Analysis of memory counters in Windows

Analysis of memory counters in Windows
Article category: Operating System

Preface
Memory usage is one of the important factors in the system performance. Frequent page swapping and Memory leakage will affect the system performance. This article describes some memory concepts, counter meanings, and possible performance bottlenecks.

Concepts

① "Page switching" refers to the process of moving code and data blocks of a fixed size from Ram to a disk using a unit called "page", in order to release memory space.
② Each Windows Process has 4 GB of virtual address space. In a multitasking environment, the total memory used by all processes can exceed the physical memory.
③ Some of the processes may be deleted from the physical memory and saved to the hard disk file (pagefile ). When a process tries to access the memory exchanged to pagefile, the system will generate a page fault ), at this time, the Windows Memory Manager is responsible for re-transferring the corresponding memory page from the hard disk to the physical memory.
④ The term used to describe virtual page subsets in physical memory is called a working set, also called a resident set. There are three types of working sets: Process Working sets, system working sets, and session working sets. (For specific concepts, refer to the counters below)
⑤ Non-page feed pool: it consists of some virtual address ranges that can always reside in the physical memory. Because these address ranges always reside in the memory, therefore, you can access them at any time without causing page errors.
⑥ Page feed pool: A segment of virtual memory in the system space, which can be swapped in and out of the system. Both memory pools are located in the system address space and mapped to the virtual address space of each process.
7. Shared Memory: Memory visible to multiple processes, or memory that appears in the virtual address space of multiple processes. For example, if two processes use the same DLL, you only need to load the code page that references the DLL to the physical memory once, and then all the processes mapped to the DLL share these pages.
Memory MDL (memory descr extends ptor list) is a struct used to describe all physical memory pages in a memory area.

Possible performance problems

1. Memory \ page reads/sec is too high and continues to exceed 5.
Too many page swapping requires a lot of hard disk space, which can easily lead to confusion between insufficient Page Swap memory and the disk bottle diameter that leads to Page Swap. In this case, we need to track the following disk usage counters and memory counters when studying the causes of page exchanges with less obvious memory limitations: physical disk \ % disk Time, physical disk \ avg. disk queue length, memory \ page reads/sec
① If memory \ page reads/sec is relatively low, but physical disk \ % disk Time and physical disk \ avg. Disk queue length counter is very high, it indicates that the disk has a bottleneck.
② If the length of the physical disk \ avg. Disk queue increases, but the memory \ page reads/sec does not decrease, it indicates there is a memory bottleneck.

2. Memory leakage
If memory leakage is suspected, monitor memory \ available bytes and memory \ committed bytes to observe memory behavior, and monitors the Process \ private bytes, Process \ working set, and process \ handle count (handle leakage) of processes that may leak memory ).
If a kernel-mode process is suspected to cause leakage, you should also monitor memory \ pool paged bytes and Process \ pool paged bytes. (What is the difference between memory \ pool paged bytes and Process \ pool nonpaged bytes ).
You can use the poolmon tool to view detailed usage of the non-page feed pool and page feed pool.
Note: I just want to mention it here.

Understanding and description of each counter

1. Process \ Working Set
Meaning:
The process working set is the part of the virtual address space in the physical memory. Contains pages referenced by various threads in a process, that is, Mem usage in task manager.
Analysis:
Since each process worker set contains a shared page, the value of Process \ Working Set (_ total) is greater than the actual total process memory usage.

2. Process \ private bytes
Meaning:
The total number of private virtual memory allocated, that is, the amount of private and committed virtual memory used. That is, the VM Size in task manager.
Analysis:
Memory leakage occurs when the private virtual memory increases, rather than the working set size increases. At a certain point, the memory manager will prevent a process from increasing the physical memory size, but it can continue to increase its virtual memory size.

3. Memory \ available Mbytes (available bytes, available Kbytes)
Meaning:
Available Mbytes refers to the amount of available physical memory in MB, which can be immediately allocated to a process or system. It is the total size of the idle list, zero list, and backup list.
Analysis:
At least 10% of the physical memory is required. The minimum value is 4 MB.
Page Status:
Standby: The page originally belongs to a working set, but is now deleted. This page has not been modified since it was last written to a disk. The PTE (page table entry) still points to this physical page, but it is marked as invalid and is being transferred.
Idle: the page is idle, but it contains unspecified dirty data. (Zero Initialization is required; otherwise, it cannot be handed over to the user process)
Zero: the page is idle and has been initialized to zero by the zero page thread.

