This thread is locked. You can follow the question or vote as helpful, but you cannot reply to this thread. I have the same question 3. Report abuse. Details required :. Cancel Submit. Thahaseena M. Click the Start menu button and click Control Panel 2. It is simpler and a lot more informative if one can refer to a process by name during analysis, rather than by ID, as IDs can be recycled once a process or thread terminates and all references to it are released. When events from other core components indicate OS activities during the state machine construction and simulation, the threads and processes that initiated them are located in the state machine, and their objects are updated to attribute those activities, using primarily the process and thread IDs in the event headers.
At the end, process and thread objects are aggregated and summarized into a report with various metrics. Image events correspond to image also known as module files getting loaded and unloaded into process address space. These events do not directly correlate to LoadLibrary calls, however. If a DLL is already loaded in the process, subsequent LoadLibrary calls for the same DLL simply increment the count of module references but will not map the module again. Image events allow for the tracking of loaded modules and the mapping of addresses within a process.
The Image event payload contains information such as the module address base and size, and the name of the binary file loaded or unloaded. Image events are also required for decoding call-stacks. In a typical state machine construction, Image events trigger the updating of a list of loaded modules into an aforementioned process object. Process Counter events, when enabled, are logged at process termination and record in its payload a few properties regarding the process execution statistics over the lifetime of the process.
They consist of peak memory size, peak working set size, peak paged and nonpaged pool usage, and peak page file usage. These events indicate how a process behaved with respect to memory usage. Like Process events, separate rundown Process Counter events are logged for all active processes at the end of event collection. Context Switch events are logged every time thread switches occur on a CPU and can be used to construct a very accurate history as to which threads have been running and for how long.
They occur very frequently and produce a large amount of data. In each switch, two threads are involved. The old thread will give up its share of execution time and hand the execution to the new thread. Thus, Context Switch events contains old and new thread IDs, old and new thread priorities, wait reason and wait time.
Context switches can happen for various reasons, including blocking on kernel synchronization objects events, timers, semaphores and so on. A certain amount of context switches are always expected. However, excessive context switching can be an indication of inefficient use of synchronization primitives and can lead to poor scaling in performance.
Enabling call-stacks on Context Switch events allows in-depth analysis on reasons for threads getting switched out. DPC is a kernel-mode function executed at elevated interrupt-level execution mode, and it preempts regular thread execution. DPC and ISR mechanisms are important elements in a Windows driver, as they are typically used for handling hardware interrupts.
Drivers and kernel-mode components have a right to use DPC and ISR, but it is strongly recommended that they spend as little time as possible in these elevated modes. DPC and ISR events are used to monitor and verify the behavior of various drivers and kernel-mode components.
By comparing the routine addresses against the range information in Image events, one can locate the kernel component responsible for those DPC and ISR events.
By setting aside storage for each processor that records its current active thread based on Context Switch, DPC and ISR events, one can monitor -- given any timestamp -- what each CPU was doing at that time and whose code it was executing. In the state machine simulation method, when a context switch takes place, a CPU object is updated with the new thread ID, and so is the object for the old thread with CPU usage up to the switch.
In certain cases, such as with IO, Memory or System Call events, ETW does not record the process or thread IDs in the event header, primarily to reduce the overhead of very frequent events.
Memory events denote memory manager MM operations. Memory events tend to be very frequent, especially on a busy system. A page fault occurs when a sought-out page table entry is invalid.
If the requested page needs to be brought in from disk, it is called a hard page fault a very expensive operation , and all other types are considered soft page faults a less expensive operation.
A Page Fault event payload contains the virtual memory address for which a page fault happened and the instruction pointer that caused it. A hard page fault requires disk access to occur, which could be the first access to contents in a file or accesses to memory blocks that were paged out. Enabling Page Fault events causes a hard page fault to be logged as a page fault with a type Hard Page Fault.
However, a hard fault typically has a considerably larger impact on performance, so a separate event is available just for a hard fault that can be enabled independently. Virtual Memory events were newly added for Windows 7 and are useful for tracking down leaked calls to the VirtualAlloc function and excessive virtual memory usage by applications. Memory event headers do not contain the IDs of the threads and processes that caused the particular activities.
The Page Fault event payload, however, has the thread ID of the thread causing the fault. This allows the correlation of Page Fault events to threads and processes through the state machine. The Virtual Memory event payload contains the ID of the process for which virtual memory operations were performed. To track it to the thread making the API call, you need the context switch accounting, described in the previous section.
Windows 7 features hundreds of event providers from various components. In the first part of this two-part article series, we have presented some of the core OS ETW events available on Windows 7 and the analysis techniques that we have used for many years.
Individual events indicate certain activities in the core OS, but if combined through context-sensitive analysis methods, they can be used to produce meaningful reports that provide insights into patterns and anomalies in resource usage. In Part 2, we plan to cover other core OS ETW events as well as present simple scripts to demonstrate a few basic accounting techniques on some of the OS events introduced in these two parts. We hope that many people will take advantage of the content presented here and that it will lead to the promotion of sound engineering practice, greater software quality and better user experiences.
He has published a dozen papers on performance analysis, request tracking, instrumentation technology, and programming methodology and support. His e-mail address is insungp microsoft. He can be reached at alexbe microsoft. Skip to main content. Hard to see why the system would expose such functionality. Add a comment. Active Oldest Votes. The answer somewhat depends on what you want to accomplish and what restrictions you have.
Good luck. Improve this answer. ETW can be very frustrating to set up and use and I'm not at all sure if it lets you get the thread context registers , I actually doubt it. AlexeyFrunze hence my recommendation to google and read about it.
Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name. Email Required, but never shown. The Overflow Blog. Podcast Helping communities build their own LTE networks. Podcast Making Agile work for data science. Featured on Meta. New post summary designs on greatest hits now, everywhere else eventually.
Related
0コメント