

ep:labs:08 [2021/10/04 13:28]
cezar.craciunoiu [Introduction]
ep:labs:08 [2023/10/30 00:50] (current)
ana.grigorescu0809 [03. Process Monitor]
Line 1: Line 1:
 ====== Lab 08 - I/O Monitoring (Windows) ====== ====== Lab 08 - I/O Monitoring (Windows) ======
 +===== Objectives =====
 +  * Offer an introduction to Windows I/O monitoring.
 +  * Get you acquainted with a few Windows standard monitoring tools like **Task Manager**, **Windows Performance Recorder**, **Process Monitor**, and **Process Explorer**.
 +  * Learn how to monitor disk activity, identify what is generating it, and figure out what the issue is by looking at the pdbs and the code.
 +  * Take a deeper look into how monitoring tools extract data from processes.
 <note important>​ <note important>​
 You can download the **Windows 10 VM** via [[https://​ctipub-my.sharepoint.com/:​u:/​g/​personal/​radu_mantu_upb_ro/​EXSrHQMCkWBEpGYseFEmnnABCA1hyb1oGWMUhnnHx8LIdQ?​e=I0pxHg | OneDrive]]. You can download the **Windows 10 VM** via [[https://​ctipub-my.sharepoint.com/:​u:/​g/​personal/​radu_mantu_upb_ro/​EXSrHQMCkWBEpGYseFEmnnABCA1hyb1oGWMUhnnHx8LIdQ?​e=I0pxHg | OneDrive]].
 +If you need to use VirtualBox, you can use this //.ovf// version to import the VM (just on OneDrive)
 +[[https://​ctipub-my.sharepoint.com/:​u:/​g/​personal/​cezar_craciunoiu_upb_ro/​EZYR_YFyHx5GiHf5yBNuiyYB-zXhIaTNzJ8o8Ri2M8l5Mw?​e=9qxrde | OneDrive]].
 There is also the option to download as a torrent {{:​ep:​labs:​ep_win10_vm.7z.torrent.txt}}. There is also the option to download as a torrent {{:​ep:​labs:​ep_win10_vm.7z.torrent.txt}}.
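Review bot: the new VirtualBox sentence `+If you need to use VirtualBox, you can use this //.ovf// version to import the VM (just on OneDrive)` has no terminating punctuation before the link on the following line, and "(just on OneDrive)" is ambiguous; state plainly whether the .ovf is offered only on OneDrive and not through the torrent mentioned right after. Also, the objective moved into this hunk says "by looking at the pdbs and the code" without ever expanding the term; write "PDB (symbol) files" once so a reader new to Windows tooling knows what is meant.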
Line 16: Line 27:
 </​note>​ </​note>​
 +<note important>​
 + If Visual Studio prompts you with an "​Expired"​ message, you will have to log in with your (university) account.
-===== Objectives ===== 
-  * Offer an introduction to Windows I/O monitoring. +===== Contents ===== 
-  * Get you acquainted with a few Windows standard monitoring tools like **Task Manager**, **Windows Performance Recorder**, **Process Monitor**, and **Process Explorer**. +{{page>:​ep:​labs:​08:​meta:​nav&​nofooter&​noeditbutton}}
-  * Learn how to monitor disk activity, identify what is generating it, and figure out what the issue is by looking at the pdbs and the code. +
-  * Take a deeper look into how monitoring tools extract data from processes and the system.+
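Review bot: the `<note important>` opened with `+<note important>` for the Visual Studio "Expired" message is not closed in any of the lines shown; the `+===== Contents =====` heading and the `{{page>...}}` include follow directly, so confirm a `</note>` exists in the unshown lines before the heading, otherwise the Contents section renders inside the note box. Separately, the objectives removed here are re-added at the top of the page, but the last one drops "and the system" ("extract data from processes and the system" became "extract data from processes"); since the new Windows API section still talks about extracting information "from the system and its processes", restore the original wording unless the cut is intentional.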
Line 28: Line 39:
 As you remember from the Linux Monitoring labs there is an endless list of tools for system analysis. As you remember from the Linux Monitoring labs there is an endless list of tools for system analysis.
 This is unfortunately not true for Windows. This is unfortunately not true for Windows.
 The system is closed-source and the development of tools is much slower. The system is closed-source and the development of tools is much slower.
Line 36: Line 48:
-===== Tutorials & Tasks =====+==== 01. Task Manager ​====
-===== Task Manager ​=====+ Shows real time information about processes and the system. 
 + To start Task Manager you can use any of the following methods: 
 +  * //**Ctrl + Shift + Esc**// 
 +  * Right click the taskbar and choose Task Manager 
 +  * //**Ctrl + Alt + Del**// and select ​Task Manager
-Shows the process ​name responsible for constant disk thrashing either by reads or writes+ ​**Tabs description:​** 
 +   * **Processes** - shows all the running processes and their current resource usage in terms. 
 +   * **Performance** - shows the usage level of the computer'​s main resources in the last minute. 
 +   * **App history** - added with Windows 8, it shows the resource consumption of metro applications. 
 +   * **Startup** - shows all the applications that start at start-up and their impact on the boot time. 
 +   * **Users** - shows the resource consumption of every logged in user. 
 +   * **Details** - shows detailed information about each process. Right-clicking the column headers bar, offers the possibility to add or remove columns. The following columns: Handles, Threads, Image Path Name, and Command Line are useful for especially useful for this laboratory. 
 +   * **Services** - shows the service status for all services. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes.
-To start Task manager use the shortcut//**Ctrl + Shift + Esc**//.+ ​**Conclusions:** 
 +   Task Manager can be used to identify which process uses a lot of RAM, CPU, accesses the disk many times or generates a lot of traffic on the network at a certain moment. 
 +   It does offer some information for longer periods of time, in the Startup tab, which shows what process had higher impact at startup, but does not specify the area that was impacted. 
 +   * You can sort by I/O read or I/O Writes, but no there is no option to sort the results by Total I/O (combined Read & Write).
-**Tabs description:​** + <​note>​ 
-  * **Processes tab** shows all the running processes and their current resource usage in terms of CPU, Memory, Disk and Network. + To overcome Task Manager’limitations, and to perform ​thorough analysisuse the Resource Monitor ​(Resmonutility, which is built into Windows
-  * **Performance tab** shows the usage level of the computer'​main resources in the last 60 seconds. + </​note>​
-  * The **App history tab** was first added to Windows 8, and it shows the resource consumption of metro applications. Metro applications are touch-screen-friendly applications written especially for Microsoft'​s WinRT programming interfaces. +
-  * The **Start-up tab** shows all the applications that start at start-up, (or at least in Microsoft'​s vision - this will be further detailed in the Autoruns section), and their impact on the boot time. It is helpful ​to check this tab in case your computer takes long to to start up. +
-  * **Users tab** shows the resource consumption of every logged in user.  +
-  * **Details tab** shows details for each process - pid, status, the user under which it runs. Right-clicking the column headers bar, offers the possibility to add or remove columns. The following columns: Handles, Threads, Image Path Name and Command Line are very useful: the first one (Handleswhen investigating a handle leakthe second one (Threads) in the case of investigating processes that create too many threads, the third one (Image Path Name) to find out the path from where the process was started, and the last one (Command Line) to find out the parameters with which it was started.  +
-  * **Services tab** shows the service status. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes.+
-**Conclusion:​**+==== 02. Windows Performance Recorder & Analyzer ==== 
 + ​Windows Performance Recorder (WPR) is used to record the whole activity of the system in a time frame. 
 + ​Compared to Task Manager, this tool only captures information,​ without displaying it.
-  * Task Manager can be used to identify which process uses a lot of RAMCPU, accesses the disk many times or generates a lot of traffic on the network at a certain moment ​(Services tab). However, it does not offer information if in the long run, that same process ​is the one that generated the slowdown of the system. It does offer some information for longer periods of time, in the Start-up tab, which shows what process had higher impact at start-up, but does not specify the area that was impacted (disk space, RAM, CPU). + To inspect the captured data you will need to use another toolWindows Performance Analyzer ​(WPA). 
-  * You can sort by I/O read or I/O Writes, but no option to sort the results by Total I/O (combined Read & Write).+ This combination of tools is most useful when running tests that take hours and constantly watching Task Manager would be impossible.
-<​note>​ +==== 03. Process Monitor ==== 
-To overcome Task manager’s limitation, ​and to perform ​thorough analysis, use the excellent Resource Monitor (Resmon) utility, which is built-in ​to Windows. + Process Monitor is another troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. 
-</​note>​+ The results can be saved to a log file, which you can send to an expert for analyzing a problem and troubleshooting it.
-Here [[https://​drive.google.com/​file/​d/​1z1J6lgoYfBOZF7acEzR8gEq1MH1OZgaf/​view]] you have a visual representation of the previous mentioned steps.+**How to Use Process Monitor to Track Registry and File System Changes?**
-== 01[20p] Task Manager ==+ We want to write to the HOSTS file (C:​\Windows\System32\drivers\etc\hosts) in order to add new rules. 
 + When we try to do this we encounter an error when saving the file.
-  - Watch the video and go through ​the tutorial + ​Following the steps below (or the video) we can record what causes ​the error. 
-  - Which program is constantly reading or writing ​to your hard disk?+ Afterwards, we can send it to an expert or search for a fix ourselves.
-:!: :!: NON-DEMO TASK + <​html>​ 
 +  <​center>​ 
 +   <​iframe width="​560"​ height="​315"​ src="​https://​www.youtube-nocookie.com/​embed/​-3JiM-PPigA"​ title="​YouTube video player"​ frameborder="​0"​ allow="​accelerometer;​ autoplay; clipboard-write;​ encrypted-media;​ gyroscope; picture-in-picture"​ allowfullscreen></​iframe>​ 
 +  </​center>​ 
 +  <​center>​ 
 +   <​b>​The video covers all 3 parts.</​b>​ 
 +  </​center>​ 
 + </​html>​
-**How to:**+^ Part 1: Running Process Monitor & Configuring Filters ^^ 
 +**1.** Run the Process Monitor application. || 
 +| **2.** Include the processes that you want to track the activity on. For this example, you want to include Notepad.exe in the (Include) Filters. || 
 +| **3.** Click Add, and click OK. || 
 +| **4.** From the Options menu, click Select Columns. || 
 +| **5.** Under “Event Details”, enable Sequence Number, and click OK. ||
-  * Open Task Managerand select the Details tab+<​note>​ 
-  * Right-click on the column header (NamePID, Status etc) and click Select Columns. + You can add multiple entries as wellin case you want to track more processes along with Notepad.exe
-  * Enable the following checkboxes and click OK.+ To keep this example simplerlet’s only track Notepad.exe.
-<note tip> + ​You’ll now see the Process Monitor main window tracking the list of registry and file accesses ​by processes real-timeas and when they occur.
-I/O read bytes is the number ​of bytes read in input/​output operations generated by a process, including ​file, network, and device I/Os. +
-Whereas I/O write bytes is the number of bytes written in input/​output operations ​by a process, including file, network, and device I/Os. +
-I/O Read Bytes & I/O Write Bytes directed to CONSOLE (console input object) handles are not counted.+
 </​note>​ </​note>​
-  ​Next, sort the listings by I/O Read bytes and see which application is generating ​the maximum I/O (in bytes/sec). Similarly, sort by I/O Write bytes to see which program ​is writing ​to the hard disk continuously+^ Part 2: Capturing Events ^^ 
-  Once you identify ​the programdecide if you need the program or notLeave it as it is if the I/O operations are justifiedElseremove ​the program or consult its documentation ​to tweak the settings if anyFor instanceone of your browser extensions may cause high disk or CPU usage. You need to isolate the extension, add-on or the browser’s feature causing the trouble.+**6.** Open Notepad. || 
 +| **7.** Switch to Process Monitor window. || 
 +| **8.** Enable ​the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar. || 
 +| **9.** The highlighted button above is the “Capture” button, ​which is currently disabled. You need to click that button to enable capturing of events. || 
 +| **10.** **Important**:​ Cleanup ​the existing events list using Ctrl + X key sequence and start afresh|| 
 +**11.** Switch back to Notepad. || 
 +| **12.** To reproduce ​the problemtry writing to the HOSTS file and saving itWindows offers to save the file with a different name, or in a different locationSowhat happens under the hood when you save to HOSTS file? Process Monitor shows that exactly|| 
 +| **13.** Switch to Process Monitor windowand turn off Capturing (Ctrl + E) as soon as you encounter the problem**Important Note**: ​You need to do all that as quickly as you can in order to not record unneeded data||
-===== Windows Performance Recorder =====+<note warning>​ 
 + The log file above tells us that Notepad encountered an ACCESS DENIED error when writing to the HOSTS file.
-<note warning>​ + The solution would be to simply run Notepad elevated (right-click ​and choose “Run as Administrator”) to be able to write to HOSTS file successfully.
-Datafile: Logs.exe ​and GoodLog.exe+
 </​note>​ </​note>​
-Installing Windows ADK will install Windows Performance Recorder. Check by clicking the windows button and typing “windows performance recorder”. +^ Part 3Saving ​the Output ^^ 
- +| **14.** In the Process Monitor window, select ​the File menu and click Save. || 
-Start **Windows Performance Recorder** by pressing Enter. You will see the following: +| **15.** Select Native Process Monitor Format (PML), mention ​the output file name and Path, save the file. || 
- +| **16.** Right-click ​on the Logfile.PML fileclick Send To, and choose Compressed (zipped) folderYou can now send it to an expert. ||
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_wpr-record.jpg?​400|}} ​  +
-</​spoiler> ​   +
-     +
-Click the **More options** button to get the list shown in the screenshot right below. +
-  +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_wpr-select.jpg?​400|}}   +
-</​spoiler> ​    +
- +
-Make sure that you select the same check boxes as in the screenshot, but do not click start just yet. Create a new directory and copy the **Logs.exe** and **GoodLog.exe** files into this directory. The behaviour of these two executables is similar to logging applications that write logs to the disk. Open a terminal and change ​the path to the directory where you copied the files.  +
-  +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_badlogs.jpg?​400|}} ​  +
-</​spoiler> ​  +
- +
-Start **Windows Performance Recorder** ​and right after run GoodLog.exe and then Logs.exe. Once the two applications finish running, ​click the Save button in Windows Performance Recorder+
- +
-<​spoiler>​ +
- ​{{:​ep:​laboratoare:​ep4_goodlogs.jpg?​400|}}  +
-</​spoiler> ​      +
- +
- +
-After the capture is saved, the Open option will become available in **Windows Performance Analyzer**. When clicking ​the Open button it should open a window such as the one below.  +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_wpa-cpu1.jpg?​400|}} ​  +
-</​spoiler>​ +
-      +
-Double clicking on Storage should display the following window. Analyse the resources. +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_wpa-cpu2.jpg?​400|}} ​  +
-</​spoiler> ​       +
- +
-In the upper-left corner of the newly opened window it can select Disk Usage, Utilization by Disk. Click on Utilization by Disk and select: Utilization by Process, ​Path Nameand Stack. This will generate ​the following output +
- +
-<​spoiler>​ +
- ​{{:​ep:​laboratoare:​ep4_wpa-cpu3.jpg?​400|}}  ​ +
-</​spoiler> ​     +
- +
-The graph looks interesting in Task Manager. Processes can be selected for observing their activity on the disk. It can be noticed that our processes are not shown. Run Logs.exe again while keeping Task Manager on.  +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_logstaskmanagerdisk.jpg?​400|}}   +
-</​spoiler> ​    +
- +
- +
-**Conclusions:​** +
- +
-  * This shows that there is activity ​on the diskThe question is why doesn'​t Windows Performance Analyzer show it. The way Windows Performance Recorder records activity is based on events generated by the Windows kernel. It registers to track the eventslistens to them, and during the recording period it constantly samples which process uses which resource at the time of sampling. +
-  * It sums up the number of time that a process was caught doing something. In our case, the two processes want to write to the disk, but they are not the ones that get to do the actual writing. They tell the system that they want to write, and the System process schedules the writing. The reason for this is targeting a more efficient disk writing, as the System process is trying to minimise the impact to the disk. This is why our process'​s writing is passed over to the System process. +
- +
-Here [[https://​drive.google.com/​file/​d/​1DTEnxhv9Tb5TORz1RFT7-v2ojLPW5l7A/​view]] you have a visual representation as well. +
- +
- +
-== 02. [20p] WPR and WPA  == +
- +
-  - Watch the video and go through the tutorial +
- +
- +
-===== Process Monitor ===== +
- +
-//Process Monitor is an excellent troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. The results can be saved to a log file, which you can send it to an expert ​for analyzing a problem and troubleshooting it.// +
- +
-**How to Use Process Monitor to Track Registry and File System Changes?​** +
- +
-^ Step 1: Running Process Monitor & Configuring Filters ^^ +
-| **1.** Download Process Monitor from Windows Sysinternals site. || +
-| **2.** Extract the zip file contents to a folder of your choice. || +
-| **3.** Run the Process Monitor application. || +
-| **4.** Include the processes that you want to track the activity on. For this example, you want to include Notepad.exe in the (Include) Filters. || +
-| **5.** Click Add, and click OK. || +
-| **6.** From the Options menu, click Select Columns. || +
-| **7.** Under “Event Details”, enable Sequence Number, and click OK. ||+
 <​note>​ <​note>​
-You can add multiple entries as wellin case if you want to track few more processes ​along with Notepad.exe. To keep this example simpler, let’s only track Notepad.exe. (You’ll now see the Process Monitor main window tracking ​the list of registry and file accesses by processes real-time, as and whey they occur.+ To recapTask Manager shows what processes ​use the disk intensively at the current ​time.
-^ Step 2: Capturing Events ^^ + Windows ​Performance Recorder / Windows ​Performance Analyzer show who used the disk during ​longer time periodalthough they were showing ​the activity ​as belonging ​to the System process instead of our process.
-| **8.** Open Notepad. || +
-| **9.** Switch to Process Monitor window. || +
-| **10.** Enable the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar. || +
-| **11.** The highlighted button above is the “Capture” button, which is current disabled. You need to click that button (or use Ctrl + E key sequence) to enable capturing of events. || +
-| **12.** Cleanup the existing events list using Ctrl + X key sequence (Important) and start afresh. || +
-| **13.** Now switch to Notepad and try to reproduce the problem. || +
-| **14.** To reproduce the problem (for this example), try writing to HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) and saving it. Windows ​offers to save the file (by showing the Save As dialog) with different nameor in a different location. So, what happens under the hood when you save to HOSTS file? Process Monitor shows that exactly. || +
-| **15.** Switch to Process Monitor window, and turn off Capturing (Ctrl + E) as soon as you reproduce the problem. Important Note: Don’t take much time to reproduce ​the problem after enabling capturing. Similarly turn off capturing as soon as you finish reproducing the problem. This is to prevent Process Monitor from recording other unneeded data (which makes analysis part more difficult). You need to do all that as quickly as you can||+
-<note warning>​ + Using Process Monitor we could identify our processes'​ entire activity ​and determine why one is slower than the other.
-The log file above tells us that Notepad encountered an ACCESS DENIED error when writing to the HOSTS file. The solution would be to simply run Notepad elevated (right-click ​and choose “Run as Administrator”) to be able to write to HOSTS file successfully.+
 </​note>​ </​note>​
-^ Step 3: Saving the Output ^^ +==== 04. Process ​Explorer ==== 
-| **16.** In the Process ​Monitor window, select the File menu and click Save. || + ​Process ​Explorer is similar to Task Manager in many waysas both serve the same purpose
-| **17.** Select Native ​Process ​Monitor Format (PML)mention ​the output file name and Path, save the file|| + Process Explorer is more verbose ​and shows much more information about different parts of the system.
-| **18.** Right-click on the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. This compresses ​the file by ~90%. Look at the graphic below. You certainly want to zip the log file before sending it to someone||+
-You can take also take a look at this video here: https://​drive.google.com/​file/​d/​1ZYdtOq7QsY0nfYDS3e4foPFRVPgO4Qdb/​view.+ Even if it doesn'​t ​look as pretty as Task Manager, ​this tool was developed for Windows 2000 initially. 
 + The Task Manager of Windows 2000 offered much fewer options than the one for Windows 10. 
 + Now, Task Manager and Process Explorer are interchangeable in most cases.
 +==== 05. Windows API ====
 + The previous chapters cover most cases where we encounter an error, we diagnose it, and identify it.
-== 03[30p] Process Monitor ==+ There is always the very rare case where a tool just doesn'​t cut it. 
 + In this case we can use the API offered by Windows to extract what information we want from a program and/or the system.
-<note warning>​ + More precisely, we are interested in the [[https://docs.microsoft.com/​en-us/​windows/​win32/​psapi/​process-status-helper ​| Process ​Status API]] from Windows
-Download ​the archive {{:ep:​laboratoare:​logs-final.7z|}} and check if you have “Process ​Monitor” installed (Windows ​10).+ This offers basic functionality to extract information from the system and its processes.
-//​logs-final.7z//: **parola**+ We will only briefly go over the functions in the Task, so feel free to try more of the functionality of the API.
-//​HandleLeak.7z//:​ **parola7**+===== Tasks =====
-//Task.7z//: **parola17**+<note warning>​ 
 + The tasks can be found for the Windows sessions can be found here: 
 +  ​New Tasks: {{:​ep:​laboratoare:​lab08-tasks.zip|}}
 </​note>​ </​note>​
-== [10p] Task A - Checking logging file == +{{namespace>:ep:labs:08:contents:tasks&​nofooter&​noeditbutton}}
- +
-  * Looking at the logs created by the two apps in Process Monitor - bad.log, good.log - they are identical, but Logs.exe has a significantly longer running time compared to GoodLog.exe. Start Process Monitor.  +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_procmon.jpg?​400|}} +
-</​spoiler> +
- +
-  * If the 4 buttons in the black area on the upper part of the window are selected, Process Monitor will display the activity (in this order) for: registry, files, networking, process and thread activity. By unchecking them, the corresponding events will be no longer displayed. In the menu bar there is the Filter field. If selected, it will trigger a dropdown menu that contains another Filterfield. If this second Filter field is selected, it will open the window shown below. Replicate this on your computer.  +
- +
-<​spoiler>​ +
-{{:ep:laboratoare:ep4_procmon-filters.jpg?​400|}} +
-</​spoiler>​ +
- +
-  * From the two dropdown menus in the upper part of the context window, select ”Process Name” instead of ”Architecture” and ”is” instead of ”contains”. In the text filed add Logs.exe, click the Add button and then the OKbutton. Open the terminal and run Logs.exe. After the program is done running, save the Process Monitor capture. Use Ctrl + X to reset all the events captured in Process Monitor. Go to Filter → Filter area, double-click on the filter that was just added and change Logs.exe with GoodLog.exe,​ then click Add and Ok. Start GoodLog.exe and save the capture once the program finishes running. Scroll down in the two capture-logs until you notice the activity for bad.log respectively good.log. +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_procmonlogscomparison.jpg?​400|}} +
-</​spoiler>​ +
- +
-<note important>​ +
-  * Notice the difference. On the left-hand side it is shown the faster logging process, and on the right-hand side the slower one. Look in the red highlighted area to see the difference. On the left-hand side the logging file is opened, followed by continuous writing, while on the right-hand side the file is opened and closed for every writing operation which explains the significant slowdown.  +
-</​note>​ +
- +
-  * To recap, Task Manager shows what processes use the disk intensively at the current time, Windows Performance Recorder / Windows Performance Analyzer show who used the disc during a longer time period, although they were showing the activity as belonging to the System process instead of our process. Using Process Monitor we could identify our processes'​ entire activity and we could determine why one is slower than the other. But what if we could find out which line in the code causes the problem? Go back to Process Monitor. Use the window of the badly written logging program (Logs.exe). Go to Options → Configure Symbols, which will open the window shown below.  +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_procmon-symbols.jpg?​400|}} +
-</​spoiler>​ +
- +
-  * In the log (D:​\Logs\bad.log) go to CreateFile. Double-click to open the Event Properties window. Choose the Stacktab, scroll down and you can notice that in the main function of main_bad_log.cpp,​ at line 12 the opening takes place. Click the ”Source” button to view the source code containing the issue.  +
- +
-<​spoiler>​ +
-{{:​ep:​laboratoare:​ep4_prcomoncode.jpg?​400|}}  +
-</​spoiler>​ +
- +
- +
-== [20p] Task B - Investigating a handle leak == +
- +
-:!: :!: NON-DEMO TASK  +
- +
-In {{:​ep:​laboratoare:​logs-final.7z|}} you have another example of two executables:​ **good.exe** and **bad.exe**. Both have the same outcome, the only difference being their running time (one of them is significantly slower). **Identify the problem**. +
- +
-**How to:** +
- +
-  * A handle leak consists of a process that opens files and does not close them. On modern computers if this action is performed millions of times, the system may become unresponsive and will either experience an overall slowdown or the application that causes this will eventually crash. You may think that millions of handles are impossible to reach, so it is not worth paying attention to this problem. However, imagine that there are services running on servers for years. As an example, having a handle leak every 2 seconds amounts for over 10 million handle leaks in a year. How should such problems be investigated?​ +
-  * **Hint:** Open up a terminal and run HandleLeak.exe. Check out the ”Details” tab in Task Manager after adding the ”Handles” column. +
- +
- +
-== 04. [30p] Process Explorer == +
- +
-:!: :!: NON-DEMO TASK  +
- +
-  * It can be noticed that the number of handles keeps growing. This is clearly a problem, but how do we investigate it? +
- +
-**How to:** +
- +
-  * Run it as administrator. It is similar to Task Manager. Select the process that you are interested in, namely HandleLeak, and press “Ctrl + H”. +
-  * “Ctrl + H” opens a window under the ”Process” section that displays all open handles along with information about them. Thus it will display file handles, registry handles, threads handles, and so on. There is another view (Ctrl + D) that displays all the loaded dlls. +
-  * So it can be noticed that the leaks are on the following file: D:​\Logs\HandleLeak\leak.txt. This is very useful information,​ but it would be better to find out who is responsible for the leak in code. Run Process Monitor with a filter on HandleLeak.exe and to notice the stack where the leakage is happens. +
- +
- +
-== 05. [10p] Feedback == +
- +
-:!: :!: NON-DEMO TASK  +
- +
-  * Please take a minute to fill in the **[[https://​forms.gle/​KHMVUhNfCPoR71Ew7 | feedback form]]** for this lab. +
- +
-{{ :ep:laboratoare:ep4_logo_bitd2.png?​300 |}} +
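Review bot: the rewritten Processes tab entry is truncated: `+   * **Processes** - shows all the running processes and their current resource usage in terms.` ends mid-phrase, while the old text read "in terms of CPU, Memory, Disk and Network"; restore that ending. Other wording defects introduced in this hunk: the Details entry has "are useful for especially useful for this laboratory" (drop the first "useful for"); the Task Manager conclusions say "but no there is no option to sort" (drop the stray "no"); the Tasks note says "The tasks can be found for the Windows sessions can be found here" (drop one "can be found"). One procedural inconsistency: Part 2 step 9 no longer mentions the Ctrl + E shortcut for enabling capture (the old step 11 did, "or use Ctrl + E key sequence"), yet step 13 still says "turn off Capturing (Ctrl + E)", so the shortcut first appears when the reader is told to stop; either keep it in step 9 or name the toolbar button in step 13. Finally, the first two Task Manager conclusion lines (`+   Task Manager can be used ...` and `+   It does offer some information ...`) lack the "*" list marker that the third line (`+   * You can sort ...`) carries, so the three bullets will not render as one list.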
ep/labs/08.1633343306.txt.gz · Last modified: 2021/10/04 13:28 by cezar.craciunoiu
CC Attribution-Share Alike 3.0 Unported