4. Memory \ page faults/sec
Meaning:
Page faults/sec is the average number of error pages per second. Because there is only one page error in each error operation, the calculation unit is the number of error pages per second, which is equal to the number of page error operations. This counter includes hard errors (those requiring disk access) and soft errors (error pages found elsewhere in the physical memory ). Many processors can continue to operate in the case of a large number of soft errors. However, hard errors can cause significant delays because you need to access the disk.

5. Memory \ page reads/sec
Meaning:
Page reads/sec is the number of times a disk is read to parse hard page errors. It displays the number of read operations, regardless of the number of pages for each operation. A hard page error occurs when a process references a page with a virtual memory located outside the working set or other locations with the physical memory and the page must be retrieved from the disk. This counter is the main indicator that causes system latency. It contains read operations to meet the file system cache (usually requested by applications) and non-Cache ing memory file errors. Compare the memory value \ pagesreads/sec and memory value \ pagesinput/sec to determine the average number of pages read by each operation.
Meaning:
Page hard fault, a subset of page/sec, is the number of times read from the hard disk to solve the hard error.
Analysis:
The threshold value is greater than 5. The lower the threshold, the better. A large value indicates disk read rather than cache read. If the value is greater than 5, it indicates that the memory Read Request experienced a large number of page faults ).
It indicates that the working set of the process is not enough. The hard disk is used for virtual memory. Here is the number of reads and does not care about the number of pages read. A large value indicates a memory bottleneck.

6. Memory \ page writes/sec
Meaning:
Page writes/sec refers to the speed at which pages are written to disks to release physical memory space. Only the changes made when the page is still in the physical memory will be written to the disk. Therefore, these pages may only retain data rather than code. This counter shows the write operation and does not count the number of pages written in each operation.

7. Memory \ pages input/sec
Meaning:
Pages input/sec is the number of pages read from the disk by parsing hard page errors. A hard page error occurs when a process references a page with a virtual memory located outside the working set or other locations with the physical memory and the page must be retrieved from the disk. When an error occurs at night, the system tries to read multiple consecutive pages into the memory to take full advantage of the read operation. Compare the values of memory \ pages input/sec with those of memory \ page reads/sec to determine the average number of pages read from memory by each read operation.

8. Memory \ pages output/sec
Meaning:
Pages output/sec refers to the number of pages written to the disk to release the physical memory space. The page is written back to the disk only when the physical memory is changed. Therefore, the page may only retain data rather than code. High-speed page output may indicate insufficient memory. When the physical memory is insufficient, Windows writes the page back to the disk to free up space.

9. Memory \ page/sec
Meaning:
Pages/sec refers to the number of pages that are read from or written to the disk to solve the hard page error. This counter is the main indicator that can display the type error that causes system range delay. It is the sum of memory \ pages input/sec and memory \ pages output/sec. The number of pages is calculated so that it can be compared with other page counts such as memory \ page faults/sec without conversion, this value includes pages retrieved from non-Cache ing memory files cached by the File System (usually requested by applications) to meet errors.
Analysis:
Generally, if pages/sec continues to exceed several hundred, you should study the page exchange activity further. You may need to increase the memory to reduce the page feed requirement (you can multiply this number by 4 K to get the hard disk data traffic caused by this ). A large value of pages/sec does not necessarily indicate memory problems, but may be caused by running programs that use memory ing files.

10. Memory \ % committed bytes in use
Meaning:
% Committed bytes in use is the ratio between memory \ committed bytes and memory \ commit limit. Committed memory is the physical memory used to reserve space in the page file. Commit limit is determined by the size of the page file. If the page file is expanded, the proportion will be reduced.

