Volume 6, Number 1

  • Article

**********************************************************
THE SYSINTERNALS NEWSLETTER
https://www.sysinternals.com
Copyright (C) 2004 Mark Russinovich
**********************************************************

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
*SPECIAL ANNOUNCEMENT ISSUE

The lack of a recent newsletter has probably got you thinking that the list
is broken or that I've stopped writing them, but the reason is that David
Solomon and I have been hard at work on the next edition of "Inside Windows
2000". It's entitled, "Windows Internals" and will cover Windows 2000,
Windows XP, and Server 2003. We've made good progress and expect to have the
manuscript complete in August for publication in October. In addition to
reflecting changes to the OS, we've also expanded coverage in many areas,
including security, crash dump analysis, startup and more. Look for
resumption of regular newsletters once we've finished. That said, I've
included a Process Explorer tip that I think you'll find useful.

*USING PROCESS EXPLORER TO TRACK CPU USAGE
If you frequent Sysinternals, then you've seen Process Explorer gain major
enhancements in the last six months. Several make understanding a system's
CPU usage much easier than it is with Task Manager. In Task Manager, for
example, even processes consuming no CPU have text in the CPU column ("00"),
which makes it difficult to distinguish them from processes using CPU. Task
Manager also rounds CPU usage to the nearest whole number, which can hide or
misrepresent CPU usage. If a process is active every now and then, but
consuming less than 1% of CPU, it may still show up as "00". Finally, Task
Manager attributes any CPU time used by interrupt processing to the "System
Idle Process", making it impossible for you to identify a buggy driver or
hardware that's making your machine sluggish.

Process Explorer makes it easy to see which processes are using CPU at a
glance because it only displays numbers for those with non-zero CPU usage
and its option to view fractional CPU more accurately displays CPU usage. It
also shows interrupt (hardware interrupt) and deferred procedure call (DPCs
- software interrupt) activity as pseudo-processes.

However, even with fractional CPU there are almost always processes that are
consuming your CPU, but not shown as doing so. The reason for that is due to
the way that Windows does its time accounting. Periodically (every 10 ms on
most systems) a clock interrupt fires. In response the Windows clock
interrupt routine executes and assumes that whatever thread is currently
running is the one that's used the CPU since the last clock interrupt. 10 ms
is a long time on today's multigigahertz CPUs and many threads can execute
between clock interrupts, but never be seen by the clock interrupt routine.

Another way to determine process execution, therefore, is to examine the
number of context switches that the threads in a process have incurred. When
a thread is selected to run (scheduled), its context switch count is
incremented.. You can see the total number of context switches that have
occurred in each process by adding the Context Switch column (click on
View->Select Columns). But a more interesting number is the Context Switch
Delta column. This displays the number of context switches that have occur
in each process in between Process Explorer's refresh interval (which by
default is 1 second).

So, for a very different view of process activity on your system, add the
Context Switch Delta column and sort by it. You will see many processes with
threads that are running that do not show up as consuming any CPU time,
because the threads are running in between the 10ms clock interval. Some of
these processes are performing needless polling (such as querying the
registry or checking for changes in a folder). That is just plain sloppy
programming. Others may be performing useful work, but are running "under
the radar" of the system's time accounting mechanisms. It's your job to
determine the wheat from the chaff.

Download Process Explorer at
https://www.sysinternals.com/ntw2k/freeware/procexp.shtml.

*MARK SPEAKING ON LINUX/WINDOWS KERNEL COMPARISON, PROCESS EXPLORER AND BOOT
TROUBLESHOOTING AT TECHED

Come see me speak at either Microsoft TechEd US and Europe, where one of my
sessions, "Windows and Linux: A Tale of Two Kernels", compares the current
Linux kernel and Windows kernels. At TechEd US I'm also presenting "Advanced
Windows Troubleshooting with Sysinternals Process Explorer", where I'll give
you tips on getting the most from Process Explorer. At TechEd Europe my
"Effective Windows Troubleshooting with the Sysinternals Tools" shows the
use of Process Explorer, Regmon and Filemon to solve real-world problems,
and "Troubleshooting Windows Boot and Startup" teaches you mechanisms and
techniques for getting an unbootable system running again.

Learn more at https://www.sysinternals.com/ntw2k/info/talk.shtml

*MARK AND DAVID SOLOMON TEACH WINDOWS OS INTERNALS AND TROUBLESHOOTING

Hear me and David Solomon present our Windows 2000/XP/2003 internals class:
London: June 23-25, 2004
San Jose, CA: September 27-October 1, 2004 ***5 day hands on!
Austin, TX: December 14-16, 2004

This is the same class we teach to Microsoft employees around the world. It
covers the internals of processes & threads, thread scheduling, memory
management, security, the registry, and I/O system. Delve into mechanisms
such as system threads, system call dispatching, interrupt handling, &
startup & shutdown. Learn advanced troubleshooting techniques using the
Sysinternals tools and how to perform crash dump analysis. By understanding
the inner workings of the OS, you can take advantage of the platform more
effectively and more effectively debug and troubleshoot problems.

NOTE: London and Austin classes are lecture only. San Jose class is hands-on
(bring your own laptop-configuration details are provided).

For details and registration, visit
https://www.sysinternals.com/troubleshoot.shtml

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Thank you for reading the Sysinternals Newsletter.