[Newsletters Archive ^] [< Volume 5, Number 2] [Volume 6, Number 2 >]
The Systems Internals Newsletter Volume 6, Number 1
http://www.sysinternals.com
Copyright (C) 2004 Mark Russinovich
SPECIAL ANNOUNCEMENT ISSUE
The lack of a recent newsletter has probably got you thinking that the list is broken or that I've stopped writing them, but the reason is that David Solomon and I have been hard at work on the next edition of "Inside Windows 2000". It's entitled, "Windows Internals" and will cover Windows 2000, Windows XP, and Server 2003. We've made good progress and expect to have the manuscript complete in August for publication in October. In addition to reflecting changes to the OS, we've also expanded coverage in many areas, including security, crash dump analysis, startup and more. Look for resumption of regular newsletters once we've finished. That said, I've included a Process Explorer tip that I think you'll find useful.
USING PROCESS EXPLORER TO TRACK CPU USAGE
If you frequent Sysinternals, then you've seen Process Explorer gain major enhancements in the last six months. Several make understanding a system's CPU usage much easier than it is with Task Manager. In Task Manager, for example, even processes consuming no CPU have text in the CPU column ("00"), which makes it difficult to distinguish them from processes using CPU. Task Manager also rounds CPU usage to the nearest whole number, which can hide or misrepresent CPU usage. If a process is active every now and then, but consuming less than 1% of CPU, it may still show up as "00". Finally, Task Manager attributes any CPU time used by interrupt processing to the "System Idle Process", making it impossible for you to identify a buggy driver or hardware that's making your machine sluggish.
Process Explorer makes it easy to see which processes are using CPU at a glance because it only displays numbers for those with non-zero CPU usage and its option to view fractional CPU more accurately displays CPU usage. It also shows interrupt (hardware interrupt) and deferred procedure call (DPCs - software interrupt) activity as pseudo-processes.
However, even with fractional CPU there are almost always processes that are consuming your CPU, but not shown as doing so. The reason for that is due to the way that Windows does its time accounting. Periodically (every 10 ms on most systems) a clock interrupt fires. In response the Windows clock interrupt routine executes and assumes that whatever thread is currently running is the one that's used the CPU since the last clock interrupt. 10 ms is a long time on today's multigigahertz CPUs and many threads can execute between clock interrupts, but never be seen by the clock interrupt routine.
Another way to determine process execution, therefore, is to examine the number of context switches that the threads in a process have incurred. When a thread is selected to run (scheduled), its context switch count is incremented.. You can see the total number of context switches that have occurred in each process by adding the Context Switch column (click on View->Select Columns). But a more interesting number is the Context Switch Delta column. This displays the number of context switches that have occur in each process in between Process Explorer's refresh interval (which by default is 1 second).
So, for a very different view of process activity on your system, add the Context Switch Delta column and sort by it. You will see many processes with threads that are running that do not show up as consuming any CPU time, because the threads are running in between the 10ms clock interval. Some of these processes are performing needless polling (such as querying the registry or checking for changes in a folder). That is just plain sloppy programming. Others may be performing useful work, but are running "under the radar" of the system's time accounting mechanisms. It's your job to determine the wheat from the chaff.
Download Process Explorer at http://www.sysinternals.com/ntw2k/freeware/procexp.shtml.
MARK SPEAKING ON LINUX/WINDOWS KERNEL COMPARISON, PROCESS EXPLORER AND BOOT TROUBLESHOOTING AT TECHED
Come see me speak at either Microsoft TechEd US and Europe, where one of my sessions, "Windows and Linux: A Tale of Two Kernels", compares the current Linux kernel and Windows kernels. At TechEd US I'm also presenting "Advanced Windows Troubleshooting with Sysinternals Process Explorer", where I'll give you tips on getting the most from Process Explorer. At TechEd Europe my "Effective Windows Troubleshooting with the Sysinternals Tools" shows the use of Process Explorer, Regmon and Filemon to solve real-world problems, and "Troubleshooting Windows Boot and Startup" teaches you mechanisms and techniques for getting an unbootable system running again.
Learn more at http://www.sysinternals.com/ntw2k/info/talk.shtml
MARK AND DAVID SOLOMON TEACH WINDOWS OS INTERNALS AND TROUBLESHOOTING
Hear me and David Solomon present our Windows 2000/XP/2003 internals class:
London: June 23-25, 2004
San Jose, CA: September 27-October 1, 2004 ***5 day hands on!
Austin, TX: December 14-16, 2004
This is the same class we teach to Microsoft employees around the world. It covers the internals of processes & threads, thread scheduling, memory management, security, the registry, and I/O system. Delve into mechanisms such as system threads, system call dispatching, interrupt handling, & startup & shutdown. Learn advanced troubleshooting techniques using the Sysinternals tools and how to perform crash dump analysis. By understanding the inner workings of the OS, you can take advantage of the platform more effectively and more effectively debug and troubleshoot problems.
NOTE: London and Austin classes are lecture only. San Jose class is hands-on (bring your own laptop-configuration details are provided).
For details and registration, visit http://www.sysinternals.com/troubleshoot.shtml
Thank you for reading the Sysinternals Newsletter.
Published Tuesday, April 27, 2004 4:40 PM by ottoh
[Newsletters Archive ^] [< Volume 5, Number 2] [Volume 6, Number 2 >]