※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※ ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※

11. Memory \ committed bytes
Meaning:
Committed bytes refers to the number of committed (not reserved) Virtual Memory bytes. This number does not necessarily represent the page file usage, because it contains private commit pages that have never been swapped out in the physical memory. Of course, if a process is completely non-resident, it indicates the number of page files used.
Current commit charge ). For the usage of page files, see counter: Paging file \ % usage.
Original article:
Number of bytes of virtual (not reserved) memory that has been committed. this number doesn' t necessarily represent page file usage because it provided des private committed pages in physical memory that have never been paged out. rather, it represents the amount of page file space that wocould be used if the process was completely made nonresident.
Analysis:
The memory allocation of NT adopts two steps. First, a segment of space is reserved in the virtual address space. At this time, the operating system does not allocate physical memory, but retains a segment of address. Then, submit the space and the operating system will allocate physical memory.
Windows Address Space has three states. One is commited, indicating that the address space has been associated with a piece of memory; the other is reserved, indicating that the address space may be used in the future even though it is not associated with a piece of memory, the address space needs to be retained; the other is free, indicating that the address space is not associated with the memory.

12. Memory \ commit limit
Meaning:
Commit limit refers to the number of virtual memory bytes that can be submitted without the need to expand page files.
Original article:
Number of bytes of virtual memory that can be committed without having to extend the paging files; if the paging files can be extended, this limit is not hard.
To use a reserved region of address space, you must allocate physical storage and then map this storage to the reserved region. This process is called committing physical storage. Physical storage is always committed in pages.

※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※ ※※※※※※※※※※※※※※※※※※※※※※※※※※※

13. Memory \ pool nonpaged allocs
Meaning:
Pool nonpaged allocs refers to the number of calls to allocate space in the SWAp page pool. It calculates the number of calls to the allocated space, regardless of the number of space allocated in each call.
Original article:
Shows the number of callto allocate space in the nonpaged pool. This counter is measured in numbers of callto allocate space, regardless of the amount of space allocated in each call.
Analysis:
It has increased by more than 10% since the system was started. If yes, it indicates a potential serious bottleneck.
Observe the Server \ pool nonpaged failures, the number of times the page pool allocation fails. Non-zero indicates that the physical memory of the computer is too small.

14. Memory \ pool nonpaged bytes
Meaning:
Pool nonpaged bytes refers to the number of bytes in the non-page feed pool, and the non-page feed pool refers to the system memory (the physical memory used by the operating system) available objects (objects that cannot be written to the disk when they are not in use and must be kept in the physical memory as long as they are distributed.
Question: How does memory \ pool nonpaged Bytes Count differ from Process \ pool nonpaged Bytes Count.
Meaning:
The current size of the non-page feed pool, that is, the kernel memory → nonpaged in task manager.

15. Memory \ pool paged allocs
Meaning:
Pool paged allocs refers to the number of calls to allocate space in the page feed pool. It calculates the number of calls to allocate space, regardless of the number of space allocated in each call.
Original article:
Shows the number of callto allocate space in the paged pool. This counter is measured in numbers of callto allocate space, regardless of the amount of space allocated in each call.

16. Memory \ pool paged bytes
Meaning:
Pool paged bytes refers to the number of bytes in the page feed pool. The page feed pool is available for objects in the system memory (the physical memory used by the operating system) (which can be written to the disk when not in use) A region.
Question: How does memory \ pool paged Bytes Count differently from Process \ pool paged bytes.
Meaning:
The current virtual size of the page feed pool, that is, the kernel memory → paged virtual in task manager.
For the current physical (resident) Size of the page feed pool, see counter memory \ poll paged resident bytes.
Analysis:
You also need to observe the Server \ pool paged failures, the number of times the page pool allocation fails. Non-zero indicates that the physical memory or page file of the computer is too small.

※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※ ※※※※※※※※※※※※※※※※※※※※※※

17. Memory \ cache bytes
Meaning:
The total size of the system working set, which includes the following code or the part of the data residing in the memory: System slow memory swap memory pool swap system code (ntoskrnl.exe and driver) and system ing view.
Analysis:
Literally, it only refers to the system cache.
Cache bytes memory \ system cache resident bytes, memory \ System driver resident bytes, memory \ System Code resident bytes and memory \ pool paged resident bytes.

