google / UIforETW

User interface for recording and managing ETW traces
https://randomascii.wordpress.com/2015/04/14/uiforetw-windows-performance-made-easier/
Apache License 2.0
1.57k stars 201 forks

Use Microsoft-Windows-Kernel-Memory instead of scanning working sets #80

Closed randomascii closed 8 years ago

randomascii commented 8 years ago

The Microsoft-Windows-Kernel-Memory provider records working set data more efficiently and more richly than UIforETW's scanning: "when used with Keyword 0x40 KERNEL_MEM_KEYWORD_MEMINFO_EX, Windows captures every 0.5s: Count, ProcessID, WorkingSetPageCount, CommitPageCount, VirtualSizeInPages, PrivateWorkingSetPageCount."

"Windows 8 (Build 9200) also supports KERNEL_MEM_KEYWORD_WS_SWAP (0x80). Win7 only supports KERNEL_MEM_KEYWORD_MEMINFO (keyword 0x20)..."

This was first suggested here:

https://github.com/google/UIforETW/commit/16c21715a3034867b24d12f4db0cb978c39dc146#commitcomment-17227542

Previously, when trying to use built-in ETW providers' working-set information, I found that WPA would not graph the data that was recorded, but WPA graphs the Microsoft-Windows-Kernel-Memory data quite nicely. These flags should be used where supported, and if possible the existing scanning code should be turned off or removed.

randomascii commented 8 years ago

I tested on Windows 7 and while Microsoft-Windows-Kernel-Memory works as a provider (the trace can be recorded) no memory data is recorded - at least nothing that WPA shows.

I'll test on Windows 8.1 as well and figure out what version checking to use. I'll also try KERNEL_MEM_KEYWORD_WS_SWAP to see if it is any use.

randomascii commented 8 years ago

I found a bit of documentation of these flags here:

https://github.com/MSOpenTech/Tx/blob/master/Manifests/SystemEvents.man

If you have any other information then please share.

MagicAndre1981 commented 8 years ago

You can use PerfView on Windows to dump the manifest and see which events are supported.

PerfView /nogui userCommand DumpRegisteredManifest Microsoft-Windows-Kernel-Memory generates the manifest as Microsoft-Windows-Kernel-Memory.manifest.xml

For me it shows that Win7 only supports KERNEL_MEM_KEYWORD_MEMINFO which doesn't log WorkingSets.
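The capability check described in the comment above, as an added example that is not part of the thread or of UIforETW's code: it reads a dumped manifest, collects the provider's keywords, and derives the mask to enable and whether working-set scanning is still needed. The sample manifests are constructed, the element layout (`provider`/`keywords`/`keyword` with `name` and `mask` attributes) assumes the standard ETW manifest schema, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

PROVIDER = "Microsoft-Windows-Kernel-Memory"
# Keyword names and masks as quoted in this thread.
WANTED = {"KERNEL_MEM_KEYWORD_MEMINFO": 0x20,
          "KERNEL_MEM_KEYWORD_MEMINFO_EX": 0x40,
          "KERNEL_MEM_KEYWORD_WS_SWAP": 0x80}

def _manifest(*names):
    """Build a constructed sample manifest (not real PerfView output)."""
    kws = "".join(f'<keyword name="{n}" mask="{WANTED[n]:#x}"/>' for n in names)
    return ('<instrumentationManifest '
            'xmlns="http://schemas.microsoft.com/win/2004/08/events">'
            f'<instrumentation><events><provider name="{PROVIDER}">'
            f'<keywords>{kws}</keywords></provider></events>'
            '</instrumentation></instrumentationManifest>')

WIN7_SAMPLE = _manifest("KERNEL_MEM_KEYWORD_MEMINFO")   # constructed
WIN81_SAMPLE = _manifest(*WANTED)                        # constructed

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def supported_keywords(manifest_xml, provider=PROVIDER):
    """Return {keyword name: mask} declared for `provider` in a manifest."""
    found = {}
    for prov in ET.fromstring(manifest_xml).iter():
        if _local(prov.tag) != "provider" or prov.get("name") != provider:
            continue
        for kw in prov.iter():
            if _local(kw.tag) == "keyword" and kw.get("name") and kw.get("mask"):
                found[kw.get("name")] = int(kw.get("mask"), 16)
    return found

def plan(manifest_xml):
    """Return (keyword mask to enable, True if working sets must still be scanned)."""
    have = supported_keywords(manifest_xml)
    mask = 0
    for name, expected in WANTED.items():
        if have.get(name) == expected:   # enable only keywords the OS declares
            mask |= expected
    # Assumption from the thread: only MEMINFO_EX carries working-set counts.
    return mask, not (mask & WANTED["KERNEL_MEM_KEYWORD_MEMINFO_EX"])

if __name__ == "__main__":
    for label, sample in (("Win7", WIN7_SAMPLE), ("Win8.1", WIN81_SAMPLE)):
        mask, scan = plan(sample)
        print(f"{label}: enable {PROVIDER}:{mask:#x}, scan working sets: {scan}")
```

Checking the manifest rather than the OS version avoids hard-coding which Windows releases declare which keywords.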

randomascii commented 8 years ago

Testing on Windows 8.1 shows that it captures KERNEL_MEM_KEYWORD_MEMINFO_EX data - the Virtual Memory Snapshots view is populated. I haven't tested Windows 8 and don't intend to. So... on Windows 8.1 and above we can rely on Microsoft-Windows-Kernel-Memory and can disable UIforETW's scanning of working sets, which neatly reduces the overhead of having UIforETW running.

randomascii commented 8 years ago

I'm tempted to put more information in the settings dialog to explain why the options are disabled in 8.1 and above, but for now I haven't bothered. Fixed. Thanks for the suggestion. It will be in the next release.

MagicAndre1981 commented 8 years ago

You should also enable it for 6.2 (Win8(Embedded)/Server 2012), not only 8.1/2012R2.