Tuesday, December 29, 2009

Who is hogging my CPU: IE & SVCHOST acting for Akamai (Adobe Download Manager)

For a change from investigating client issues, today I decided to spend some time with my Vista system analyzing its performance..

Thought of clearing the %temp% first.. Lots of active .tmp files were present.. That means.. I couldn't delete them.. Got curious about this and decided to investigate it further.. Fired up Process Explorer and searched for .tmp files using the "Find Handle" option. To my great surprise, all those files were held open by Internet Explorer. I use IE8 on Vista..

I have lots of RSS feeds saved, so suspecting something related to that, I decided to review the feed reader configuration.. Dumb me.. It was accidentally configured to sync every 15 min.. with my 50+ feeds.. syncing every 15 min.. Now I know why sometimes my system was behaving really oddly..

But that didn't answer the .TMP file question.. I closed down all IE windows.. and the files went away.. Fired up IE windows.. those files came back.. With each tab there were around 4 to 5 new .tmp files created.. So it's not just the Temporary Internet Files folder that IE uses for caching.. it uses %temp% as well. Finding out the exact details of this behavior has been stored as a low-priority item in my to-do list..

I decided to move on.. Playing around with Process Explorer.. One application was taking so much in private bytes.. the process name was searchindexer.exe, hosted as the service "Windows Search". So it's the indexing service that is using resources for searches that I rarely do.. Not a recommendation.. I decided to turn off the service for some days to monitor. The result is very evident..

The next biggest consumer was SVCHOST.EXE, a poor generic service host that has to take the blame for all the services it hosts.. Windows decided to go ahead with this multi-host model to conserve resources..

But this time I am surprised, really really surprised.. As far as I had read till this time, SVCHOST cannot be used by third parties to host their applications..

And here is the Akamai Download Manager, which I installed to download an Adobe product (Akamai is Adobe's download manager), using SVCHOST to serve it.. On top of it, there were a large number of context switches happening..



There wasn't any download happening at that time. So for sure the application was misbehaving.. There was an uninstaller in the product folder, using which I uninstalled the product.. I should say the system is much better now..
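The check I would want after a finding like this, as an added example that is not part of the original post: map each running svchost.exe instance to the services it hosts and to the DLL each service loads, so that a non-Microsoft service riding inside svchost stands out next to the built-in ones. It assumes Windows PowerShell 2.0 or later and an elevated prompt (so every service's Parameters key is readable).

```powershell
# Added example, not part of the original post: list the services hosted in each
# svchost.exe instance together with the DLL each one loads.
# Assumes Windows PowerShell 2.0 or later; run elevated to read all ServiceDll values.
function Get-SvchostServiceMap {
    $svchostIds = Get-Process -Name svchost | ForEach-Object { [int]$_.Id }

    Get-WmiObject -Class Win32_Service |
        Where-Object { $svchostIds -contains [int]$_.ProcessId } |
        ForEach-Object {
            # svchost-hosted services record their DLL under the service's Parameters key
            $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = $null
            if (Test-Path $paramsKey) {
                $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            }
            New-Object PSObject -Property @{
                ProcessId   = $_.ProcessId
                Service     = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                ServiceDll  = $dll
            }
        } |
        Sort-Object ProcessId, Service
}

# Any ServiceDll that lives outside %SystemRoot% deserves a closer look
Get-SvchostServiceMap | Format-Table ProcessId, Service, State, ServiceDll -AutoSize -Wrap
```

The built-in `tasklist /svc` gives the same PID-to-services mapping without the DLL paths; the ServiceDll column is what tells you whose code is actually running inside a given svchost process.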

20 min of small investigation using Process Explorer.. The system is back on its feet.. but it opened up a Pandora's box full of questions to be answered...

Enabling extended logging for Windows Update Agent Service


The Windows Update Agent service (wuauserv) is responsible for keeping the system updated by scanning it for missing updates and installing them if it is configured to do so..

WSUS and the Windows Update site use this client agent to accomplish their tasks.. MBSA (Microsoft Baseline Security Analyzer), a Microsoft tool to assess your system's security compliance level, also uses the Windows Update Agent for scanning. Additionally, any custom application that uses the Windows Update APIs to scan for or install updates uses the same service..

Pretty critical, eh.. It leaves behind a log file (%systemroot%\WindowsUpdate.log) which is very difficult to decipher for fresh eyes.. Even then, sometimes the logged information proves insufficient to identify some issues.. That is when you should consider the extended logging option of the Windows Update Agent.

How to do that? Create the following values under this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Value name: Flags
Value type: REG_DWORD
Value data: 00000007

Value name: Level
Value type: REG_DWORD
Value data: 00000004

This registry key turns on extended tracing to the %systemroot%\WindowsUpdate.log file. Additionally, it turns on extended tracing to any attached debuggers.

Refer to the MS documentation (KB902093) for additional details: http://support.microsoft.com/kb/902093
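The registry change above as a script, added here as an example and not taken from the post or the KB article: it turns extended tracing on, shows the current state, and turns it off again so the log does not keep growing at the verbose level. It assumes an elevated prompt; one assumption that the KB article does not state is that the agent reads the key when the service starts, so the script restarts wuauserv after each change (a reboot would do the same).

```powershell
# Added example, not from the original post: enable/disable Windows Update Agent
# extended tracing via the Trace key. Run from an elevated prompt.
# Assumption (not stated in the post or KB902093): the agent reads the key at
# service start, so wuauserv is restarted after each change.
$TraceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace'

function Enable-WuaTrace {
    if (-not (Test-Path $TraceKey)) {
        New-Item -Path $TraceKey -Force | Out-Null
    }
    # Flags = 7 and Level = 4 are the values given in KB902093
    Set-ItemProperty -Path $TraceKey -Name Flags -Value 7 -Type DWord
    Set-ItemProperty -Path $TraceKey -Name Level -Value 4 -Type DWord
    Restart-Service -Name wuauserv
}

function Disable-WuaTrace {
    # Removing the values returns the agent to its default logging level
    if (Test-Path $TraceKey) {
        Remove-ItemProperty -Path $TraceKey -Name Flags -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $TraceKey -Name Level -ErrorAction SilentlyContinue
    }
    Restart-Service -Name wuauserv
}

function Get-WuaTraceState {
    if (Test-Path $TraceKey) {
        Get-ItemProperty -Path $TraceKey | Select-Object Flags, Level
    } else {
        'Trace key not present: extended logging is off'
    }
}

# Typical session: turn tracing on, reproduce the problem, read the tail of the
# log, then turn tracing off again.
Enable-WuaTrace
Get-WuaTraceState
# ... reproduce the scan / install problem here, then look at what was logged ...
Get-Content "$env:SystemRoot\WindowsUpdate.log" | Select-Object -Last 20
Disable-WuaTrace
```

Leave the trace values in place only for as long as the investigation needs them: the verbose log is much larger and the KB article describes the setting as a troubleshooting aid, not a permanent configuration.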

P.S.: While investigating a very peculiar MBSA scan issue (the offline scan wouldn't work if the network cable was disconnected.. then why should it be called an offline scan, right?), once the extended logging was enabled, it gave some references to the IPv6 interface not being up and stuff..

In Windows XP, the IPv6 stack can be installed or removed easily with

C:\> ipv6 install

and

C:\> ipv6 uninstall

The system that gave the issue did not have the IPv6 stack enabled. Taking clues from the log file, I enabled it and the scan started working.. Not happy yet, as I have yet to reach the root cause.

Big Surprise! Where did the /etc/inittab file go ???

This is what happens when you switch technologies..

It's like going back to your old mate without knowing what happened while you were away..

One file that my seniors / Unix gurus at HCL advised me to be very careful with, while teaching me the ABCs of SCO Unix and Linux, is /etc/inittab.. They said..

It is the system configuration database.
The system (the init process) reads its configuration from this file.
If this file is corrupt, you are GONE.

I do respect my seniors and gurus.. I always used to take a backup of those files before editing / changing them..

Time moved on.. My new role is a purely Windows-based role.. Since I knew nothing about Windows, I had to put in a lot of effort to learn something about the OS.. Result: I had to leave my long-time buddy, Linux..

Old habits die hard.. When I got some spare time, I decided to install the latest Ubuntu version and try out my memory.. type a couple of ls and clear commands.. ;-).. Seeing the black screen I got nostalgic and missed "vi" badly.. And how could I forget the /etc/inittab file.. Alas!! The file was not present.. I was pretty sure.. I am out now.. "I knew a bit of Linux".. no longer true..

UPSTART, he has taken my init away..

"Upstart is an event-based replacement for the /sbin/init daemon which handles starting of tasks and services during boot, stopping them during shutdown and supervising them while the system is running. "

Feature Highlights

  • Tasks and Services are started and stopped by events

  • Events are generated as tasks and services are started and stopped

  • Events may be received from any other process on the system

  • Services may be respawned if they die unexpectedly

  • Supervision and respawning of daemons which separate from their parent process

  • Communication with the init daemon over D-Bus

Known Users

  • Ubuntu 6.10 and later

  • Fedora 9 and later

  • Debian (as an option)

  • Nokia's Maemo platform

  • Palm's WebOS

  • Google's Chrome OS


http://upstart.ubuntu.com/

At least now, when friends still call me up to find out if there is any Linux residue left in me, I will ask which distribution they are using before asking them to edit /etc/inittab..

Monday, December 28, 2009

Windows Task Manager "Mem Usage" and VM Size column

A quick post :-)

You know how to bring up the Task Manager.. (refer to http://sreekarun.livejournal.com/7267.html)

As mentioned in that blog post, Mem Usage gives you only the amount of physical memory the process is currently using, i.e. its working set.

VM Size gives you the private bytes: the amount of virtual memory, or address space, committed to the process.
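The same two figures pulled for every process from the command line, added here as an example that is not part of the original post: the .NET Process properties WorkingSet64 and PrivateMemorySize64 are the counters behind the Mem Usage and VM Size columns, and listing them side by side makes the difference between resident and committed memory visible. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not part of the original post: show Task Manager's "Mem Usage"
# and "VM Size" figures for every process, from the .NET Process properties that
# back those columns. Assumes Windows PowerShell 2.0 or later.
function Get-ProcessMemoryColumns {
    # "Mem Usage": the working set, i.e. physical memory currently resident for the process
    $memUsage = @{ Name = 'MemUsageKB'; Expression = { [int64]($_.WorkingSet64 / 1KB) } }
    # "VM Size": private bytes, i.e. virtual address space committed to the process
    $vmSize   = @{ Name = 'VMSizeKB';   Expression = { [int64]($_.PrivateMemorySize64 / 1KB) } }

    Get-Process |
        Select-Object Name, Id, $memUsage, $vmSize |
        Sort-Object VMSizeKB -Descending
}

# Top consumers by committed private memory. A process whose VMSizeKB keeps
# climbing over time while MemUsageKB stays flat is committing memory it is not
# actively touching, a pattern worth watching as a possible leak.
Get-ProcessMemoryColumns | Select-Object -First 15 | Format-Table -AutoSize
```

Sorting by VMSizeKB rather than MemUsageKB is deliberate: the working set shrinks whenever the memory manager trims a process, so a resident-memory figure can look healthy while the committed figure keeps growing. Vista's Task Manager labels these columns differently (Working Set and Commit Size), but the underlying counters are the same.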

Friday, December 18, 2009

Let's learn WinDbg: the !cpuid extension

It's an effort to learn and document WinDbg extensions..

So here is the first one: !cpuid

lkd> !cpuid

CP  F/M/S  Manufacturer     MHz  
0  6,23,6  GenuineIntel    2394  
1  6,23,6  GenuineIntel    2393

The lkd> prompt means the current debug session is a local kernel debugging session (the F/M/S column is the processor family, model and stepping). How do we do that? Open WinDbg, select File -> Kernel Debug and choose Local.

Well, I have seen that this doesn't work with Vista normally. And as you can see, the other options are remote kernel debugging, which includes COM, 1394, USB 2.0 and ET (yes, you can do it over TCP/IP as well).