Page Faults

Discussion in 'LnS English Forum' started by OlderMan, Feb 2, 2007.

Thread Status:
Not open for further replies.
  1. OlderMan (Registered Member; joined Jul 19, 2006; posts: 19)
    Just wondering why LnS (205p3) generates so many page faults when viewed in Task Manager.

    I have been running for approx. 4 days and it shows over 2 million page faults, and when I ran pfmon it showed mostly soft faults. Here is a small snippet:

    SOFT: RtlAllocateHeap+0x232 : 00d50000
    SOFT: RtlAllocateHeap+0x232 : 00d50000
    SOFT: RtlTimeToTimeFields+0x400 : 00d6000c
    SOFT: PrivateExtractIconsW+0x4ea : 00d50000
    SOFT: PrivateExtractIconsW+0x328 : 00d6000c
    SOFT: PrivateExtractIconsW+0x4ea : 00d50000
    SOFT: PrivateExtractIconsW+0x328 : 00d6000c

    No idea if this is normal, just stands out with such a large number !

    I have 1 gig of RAM with a 2 gig pagefile, running on a Prescott 3.2 GHz CPU.
     
    Last edited: Feb 2, 2007
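Added example, not part of the original thread: a small parser that tallies pfmon lines like the ones quoted in the post above by fault kind, faulting routine and page. The `HARD:` prefix, the reading of the last field as the address touched, and the 4 KiB page size are assumptions; the last two sample lines are constructed.

```python
import re
from collections import Counter, namedtuple

Fault = namedtuple("Fault", "kind symbol offset address")

# Layout of the quoted snippet: "KIND: symbol+0xoffset : address".
LINE_RE = re.compile(
    r"^\s*(SOFT|HARD):\s*(\S+?)(?:\+0x([0-9a-fA-F]+))?\s*:\s*([0-9a-fA-F]+)\s*$"
)
PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, as on 32-bit x86 Windows

# The first seven lines are the snippet from the post. The HARD line and the
# junk line are constructed here to exercise the other two code paths.
SAMPLE = """\
SOFT: RtlAllocateHeap+0x232 : 00d50000
SOFT: RtlAllocateHeap+0x232 : 00d50000
SOFT: RtlTimeToTimeFields+0x400 : 00d6000c
SOFT: PrivateExtractIconsW+0x4ea : 00d50000
SOFT: PrivateExtractIconsW+0x328 : 00d6000c
SOFT: PrivateExtractIconsW+0x4ea : 00d50000
SOFT: PrivateExtractIconsW+0x328 : 00d6000c
HARD: ExampleRoutine+0x10 : 00e00000
pfmon banner or other text that is not a fault record
"""

def parse_pfmon(text):
    """Return one Fault per well-formed line; anything else is skipped."""
    faults = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, symbol, offset, address = m.groups()
            faults.append(Fault(kind, symbol, int(offset or "0", 16), int(address, 16)))
    return faults

def summarize(faults):
    """Count faults by kind, soft faults by routine, and all faults by page."""
    return {
        "by_kind": Counter(f.kind for f in faults),
        "soft_by_symbol": Counter(f.symbol for f in faults if f.kind == "SOFT"),
        # Assumption: the last field is the address touched; round down to its page.
        "by_page": Counter(f.address - f.address % PAGE_SIZE for f in faults),
    }

if __name__ == "__main__":
    summary = summarize(parse_pfmon(SAMPLE))
    for name, counts in summary.items():
        print(name, counts.most_common(3))
```

On the quoted snippet every soft fault lands on one of two pages, so the tally by page shows the same memory being touched repeatedly rather than a growing working set.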
  2. Phant0m (Registered Member; joined Jun 7, 2003; posts: 3,684; location: Canada)
    If a process requests a page in memory and the system cannot find it at the requested location, this constitutes a page fault (if the page is elsewhere in memory, the fault is called a soft page fault). Soft page faults are a common and necessary occurrence, and a large number of them can be done without significant consequence (in performance terms). :)
     
  3. OlderMan (Registered Member)
    I understand what hard/soft page faults are, though from what I've read there should not be so many for a single program.
    You feel that over 2 million faults are normal? Even 'explorer.exe', which is a known fault creator due to it starting/finding all programs, does not create anything even close.

    If 2 million is normal then I'm happy. I would just like to know if that is the case.
     
  4. Phant0m (Registered Member)
    Most of the Soft page faults are of PrivateExtractIconsW ?

    I wonder if that happens when viewing application filtering list throughout the windows session?
     
  5. OlderMan (Registered Member)
    Most of the time I leave LnS iconified in the tool tray, opening it only when allowing/blocking certain ports. Other than that it sits quietly and does its job.

    I have just noticed in the last day or so that it will either remove its icon from the tool tray and/or exit itself completely after I have brought up its interface and made any change, such as clearing the log display, then minimizing it again.

    I have to restart it again... really odd, as it's been perfect for the last 5-6 months.

    Though I do not believe the 2 events are related, just an odd trait.

    And thanks much for the quick response!
     
  6. Phant0m (Registered Member)
    In Advanced Options, is there a check for 'Confirm on exit' ?
     
  7. OlderMan (Registered Member)
    Yes "Confirm on Exit" is enabled
     
  8. Phant0m (Registered Member)
    So I imagine that you check first the Task Manager Processes list to ensure ‘looknstop.exe’ is indeed exited fully? Perhaps if you hadn’t already, try installing Look ‘n’ Stop over the existing installation.

    What version of Windows are you running?
     
  9. Frederic (LnS Developer; joined Jan 9, 2003; posts: 4,354; location: France)
    Hi OlderMan,

    Maybe you have a lot of log entries ?

    I've looked on different systems with task manager and the numbers are not so high. Explorer has ten times the number of LnS page faults on Win2000, and svchost is the winner on WinXP: 60 times the number of LnS.

    Where can I find the pfmon utility ?

    Thanks,

    Frederic
     
  10. Phant0m (Registered Member)
    http://support.microsoft.com/kb/927229

    Page Fault Monitor (pfmon.exe): This command-line tool lets a developer or system administrator monitor page faults that occur when an application is running. Although you can easily resolve soft page faults with Virtual Memory Manager, you can use Pfmon to trace hard page faults. To download this tool, click the following link:
     
  11. OlderMan (Registered Member)
    I am running WinXP Pro SP2 with all current updates. Yes, I check Task Manager to verify that LnS has indeed exited.

    I rebooted last night and as of now (8:16 pm EST) LnS shows 86,656 page faults.

    All the svchosts are much lower, the highest one is 18k.

    I am using Corsair "TWINX1024-4000PRO" and have removed and reinstalled them into the other slots just to be sure all is OK, and ran memtest; all shows OK. The RAM is in dual channel config. Not sure if any of that matters, just giving all the info I can.
     
  12. Frederic (LnS Developer)
    Hi,

    Did you look at the Look 'n' Stop log?
    If there are many packets, it can use a lot of memory and create page faults.
    And by the way, what is the virtual memory usage of Look 'n' Stop when you detect this high page fault count?

    Thanks,

    Frederic
     
  13. OlderMan (Registered Member)
    I have almost nothing showing in the log tab, as most logging has been turned off except a few of the major block rules. At the moment TaskManager shows

    PageFaults ------- 371,681
    VM Size ----------- 6,104k
    Memory Usage ----- 4,240k
    PeakMem Usage ---- 9,592k
     
  14. Frederic (LnS Developer)
    Hi,

    I've reproduced this behaviour by having an application connecting/disconnecting continuously every second.

    I got exactly the same kind of entries:
    RtlAllocateHeap
    RtlTimeToTimeFields
    PrivateExtractIconsW

    Each time an application connects/disconnects Look 'n' Stop adds it to the List of Active applications.
    To do that there are some memory allocations and a call to SHGetFileInfo function to get the icon of the application. These calls create these 3 page faults. I don't know why and if this is normal or not.

    Do you have also some applications connecting/disconnecting when you see these page faults ?

    Frederic
     
  15. OlderMan (Registered Member)
    Not that I am aware of, I will attempt to watch a bit closer.

    Would this slow down LnS's response time and increase its CPU usage?

    I just looked at the logs and saw entries that I do tend to get quite a few of.....

    Outbound ETH to destination Address - FF:FF:FF:FF:FF:FF types 84 and 226.. they are blocked.
     
  16. Frederic (LnS Developer)
    No, this is not linked to CPU usage which can remain very small.
    If you have only a few of them, this is not linked.

    Frederic
     
  17. OlderMan (Registered Member)
    I show over 900 of them in a 2-day period.

    I also watched the App section and noticed in the ActiveAPP column the 'pml driver' seems to briefly flash every 6-7 secs.

    It flashes so quickly it is very hard to read, but it looks like the PFs increase at that interval.

    This may be off topic, but is there a way to see or control apps that connect to the Intra-net vs. Internet? Kind of like ZoneAlarm Pro has?

    Again, thanks for the quick responses!
     
  18. Frederic (LnS Developer)
    Ok, probably 'pml driver' is connecting/disconnecting continuously and this causes the icon to be displayed/removed, and thus it creates PFs.

    What is this 'pml driver' application ?

    For a given application that has been allowed, you can control the IP and ports the application is allowed to use. If you know the IP used on the Intranet, normally you can use that to allow/block intranet/internet.
    To just see IP & Port, click two times (not too quickly) on the log attribute to get the !!. The log will then display additional information for that application.

    Frederic
     
  19. Phant0m (Registered Member)
    HP Printer Driver....
     
  20. OlderMan (Registered Member)
    So for an allowed program I would need to create 2 rules? 1 for Intranet and another for Internet? I.e. allow xyz to have complete access to the Intranet but only have Internet access when I allow it.

    Also, when I 2x click on an entry in LOG a 'packets content' window pops up, is that what you are trying to show me? The same window as when I click on 'Look'.

    And yes, the PML driver is an HP printer control. An odd thing with that is even though I have a rule to allow direct communication from my system to the printer (which has its own internal IP), once in a while it will ignore the rule and block the chatter and log it, even with the rule still enabled. Odd.

    Is there any way to stop all the page faults, short of disabling the PML driver?
     
  21. Climenole (Look 'n' Stop Expert; joined Jun 3, 2005; posts: 1,640)
    Hi OlderMan

    No.
    First the program must be allowed by the application filtering.

    For the internet filtering;

    If the program uses only the TCP protocol, it may be allowed by a general rule "authorised common internet programs"
    in TCP: incoming and outgoing packets, from your IP, local ports 1024 to 5000, remote ports all...
    This is a general rule for all programs allowed in the "application filtering"...

    If the program:
    uses TCP and UDP
    or
    uses UDP
    or
    uses local ports other than 1024 to 5000
    or
    is a server program
    then one or more specific rules must be created.
    These rules are specific: the rule must include the program for which the rule is activated.


    I don't understand what your question is... :rolleyes:
    If you click on the "packet content" button it shows you exactly what you ask for:
    it shows you the details about a packet...

    No. This printer driver or utility must be authorised into the "application filtering tab".

    I see you're looking closely at this specific feature of your system.
    Let me remark that a large amount of page faults is not necessarily abnormal or a sign of something going wrong...
    Simply said: a page fault is not a fatal error...

    A system with no page faults is impossible as far as I know.

    I guess this problem must be looked at another way: is your system working correctly?

    There is a relation to the page fault and the virtual memory management.
    Remember that the VM is equal to Physical Memory + Swap file on the disk...

    Questions:

    1- Was the physical memory (the RAM) checked and found error-free
    with MemTest+
    http://www.memtest.org/

    2- Was the hard disk checked with chkdsk?

    3- Is the VM managed by the operating system, or did you determine the size of pagefile.sys?

    Hope this helps. Let us know.

    :)
     
  22. Phant0m (Registered Member)
    After having my computer running for over a day period, page faults are currently at 117,969. This is actually relatively low given the process running state (full time); Internet Explorer v7 has not even been running for an hour and its page faults are currently at 198,912. And I dare tell you the Explorer.exe page faults, lol!

    Would be nice to know the amount of RAM you have, and your virtual memory settings…
     
  23. OlderMan (Registered Member)
    I have 1 gig of RAM, 2x512 (Corsair TwinX), and I have a static 2 gig virtual memory.

    The PML driver is in the App list and it is allowed.

    Since I have a lot (over 450) of logged entries that show my PC >>Internet with destination of FF:FF:FF:FF:FF:FF, Type=ETH-84 (ethernet0054) blocked, could this be part of the high number of page faults?
    Seeing it does not point to my printer's IP it is not connected to that concern, and I believe that address is a Broadcast IP. I'm not sure what to do other than block it like I am.

    Also, when looking at the packet info window, the 'Raw Content' button is supposed to do what? Nothing shows or changes when I click on it?

    Thanks guys for the help & info!

    Just a quick edit -- page faults are now at 2,170,336, if that is of any value.
     
  24. Frederic (LnS Developer)
    Hi OlderMan,

    No, for me, the PF are created by the continuous addition/removal of the PML application in the Connected Application list, in the Application Internet page.

    If you block the application (just to test, assuming you don't need it to connect for some time), then it should stop.
    This is what I observed with a test application I created, and I have exactly the same entries as you had, as I explained before.
    And for these PFs entries, I'm not sure I can fix something since Look 'n' Stop just calls a Windows function that creates a PF each time it is called.

    Regarding the "two clicks", this was not for the log page but for the application filtering page, when you asked me how to get the port/IP an application is using. For the log attribute, and for that application, you should have "!!" and you get that by clicking two times on the log icon for that application (and two times not too quickly, otherwise the IP/Port selection application opens). You need to enable the advanced mode (from the advanced options dialog box) to get that.

    Frederic
     
  25. OlderMan (Registered Member)
    OK, if the PML is creating all these PFs then I need to get with HP and see if I can stop that program with no loss in usability.

    Any idea on the FF:FF entries I am getting ? and what's the best way to deal with them.
     