Problem description: Explorer has been performing read I/O at a steady rate of 38.8k (peaking at 77.5k), with 94 reads/s. As a result, CPU core time is continuously occupied and page faults are generated. There is no memory change, indicating that it has not read the required data. The constant page faults mean that it is not reading the actual physical device, but reading the two pages.
Problem analysis: a request is initiated -> the page is not in the working set -> page fault -> kernel trap gate -> 1. for a hard fault, the page's backing store is accessed; 2. for a soft fault, there is no such access and the page is added to the WS.
The thread repeats the request in a loop because the page cannot be loaded. So the simplest and most brutal fix is to terminate the thread.
The suspect threads are as follows:
1492 stobject.dll!CSysTray::SysTrayThreadProc
ntkrnlpa.exe!KiSwapContext+0x2f
ntkrnlpa.exe!KiSwapThread+0x8a
ntkrnlpa.exe!KeWaitForSingleObject+0x1c2
ntkrnlpa.exe!KiSuspendThread+0x18
ntkrnlpa.exe!KiDeliverApc+0x124
ntkrnlpa.exe!KiSwapThread+0xa8
ntkrnlpa.exe!KeWaitForSingleObject+0x1c2
win32k.sys!xxxSleepThread+0x192
win32k.sys!xxxRealInternalGetMessage+0x418
win32k.sys!NtUserGetMessage+0x27
ntkrnlpa.exe!KiFastCallEntry+0xfc
ntdll.dll!KiFastSystemCallRet
user32.dll!NtUserGetMessage+0xc
stobject.dll!SysTrayMain+0x180
stobject.dll!CSysTray::SysTrayThreadProc+0x4f
kernel32.dll!BaseThreadStart+0x37
1424 5 shlwapi.dll!WrapperThreadProc
ntkrnlpa.exe!KiSwapContext+0x2f
ntkrnlpa.exe!KiSwapThread+0x8a
ntkrnlpa.exe!KeWaitForSingleObject+0x1c2
ntkrnlpa.exe!KiSuspendThread+0x18
ntkrnlpa.exe!KiDeliverApc+0x124
ntkrnlpa.exe!KiSwapThread+0xa8
ntkrnlpa.exe!KeWaitForSingleObject+0x1c2
win32k.sys!xxxSleepThread+0x192
win32k.sys!xxxRealWaitMessageEx+0x12
win32k.sys!NtUserWaitMessage+0x14
ntkrnlpa.exe!KiFastCallEntry+0xfc
ntdll.dll!KiFastSystemCallRet
user32.dll!NtUserWaitMessage+0xc
explorer.exe!CTray::MainThreadProc+0x29
shlwapi.dll!WrapperThreadProc+0x94
kernel32.dll!BaseThreadStart+0x37
1604 1 browseui.dll!BrowserProtectedThreadProc
Learning materials
Working set: the amount of memory a process requires in a given time interval, which allows effective use of caches. The working set strategy prevents thrashing while keeping the degree of multiprogramming as high as possible. Thus it optimizes CPU utilization and throughput.
The WS can be divided into data and code, and into shared and private pages.
WS features: pages are located via the TLB; it contains only pageable memory and does not include Address Windowing Extensions (AWE) or large page allocations. Related functions: GetProcessMemoryInfo, GetProcessWorkingSetSizeEx, SetProcessWorkingSetSizeEx, EmptyWorkingSet, VirtualUnlock, UnmapViewOfFile. A function QueryWorkingSet is also found in psapi.h, which returns the attributes and location of each page in the WS. Normally the working set is managed by the system's memory manager. When a page is removed from the working sets of all processes, it enters the transition page state, waiting to be reused.
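The per-page attributes and location that QueryWorkingSet returns, and the shared/private and code/data split described above, decoded in an added example (not the author's tool). It assumes 4 KB pages and that each word comes from the WorkingSetInfo array of PSAPI_WORKING_SET_INFORMATION; the sample entries are constructed, and ws_summary, summarize_ws and ws_page_address are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One PSAPI_WORKING_SET_BLOCK is a single Flags word, low bits first:
   Protection:5, ShareCount:3, Shared:1, Reserved:3, VirtualPage:rest. */
#define WSB_PROTECTION(f) ((unsigned)((f) & 0x1F))
#define WSB_SHARECOUNT(f) ((unsigned)(((f) >> 5) & 0x7)) /* saturates at 7 */
#define WSB_SHARED(f)     ((unsigned)(((f) >> 8) & 0x1))
#define WSB_VPAGE(f)      ((uint64_t)(f) >> 12)
#define WSB_EXECUTABLE    0x2u /* set in Protection values 2, 3, 6 and 7 */

typedef struct { size_t shared, priv, code, data; } ws_summary; /* hypothetical */

/* Tally shared vs. private and code vs. data pages of a working set. */
ws_summary summarize_ws(const uint64_t *blocks, size_t n)
{
    ws_summary s = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (WSB_SHARED(blocks[i])) s.shared++; else s.priv++;
        if (WSB_PROTECTION(blocks[i]) & WSB_EXECUTABLE) s.code++; else s.data++;
    }
    return s;
}

/* Virtual address of the page an entry describes (assumes 4 KB pages). */
uint64_t ws_page_address(uint64_t block) { return WSB_VPAGE(block) << 12; }

/* Constructed sample entries (not captured from a real process). */
static const uint64_t sample_blocks[] = {
    (0x7C800ULL << 12) | (1u << 8) | (3u << 5) | 3u, /* shared, execute+read   */
    (0x00150ULL << 12) | 4u,                         /* private, read/write    */
    (0x77D40ULL << 12) | (1u << 8) | (1u << 5) | 1u, /* shared, read-only      */
    (0x00A31ULL << 12) | 5u,                         /* private, copy-on-write */
};

int main(void)
{
    size_t n = sizeof sample_blocks / sizeof sample_blocks[0];
    ws_summary s = summarize_ws(sample_blocks, n);
    for (size_t i = 0; i < n; i++)
        printf("0x%08llx prot=%u shared=%u sharecount=%u\n",
               (unsigned long long)ws_page_address(sample_blocks[i]),
               WSB_PROTECTION(sample_blocks[i]), WSB_SHARED(sample_blocks[i]),
               WSB_SHARECOUNT(sample_blocks[i]));
    printf("shared=%zu private=%zu code=%zu data=%zu\n",
           s.shared, s.priv, s.code, s.data);
    return 0;
}
```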
The results read with the tool (E:\book\0code\working-set) are as follows (not yet perfected, to be continued)
Process
In addition to a process's own structure, the subsystem parts Csrss.exe and win32k.sys maintain corresponding structures in user mode and in the kernel: CSR_PROCESS and W32PROCESS. Reference link: http://forum.sysinternals.com/topic15457.html
Windows-------------two weeks 2016-09-02