Message

Excel reports an error “Unable to read Excel reports an error “Unable to read

file" when starting

(44)