18. Memory \ cache bytes peak
Meaning:
Cache bytes peak is the maximum number of bytes used by the file system cache after the system is started. This may be larger than the current cache volume. This counter only displays the value observed last time; it is not an average value.
Original article:
Shows the maximum number of bytes used by the file system cache since the system was last started. This might be larger than the current size of the cache.

19. Memory \ cache faults/sec
Meaning:
Cache faults/sec indicates that the page to be searched cannot be found in the file system cache and needs to be retrieved from other places in memory (soft errors) or from disk (hard errors) the speed at which other retrieval errors occur. File System cache activity is a reliable indication for most application IP operations
. This counter displays the number of errors regardless of the number of pages in each operation.
Original article:
Shows the rate, in incidents per second, at which faults occured when a page that was sought in the file system cache was not found and was be retrieved either from elsewhere in memory (A Soft Fault) or from disk (a hard fault ). this counter shows the total number of faults, without regard for the number of pages faulted in each operation.
Analysis:
The number of times the file system cache has not hit the data. This value should be as low as possible. A large value indicates a shortage of memory and a low cache hit.
At the same time, observe the cache \ MDL read hits %. MDL read hits refers to the percentage of cache hit requests sent from memory descr extends ptor list to the file system cache. For example: memory access can be provided for pages in the cache without disk access.
The larger the value (close to 100%), the better the file system cache effect.

20. Memory \ demand zero faults/sec
Meaning:
Demand zero faults/sec uses zero pages to compensate for the average speed of paging errors. This counter shows the difference between the last two reserved Sampling Values, divided by the sampling interval. A zero page is a security function of Windows NT that clears the previous data and then fills the page with zero. This prevents leakage of previous data. This counter displays the number of errors, rather than the number of re-retrieved pages.
Original article:
Shows the average rate, in incidents per second, at which page faults required a zeroed page to satisfy the fault. this counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. zeroed pages (pages emptied of previusly stored data and filled with zeroes) prevent processes from seeing data stored by earlier processes that used the same memory space. this counter displays the number of faults, without regard to the number of pages retrieved to satisfy the fault.

21. Memory \ free system page table entries
Meaning:
Free system page table entries is a page table project that is not used by the system. This Count value only shows the previous value, not an average value.
Original article:
Shows the number of page table entries not in use by the system.

22. Memory \ pool paged resident bytes
Meaning:
The physical memory used by the page feed pool, that is, the kernel memory → paged physical in the task manager.

23. Memory \ system cache resident bytes
Meaning:
System cache resident bytes is the size of the operating system code in which the file system cache can be paged. This value only includes the current physical page, not the currently unused Virtual Memory Page. It is not equal to the system cache value displayed on the task manager. Therefore, this value is smaller than the actual virtual memory used by the file system cache. This value is the memory \ System Code resident bytes component, which represents all the page-breaking operating system code in the current physical memory.
Original article:
Shows the size, in bytes, of pageable operating system code in the file system cache. this value provided des only current physical pages and does not include any virtual memory pages that are not currently resident. it does not equal the system cache value shown in task manager. as a result, this value may be smaller than the actual amount of virtual memory in use by the file system cache. this value is a component of system code resident bytes that represents all pageable operating system code that is currently in physical memory.
Meaning:
The physical memory used by the system cache.

24. Memory \ System Code resident bytes
Meaning:
System Code resident bytes is the size of the bytes of the operating system code in the physical memory. This physical memory can be written to the disk if it is not in use. This value is a component of memory \ System Code Total Bytes. It also includes the operating system code on the disk. Memory \ System Code resident bytes (and memory \ System Code total bytes) does not include code that must be left in the physical memory and cannot be written to the disk.
Original article:
Shows the size, in bytes, of Operating System Code currently in physical memory that can be written to disk when not in use. this value is a component of system code Total Bytes, which also includes operating system code on disk. system Code resident bytes (and system code total bytes) does not include code that must remain in physical memory.
Meaning:
The physical memory used by ntoskrnl.exe for paging code.

