FileObjects in system Dump

Hi,
I have a scenario where kernel PageMemory is being depleted. On doing
!poolused on System dump indicates that MmSt tag is main consumer
indicating high File IO. Also, “File” tag is also consuming more memory.
From the user mode, there is no handle leak. However, I doubt that our
mini-filter might be holding reference to FileObject opened by user mode
application. Our driver is mini-filter.

Is there a way we can list all FileObject in the dump.

Also, Poolused output shows difference of Alloc-Free as -ve. What does this
indicate?

Thanks
Ashish

I don’t know of a way to list all objects, you can list all handles with
!handle which will get you a lot of the objects.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


I believe that there is a gflags setting that will cause the object manager to keep an internal list of all file objects. I can’t remember the command you use to then get a list of them, but as Don mentions you can use the !handles…

–Mark Cariddi
OSR Open Systems Resources, Inc.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, December 12, 2011 11:16 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] FileObjects in system Dump

I don’t know of a way to list all objects, you can list all handles with !handle which will get you a lot of the objects.

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

File objects are allocated with the tag ‘File’ so,

!poolfind File


From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Ashish Goyal [xxxxx@gmail.com]
Sent: Monday, December 12, 2011 08:04
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FileObjects in system Dump

Hi,
I have a scenario where kernel PageMemory is being depleted. On doing !poolused on System dump indicates that MmSt tag is main consumer indicating high File IO. Also, “File” tag is also consuming more memory. From the user mode, there is no handle leak. However, I doubt that our mini-filter might be holding reference to FileObject opened by user mode application. Our driver is mini-filter.

Is there a way we can list all FileObject in the dump.

Also, Poolused output shows difference of Alloc-Free as -ve. What does this indicate?

Thanks
Ashish

!object 0 file

usually does it for me. First time around it will not work because (as Mark
notes) a gflag has to be set. But the error tells you which one to set and
from there you just have to work out how to set it and reboot…

If you’re only interested in files that contribute to MmSt usage you can dump control area objects instead:

lkd> !ca 0 8

Scanning large pool allocation table for Tag: MmCa (fffffa800c600000 : fffffa800c900000)

fffffa8009d2b9c0 0000000000000000 0 File: \Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-FontFace.dat
fffffa8009d2bdd0 0000000000000000 0 File: \Windows\setupact.log
fffffa800714df20 0000000000000000 0 File: \Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

You can use different flags for more details, or to filter by section type (file/pagefile/image).

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Cariddi
Sent: Monday, December 12, 2011 8:41 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] FileObjects in system Dump

I believe that there is a gflags setting that will cause the object manager to keep an internal list of all file objects. I can’t remember the command you use to then get a list of them, but as Don mentions you can use the !handles…

–Mark Cariddi
OSR Open Systems Resources, Inc.


MmSt allocations and file objects can be kept alive by user references (including outstanding mapped views), or simply by file pages cached on the standby list. You can try purging the standby list using rammap.exe and see if that makes pool usage go down. If it does then you don’t have a leak, the pool usage is just a side effect of caching a lot of files.
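
An added example, not part of the original thread: one way to apply the purge test described above is to record per-tag pool usage before and after emptying the standby list and check which tags gave their memory back. The snapshot layout (tag, pool type, bytes in use), the numbers, the thresholds and the mini-filter tag "Xflt" are all constructed assumptions for illustration, not real debugger or tool output.

```python
import re

# Constructed snapshots: tag, pool type, bytes in use. "Xflt" is a hypothetical
# tag standing in for a mini-filter's own allocations.
BEFORE = """\
MmSt Paged 1460000000
File Nonp   158000000
Xflt Paged   19500000
"""
AFTER = """\
MmSt Paged   92000000
File Nonp     8200000
Xflt Paged   19480000
"""

ROW = re.compile(r"^(\S{1,4})\s+(Paged|Nonp)\s+(\d+)$")

def parse_snapshot(text):
    """Return {(tag, pool_type): bytes_in_use}, skipping malformed rows."""
    usage = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            usage[(m.group(1), m.group(2))] = int(m.group(3))
    return usage

def classify(before, after, drop_ratio=0.5, min_bytes=1_000_000):
    """Label each sizeable tag by how it reacted to the standby-list purge.

    "cache"    -> most of the pool was released, so it was a caching side effect
    "retained" -> usage stayed, so something still references the objects
    """
    old, new = parse_snapshot(before), parse_snapshot(after)
    verdicts = {}
    for key, used in old.items():
        if used < min_bytes:
            continue  # too small to matter for pool depletion
        released = (used - new.get(key, 0)) / used
        verdicts[key[0]] = "cache" if released >= drop_ratio else "retained"
    return verdicts

if __name__ == "__main__":
    for tag, verdict in classify(BEFORE, AFTER).items():
        print(f"{tag}: {verdict}")
```

Tags reported as "retained" are the ones worth following up with the debugger commands mentioned in this thread.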

!ca worked…It gave the list of files…
Thanks
Ashish

On Tue, Dec 13, 2011 at 6:33 AM, Pavel Lebedynskiy wrote:

> If you’re only interested in files that contribute to MmSt usage you can
> dump control area objects instead:
>
> lkd> !ca 0 8
>
> Scanning large pool allocation table for Tag: MmCa (fffffa800c600000 :
> fffffa800c900000)
>
> fffffa8009d2b9c0 0000000000000000 0 File:
> \Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-FontFace.dat
> fffffa8009d2bdd0 0000000000000000 0 File: \Windows\setupact.log
> fffffa800714df20 0000000000000000 0 File:
> \Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
> …
>
> You can use different flags for more details, or to filter by section type
> (file/pagefile/image).