25. Memory \ System Code Total Bytes
Meaning:
System Code Total Bytes indicates the number of bytes of the operating system code that can be paged in the virtual memory. This is used to measure the amount of physical memory that can be written to the disk when not in use. This value is obtained by adding the number of bytes in the ntoskrnl.exe, Hal. dll, start drive, and file system loaded with ntldr/osloader. This counter does not include code that must be retained in the physical memory and cannot be written to the disk.
Original article:
Shows the size, in bytes, of pageable Operating System Code currently in virtual memory. it is a measure of the amount of physical memory being used by the operating system that can be written to disk when not in use. this value is calculated by adding the bytes in ntoskrnl.exe, Hal. DLL, the boot drivers, and file systems loaded by ntldr/osloader. this counter does not include code that must remain in physical memory.

26. Memory \ System driver resident bytes
Meaning:
System driver resident bytes indicates the number of bytes of physical memory currently used by the device driver. It is the working set of the driver (physical memory area ). The value is memory \ System driver Total Bytes (including the drivers that can be written to the disk ).
Memory. Both system driver resident bytes and system driver Total Bytes contain physical memory that cannot be written to the disk.
Original article:
Shows the size, in bytes, of pageable physical memory being used by device drivers. the counter is the working set (physical memory area) of the drivers. this value is a component of system driver Total Bytes, which also includes driver memory that has been written to disk. neither system driver resident bytes nor system driver Total Bytes memory des memory that cannot be written to disk.
Meaning:
The physical memory used by the device driver code that can be paged.

27. Memory \ System driver Total Bytes
Meaning:
System driver Total Bytes indicates the number of bytes of the virtual memory that the device driver currently uses. When not in use, the page feed memory can be written to the disk. It includes the physical memory (memory \ System driver resident bytes), code, and data written to the disk. It is a component of memory \ System Code Total Bytes.
Original article:
Shows the size, in bytes, of pageable virtual memory currently being used by device drivers. pageable memory can be written to disk when it is not being used. it hosts des physical memory (system driver resident bytes) and Code and data written to disk. this counter is a component of system code total bytes.

28. Memory \ transition faults/sec
Meaning:
Transition faults/sec solves the page error speed by restoring the page without running an additional disk. Page errors include that the page is being used by another process that shares the page, the modified page list, the standby list, or the page is being written to the disk when a page error occurs. This technician is equal to the number of error pages because each operation has only one page error.
Original article:
Shows the rate, in incidents per second, at which page faults were resolved by recovering pages without additional disk activity, including pages that were being used by another process sharing the page, or that were on the modified page list or the standby list, or that were being written to disk at the time of the page fault. this counter is also equal to the number of pages faulted because only one page is faulted in each operation.
Analysis:
If this indicator remains high, it indicates a memory bottleneck. You should consider increasing the memory.

29. Memory \ write copies/sec
Meaning:
Write copies/sec indicates the speed at which page errors are caused by writing attempts by copying pages from other locations in the physical memory. Because the page is copied only when it is written, this is a practical way to share data. In addition, this page is shared. This counter displays the number of copies, regardless of the number of pages copied during each operation.
Original article:
Shows the rate, in incidents per second, at which page faults were caused by attempts to write that were satisfied by copying the page from elsewhere in physical memory. this is an economic mical way of sharing data since pages are only copied when they are written to; otherwise, the page is shared. this counter shows the number of copies, without regard to the number of pages copied in each operation.
Analysis:
Is the ratio of replication errors during writing. When writing, the copy page protection mechanism is optimized, and the memory manager can use it to save memory.
For example, two processes are sharing three pages, and each page is marked as write-time replication. When any thread of one process performs write operations on one page, A memory management error occurs. The memory manager does not report this error as an access violation. Instead, it allocates a new read/write page in the physical memory and copies the content on the original page to the new page, at the same time, the page ing information corresponding to the process is updated to point to the new page location, and then the exception is removed, so as to continue the write command just now. The write operation is successful. The newly copied page is private to the write operation Execution Process and invisible to other processes.

Descending Order
I refer to "in-depth analysis of Windows operating system" and some online materials, through my understanding, formed the above, what are the shortcomings, please submit.

From: http://www.51testing.com /? 27242/action_viewspace_itemid_82112.html