How do I delete dllhost.exe and svchost.exe??

lianshe 2003-11-19 01:26:08
How do I delete dllhost.exe and svchost.exe??

6 replies
trendcom 2003-11-19
Then apply the patch.
icuc88 2003-11-19
No need to delete them; they are system files.

If they are under %Systemroot%\system32\wins,

boot into Safe Mode

cd %Systemroot%\system32\wins
attrib -r -h -s *.*
del *.*
治保有方 2003-11-19
You are infected with the worm or one of its variants. Go to the Kingsoft website, download the "Blaster" (冲击波) removal tool, disinfect, and then apply the RPC system patch.
To remove it by hand, use the following steps:
Removing the virus from a DOS environment:
1. Once the symptoms above appear, boot from a DOS startup disk into DOS and change to the operating system directory on drive C. Command set:
C:
CD C:\windows (or CD c:\winnt)

2. Search the directory for the virus file "msblast.exe". Command set:
dir msblast.exe /s/p

3. Once found, change into the subdirectory that contains the virus and delete the virus file directly:
Del msblast.exe
Deleting the virus by hand may leave the system unstable; we advise against it.

linttt 2003-11-19
Is the OP infected with welchina.worm? Even with Norton in Safe Mode I could not delete those two files.
Boot the system from a clean DOS disk and delete them under DOS.
If the file system is NTFS, you have to pull the hard disk and mount it in another 2k or XP machine to clean it.
zy8197 2003-11-19
First set the date to some day in 2005, then go into Safe Mode and delete the two files under c:\winnt\system32\wins, then run a scan with an up-to-date antivirus and
reayi 2003-11-19
The dllhost.exe and svchost.exe under c:\WINNT\system32\wins can be deleted by changing their read-only attribute.

smss.exe (Session Manager): This process cannot be killed from Task Manager. It is the session manager subsystem, responsible for starting user sessions. It is started by the system process and responds to many activities, including the already running Winlogon and Win32 (Csrss.exe) threads and the configured system variables. After starting these processes it waits for Winlogon or Csrss to end. If they exit normally, the system shuts down. If something unexpected happens, smss.exe makes the system stop responding (hang).
spoolsv.exe: Cannot be killed from Task Manager. The spooler service manages print and fax jobs in the spool queue.
service.exe: Cannot be killed from Task Manager. Most kernel-mode system processes run as system processes. Contains many system services.
csrss.exe: Subsystem server process.
winlogon.exe: Manages user logon and logoff. Winlogon is also activated when the user presses CTRL+ALT+DEL, displaying the security dialog.
winmgmt.exe: Core component of Win2000 client management. This process is initialised when a client application connects or when a management program needs its services.
lsass.exe: Cannot be killed from Task Manager. This is the local security authority service, and it creates a process for users authenticated through the Winlogon service. This is done via authentication packages, for example the default msgina.dll. If authentication succeeds, lsass generates the user's access token, which is used to start the initial shell. Other processes started by the user inherit this token.
svchost.exe: Contains many system services. !!!->eventsystem (SPOOLSV.EXE loads files into memory for later printing, etc.) (Note: Svchost.exe is a generic host process name for services that run from dynamic-link libraries. Svchost.exe is located in the system's %systemroot%\system32 folder. At startup, Svchost.exe checks the registry location to build the list of services it needs to load. This results in multiple instances of Svchost.exe running at the same time. Each Svchost.exe session contains a group of services, so that an individual service depends on how and where Svchost.exe is started. This makes it easier to control and to find errors. Svchost.exe groups are identified by the following registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost. Each value under this key represents a separate Svchost group, and it shows as a separate instance when you view active processes. Each value is of type REG_MULTI_SZ and contains the services that run inside that Svchost group. Each Svchost group contains one or more service names taken from the registry, and the service's Parameters value contains a ServiceDLL value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service)
explorer.exe: Explorer (internat.exe is the input-method icon in the tray); the taskbar, desktop and so on. This process is not as critical to Windows as you might imagine; you can stop it from Task Manager or restart it, usually without any negative effect on the system.
taskmgr.exe: This process is Task Manager.
System Idle Process: Cannot be killed from Task Manager. It runs as a single thread on each processor and dispatches processor time when the system is not handling other threads.
mstask.exe: Cannot be killed from Task Manager. This is the task scheduler service, responsible for running tasks the user has scheduled for a given time.
internat.exe: Can be killed from Task Manager. internat.exe starts at boot. It loads the input locales specified by the user, reading them from the registry location HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. internat.exe puts the "EN" icon in the system tray so users can switch input locales easily. When the process is stopped the icon disappears, but the input locale can still be changed through Control Panel.

Additional system processes (these are not required; you can add or remove them through the Services manager as needed):
regsvc.exe: Allows remote registry operations. (system service) ->remoteregister
winmgmt.exe: Provides system management information (system service): netinfo.exe->msftpsvc, w3svc, iisadmn
tlntsvr.exe->tlnrsvr
tftpd.exe: Implements the TFTP Internet standard. This standard does not require a user name or password. Part of Remote Installation Services. (system service)
termsrv.exe->termservice
dns.exe: Answers queries and update requests for Domain Name System (DNS) names. (system service)
The following are all system services and are rarely used; if you don't need them for now you should turn them off (harmful to security):
tcpsvcs.exe: Provides the ability to remotely install Windows 2000 Professional on PXE remote-boot-capable client computers. (system service) ->simptcp: supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. (system service)
ismserv.exe: Allows sending and receiving messages between Windows Advanced Server sites. (system service)
ups.exe: Manages an uninterruptible power supply (UPS) connected to the computer. (system service)
wins.exe: Provides NetBIOS name service for TCP/IP clients that register and resolve NetBIOS-type names. (system service)
llssrv.exe: License Logging Service (system service)
ntfrs.exe: Maintains file synchronisation of directory contents between multiple servers. (system service)
RsSub.exe: Controls the media used for remote storage of data. (system service)
locator.exe: Manages the RPC name service database. ->rpclocator (distinguish from RpcSs)
lserver.exe: Registers client licences. (system service)
dfssvc.exe: Manages logical volumes distributed across a LAN or WAN. (system service)
clipsrv.exe: Supports "ClipBook Viewer" so that clip pages can be viewed from remote ClipBooks. (system service)
msdtc.exe: Coordinates transactions that are distributed across two or more databases, message queues, file systems or other transaction-protected resource managers. (system service)
faxsvc.exe: Helps you send and receive faxes. (system service)
cisvc.exe: Indexing Service (system service)!!!
dmadmin.exe: System management service for disk management requests. (system service)
mnmsrvc.exe: Allows authorised users to access the Windows desktop remotely using NetMeeting. (system service)
netdde.exe: Provides network transport and security features for Dynamic Data Exchange (DDE). (system service)
smlogsvc.exe: Configures performance logs and alerts. (system service)
rsvp.exe: Provides network signalling and local traffic-control setup functions for programs that depend on Quality of Service (QoS) and for control applications. (system service)
RsEng.exe: Coordinates the services and administrative tools used to store infrequently used data. (system service)
RsFsa.exe: Manages operations on remotely stored files. (system service)
grovel.exe: Scans Single Instance Storage (SIS) volumes for duplicate files and points the duplicates to a single data store to save disk space. (system service)
SCardSvr.exe: Manages and controls access to smart cards inserted in the computer's smart-card readers. (system service)
snmp.exe: Contains agents that monitor network device activity and report to the network console workstation. (system service)
snmptrap.exe: Receives trap messages generated by local or remote SNMP agents and forwards them to SNMP management programs running on this computer. (system service)
UtilMan.exe: Starts and configures accessibility tools from a single window. (system service)
msiexec.exe: Installs, repairs and removes software according to the instructions contained in .MSI files. (system service)
dllhost.exe: On Win2000, COM components generally need dllhost to load them into memory, so dllhost.exe is responsible for loading ASP 3.0 components. After IIS starts there is a dllhost of roughly 20 MB. If your web application does not release memory (closing database connections, releasing objects), this dllhost grows and grows. There is another dllhost for the web client, roughly 5 MB. In multi-tier terms, one is the dllhost stub and the other the dllhost skeleton; remote COM access needs both.
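The replies above agree on the one check that decides whether these two files are a problem: where they live. svchost.exe and dllhost.exe belong in %SystemRoot%\system32; copies in system32\wins are the worm's, and msblast.exe is never legitimate anywhere. The following script is an added example, not code from any of the posters: it runs that check over a constructed list of image paths and emits the per-file attrib/del lines the second reply uses, one file at a time rather than del *.*. The helper names, the set of system binaries checked and the sample paths are my assumptions.

```python
"""
Audit Windows process image paths for worm-style masquerading.

Added example; not from the thread. The helper names, the SYSTEM_BINARIES
set and SAMPLE_PATHS below are assumptions / constructed data.
"""
import ntpath
import re

# Legitimate home of the core system binaries on Windows 2000/XP.
SYSTEM32 = r"%SystemRoot%\system32"

# Names Windows ships in system32; a copy anywhere else is suspicious.
# (The thread's case: the worm drops svchost.exe and dllhost.exe into system32\wins.)
SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "winlogon.exe", "smss.exe", "spoolsv.exe"}

# Names that are never legitimate (Blaster's payload named in the third reply).
KNOWN_WORM_FILES = {"msblast.exe"}


def normalize(path: str, systemroot: str = r"C:\WINNT") -> str:
    """Expand %SystemRoot% (any case), collapse separators and lower-case for stable comparison."""
    expanded = re.sub(r"%systemroot%", systemroot.replace("\\", "\\\\"), path, flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()


def classify(path: str, systemroot: str = r"C:\WINNT") -> str:
    """Return 'worm', 'masquerade' or 'ok' for a single image path."""
    directory, name = ntpath.split(normalize(path, systemroot))
    if name in KNOWN_WORM_FILES:
        return "worm"
    if name in SYSTEM_BINARIES and directory != normalize(SYSTEM32, systemroot):
        return "masquerade"
    return "ok"


def audit(paths, systemroot: str = r"C:\WINNT"):
    """Return the suspicious entries only, as (verdict, original_path) pairs."""
    return [(classify(p, systemroot), p) for p in paths
            if classify(p, systemroot) != "ok"]


def cleanup_commands(findings):
    """Batch lines mirroring the safe-mode remedy from the thread, targeted per file."""
    lines = []
    for _, path in findings:
        lines.append(f'attrib -r -h -s "{path}"')
        lines.append(f'del "{path}"')
    return lines


# Constructed sample, imitating a process listing on an infected Windows 2000 box.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\svchost.exe",        # genuine service host
    r"C:\WINNT\system32\wins\SVCHOST.EXE",   # worm copy (case differs, still caught)
    r"C:\WINNT\system32\wins\dllhost.exe",   # worm copy
    r"%SystemRoot%\system32\dllhost.exe",    # genuine COM surrogate, variable form
    r"C:\WINNT\System32\msblast.exe",        # Blaster
    r"C:\WINNT\explorer.exe",                # explorer lives in %SystemRoot%; fine
]

if __name__ == "__main__":
    findings = audit(SAMPLE_PATHS)
    for verdict, path in findings:
        print(f"{verdict:<11}{path}")
    print("\n".join(cleanup_commands(findings)))
```

The directory comparison is the whole point: a name match alone would flag every genuine svchost.exe, and a directory match alone would miss msblast.exe sitting in the real system32. Running the same logic against a live listing (Task Manager does not show paths on Windows 2000; tasklist /m or a process viewer does) is the manual version of what the replies describe.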
新闻网页贴吧知道MP3图片视频百科文库 帮助设置 首页 自然 文化 地理 历史 生活 社会 艺术 人物 经济 科学 体育 欧冠 核心用户 进程管理 百科名片 引是正在运行的程序实体,并且包括这个运行的程序中占据的所有系统资源,比如说CPU(寄存器),IO,内存,网络资源等。很多人在回答进程的概念的时候,往往只会说它是一个运行的实体,而会忽略掉进程所占据的资源。比如说,同样一个程序,同一时刻被两次运行了,那么他们就是两个独立的进程。linux下查看系统进程的命令是ps。 目录 进程的分类1.基本系统进程 2.常见系统进程解释 (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) (28) 进程管理进程的分类 1.基本系统进程 2.常见系统进程解释 (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) (28) 进程管理 展开 编辑本段进程的分类 1.基本系统进程   Csrss.exe:这是子系统服务器进程,负责控制Windows创建或删除线程以及16位的虚拟DOS环境。   System Idle Process:这个进程是作为单线程运行在每个处理器上,并在系统不处理其它线程的时候分派处理器的时间。   Smss.exe:这是一个会话管理子系统,负责启动用户会话。   Services.exe:系统服务的管理工具。   Lsass.exe:本地的安全授权服务。   Explorer.exe:资源管理器。   Spoolsv.exe:管理缓冲区中的打印和传真作业。   Svchost.exe:这个进程要着重说明一下,有不少朋友都有这种错觉:若是在“任务管理器”中看到多个Svchost.exe在运行,就觉得是有病毒了。其实并不一定,系统启动的时候,Svchost.exe将检查注册表中的位置来创建需要加载的服务列表,如果多个Svchost.exe同时运行,则表明当前有多组服务处于活动状态;多个DLL文件正在调用它。 2.常见系统进程解释 (1)   system process   进程文件: system process   进程名称: Windows内存处理系统进程   描述: Windows页面内存管理进程,拥有0级优先。   是否为系统进程: 是 (2)   alg.exe   进程文件: alg or alg.exe   进程名称: 应用层网关服务   描述: 这是一个应用层网关服务用于网络共享。   是否为系统进程: 是 (3)   csrss.exe   进程文件: csrss or csrss.exe   进程名称: Client/Server Runtime Server Subsystem   描述: 客户端服务子系统,用以控制Windows图形相关子系统。   是否为系统进程: 是 (4)   ddhelp.exe   进程文件: ddhelp or ddhelp.exe   进程名称: DirectDraw Helper   描述: DirectDraw Helper是DirectX这个用于图形服务的一个组成部分。   是否为系统进程: 是 (5)   dllhost.exe   进程文件: dllhost or dllhost.exe   进程名称: DCOM DLL Host进程   描述: DCOM DLL Host进程支持基于COM对象支持DLL以运行Windows程序。   是否为系统进程: 是 (6)   inetinfo.exe   进程文件: inetinfo or inetinfo.exe   进程名称: IIS Admin Service Helper   描述: InetInfo是Microsoft Internet Infomation Services (IIS)的一部分,用于Debug调试除错。   是否为系统进程: 是 (7)   internat.exe   进程文件: internat or internat.exe   进程名称: Input Locales   描述: 这个输入控制图标用于更改类似国家设置、键盘类型和日期格式。   是否为系统进程: 是 (8)   kernel32.dll   进程文件: kernel32 or kernel32.dll   进程名称: 
Windows壳进程   描述: Windows壳进程用于管理多线程、内存和资源。   是否为系统进程: 是 (9)   lsass.exe   进程文件: lsass or lsass.exe   进程名称: 本地安全权限服务   描述: 这个本地安全权限服务控制Windows安全机制。   是否为系统进程: 是 (10)   mdm.exe   进程文件: mdm or mdm.exe   进程名称: Machine Debug Manager   描述: Debug除错管理用于调试应用程序和Microsoft Office中的Microsoft Script Editor脚本编辑器。   是否为系统进程: 是 (11)   mmtask.tsk   进程文件: mmtask or mmtask.tsk   进程名称: 多媒体支持进程   描述: 这个Windows多媒体后台程序控制多媒体服务,例如MIDI。   是否为系统进程: 是 (12)   mprexe.exe   进程文件: mprexe or mprexe.exe   进程名称: Windows路由进程   描述: Windows路由进程包括向适当的网络部分发出网络请求。   是否为系统进程: 是 (13)   msgsrv32.exe   进程文件: msgsrv32 or msgsrv32.exe   进程名称: Windows信使服务   描述: Windows信使服务调用Windows驱动和程序管理在启动。   是否为系统进程: 是 (14)   mstask.exe   进程文件: mstask or mstask.exe   进程名称: Windows计划任务   描述: Windows计划任务用于设定继承在什么时间或者什么日期备份或者运行。   是否为系统进程: 是 (15)   regsvc.exe   进程文件: regsvc or regsvc.exe   进程名称: 远程注册表服务   描述: 远程注册表服务用于访问在远程计算机的注册表。   是否为系统进程: 是 (16)   rpcss.exe   进程文件: rpcss or rpcss.exe   进程名称: RPC Portmapper   描述: Windows 的RPC端口映射进程处理RPC调用(远程模块调用)然后把它们映射给指定的服务提供者。   是否为系统进程: 是 (17)   services.exe   进程文件: services or services.exe   进程名称: Windows Service Controller   描述: 管理Windows服务。   是否为系统进程: 是 (18)   smss.exe   进程文件: smss or smss.exe   进程名称: Session Manager Subsystem   描述: 该进程为会话管理子系统用以初始化系统变量,MS-DOS驱动名称类似LPT1以及COM,调用Win32壳子系统和运行在Windows登陆过程。   是否为系统进程: 是 (19)   snmp.exe   进程文件: snmp or snmp.exe   进程名称: Microsoft SNMP Agent   描述: Windows简单的网络协议代理(SNMP)用于监听和发送请求到适当的网络部分。   是否为系统进程: 是 (20)   spool32.exe   进程文件: spool32 or spool32.exe   进程名称: Printer Spooler   描述: Windows打印任务控制程序,用以打印机就绪。   是否为系统进程: 是 (21)   spoolsv.exe   进程文件: spoolsv or spoolsv.exe   进程名称: Printer Spooler Service   描述: Windows打印任务控制程序,用以打印机就绪。   是否为系统进程: 是 (22)   stisvc.exe   进程文件: stisvc or stisvc.exe   进程名称: Still Image Service   描述: Still Image Service用于控制扫描仪和数码相机连接在Windows。   是否为系统进程: 是 (23)   svchost.exe   进程文件: svchost or svchost.exe   进程名称: Service Host Process   描述: Service Host Process是一个标准的动态连接库主机处理服务。   是否为系统进程: 是 (24)   system   进程文件: system or 
system   进程名称: Windows System Process   描述: Microsoft Windows系统进程。   是否为系统进程: 是 (25)   taskmon.exe   进程文件: taskmon or taskmon.exe   进程名称: Windows Task Optimizer   描述: windows任务优化器监视你使用某个程序的频率,并且通过加载那些经常使用的程序来整理优化硬盘。   是否为系统进程: 是 (26)   tcpsvcs.exe   进程文件: tcpsvcs or tcpsvcs.exe   进程名称: TCP/IP Services   描述: TCP/IP Services Application支持透过TCP/IP连接局域网和Internet。   是否为系统进程: 是 (27)   winlogon.exe   进程文件: winlogon or winlogon.exe   进程名称: Windows Logon Process   描述: Windows NT用户登陆程序。   是否为系统进程: 是 (28)   winmgmt.exe   进程文件: winmgmt or winmgmt.exe   进程名称: Windows Management Service   描述: Windows Management Service透过Windows Management Instrumentation data (WMI)技术处理来自应用客户端的请求。   是否为系统进程: 是 编辑本段进程管理   操作系统的职能之一,主要是对处理机进行管理 。为了提高CPU的利用率而采用多道程序技术。通过进程管理来协调多道程序之间的关系,使CPU得到充分的利用。
追风少年-系统优化方案(XP_2003) 在运行中输入(services.msc)回车,会看到本地服务的框线,tab一次就是列表:   01.显示名称:alerter   ◎进程名称:svchost.exe -k LocalService   ◎微软描述:通知所选用户和计算机有关系统管理级警报。如果服务停止,使用管理警报的程序将不会收到它们。如果此服务被禁用,任何直接依赖它的服务都将不能启动。   ◎补充描述:警报器。该服务进程名为Services.exe,一般家用计算机根本不需要传送或接收计算机系统管理来的警示(Administrativealerts),除非你的计算机用在局域网络上。   ◎默认:禁用 建议:禁用   02.显示名称:Application Layer Gateway Service   ◎进程名称:alg.exe -k Local Service   ◎微软描述:为 Internet 连接共享和 Windows 防火墙提供第三方协议插件的支持。   ◎补充描述:XP SP2自带的防火墙,如果不用可以关掉。   ◎默认:手动(已启动) 建议:禁用   03.显示名称:Application Management   ◎进程名称:svchost.exe -k netsvcs   ◎微软描述:提供软件安装服务,诸如分派,发行以及删除。   ◎ 补充描述:应用程序管理。从Windows2000开始引入的一种基于msi文件格式的全新有效软件管理方案:程序管理组件服务。该服务不仅可以管理软件的安装、删除,还可以使用此服务修改、修复现有应用程序,监视文件复原并通过复原排除基本故障等,软件安装变更的服务。   ◎默认:手动 建议:手动   04.显示名称:Automatic Updates   ◎进程名称:svchost.exe -k netsvcs   ◎微软描述:允许下载并安装 Windows 更新。如果此服务被禁用,计算机将不能使用 Windows Update 网站的自动更新功能。   ◎补充描述:自动更新,手动就行,需要的时候打开,没必要随时开着。 不过2005年4月12日以后微软将对没有安装SP2的WindowsXP操作系统强制安装系统补丁SP2。   ◎默认:自动 建议:手动   05.显示名称:Background Intelligent Transfer Service   ◎进程名称:svchost.exe -k netsvcs   ◎微软描述:在后台传输客户端和服务器之间的数据。如果禁用了 BITS,一些功能,如 Windows Update,就无法正常运行。   ◎补充描述:经由HTTP1.1在背景传输资料的东西,例如 Windows Update 就是以此为工作之一。这个服务原是用来实现http1.1服务器之间的信息传输,微软称支持windows更新时断点续传。   ◎默认:手动 建议:手动   06.显示名称:ClipBook   ◎进程名称:clipsrv.exe   ◎微软描述:启用“剪贴簿查看器”储存信息并与远程计算机共享。如果此服务终止,“剪贴簿查看器” 将无法与远程计算机共享信息。如果此服务被禁用,任何依赖它的服务将无法启动。   ◎补充描述:剪贴簿。把剪贴簿内的信息和其它台计算机分享,一般家用计算机根本用不到。   ◎默认:禁用 建议:禁用   07.显示名称:COM+ Event System   ◎进程名称:svchost.exe -k netsvcs   ◎微软描述:支持系统事件通知服务(SENS),此服务为订阅组件对象模型(COM) 组件事件提供自动分布功能。如果停止此服务,SENS 将关闭,而且不能提供登录和注销通知。如果禁用此服务,显式依赖此服务的其他服务将无法启动。   ◎补充描述:COM+ 事件系统。有些程序可能用到 COM+ 组件,如自己的系统优化工具BootVis。检查系统盘的目录“C:\Program Files\ComPlus Applications”,没东西可以把这个服务关闭。   ◎默认:手动(已启动) 建议:手动   08.显示名称:COM+ System Application   ◎进程名称:dllhost.exe /Processid:   ◎微软描述:管理 基于COM+ 组件的配置和跟踪。如果服务停止,大多数基于COM+ 组件将不能正常工作。如果本服务被禁用,任何明确依赖它的服务都将不能启动。   ◎ 补充描述:如果 COM+ Event System 是一台车,那么 COM+ SystemApplication 就是司机,如事件检视器内显示的 DCOM 没有启用,则会导致一些 
COM+软件无法正常运行。检查系统盘的目录“C:\Program Files\ComPlus Applications”,没东西可以把这个服务关闭。   ◎默认:手动 建议:手动   09.显示名称:Computer Browser
McAfee(R) VirusScan(R) Enterprise 8.0i 版 发行说明 Copyright (C) 2004 Networks Associates Technology, Inc. 保留所有权利 ==================================================================== - DAT 版本: 4382 - 引擎版本: 4.3.20 ==================================================================== 感谢您使用 VirusScan Enterprise 软件。 本文件包含有关这一版本的重 要信息。我们强烈建议您阅读整篇文档。 重要信息: McAfee 不支持软件预发布版本的自动升级功能。要升级为正式产品,必 须首先卸载现有版本的软件。 _____________________________________________________________________ 本文件包含的内容 - 新功能 - 更改的功能 - 安装和系统要求 - 测试安装 - 已解决的问题 - 已知问题 - 安装、升级和卸载 - 与其他产品的兼容性 - Alert Manager (TM) - Common Management Agent - ePolicy Orchestrator(R) - GroupShield(TM) - ProtectionPilot(TM) - 第三方软件 - 访问保护 - 增添文件类型扩展名 - AutoUpdate - 缓冲区溢出保护 - 日志文件格式 - Lotus Notes - 镜像任务 - 扫描 - 有害程序策略 - 文档 - 参与 McAfee 测试程序的测试 - 联系信息 - 版权和商标归属 - 许可和专利信息 __________________________________________________________________ 新功能 本版本 VirusScan Enterprise 提供以下几种新功能,这些功能可以有助于 防止入侵,并更有效地检测入侵: - 产品版本号 新版本为 8.0i。 产品版本号已经从 7.1 更改为 8.0,这一更改反映了自上次发布以来产 品内部功能的重大更改。 有关详细信息,请参阅以下"新功能"和"更改 的功能"部分。 产品版本号增加"i"表示 McAfee VirusScan Enterprise 是全球第 一款提供主动式入侵防护系统 (IPS) 保护能力的防病毒产品。这些 IPS 功能是由 McAfee Entercept 的"缓冲区溢出保护"功能提供的, McAfee Entercept 是我们的主机入侵防护安全产品。 - 访问保护。 通过此功能您可以限制对端口、文件、共享资源和文件夹的访问,从而防止 入侵。 通过创建规则指定要阻挡的端口以及是否限制对入站或出站进程的访问,可 以阻挡端口。如果您希望允许一个特定进程或一组进程访问准备阻挡的端口, 也可以从规则中排除这些进程。 阻挡端口时,即同时阻挡 TCP 和 UDP 访问。 您可以通过将共享资源设置为只读或阻止对所有共享资源的读取和写入,限 制对共享资源的访问。 您可以通过创建规则阻挡文件和文件夹,规则指定禁止对您定义的文件或文 件夹进行访问的进程、禁止的文件操作以及在某人尝试访问阻挡的项目时应 采取的操作。 这些"访问保护"功能在防范入侵时非常有效。在病毒发作时,管理员可以 阻止对感染病毒区域的访问,直到发布新的 DAT。 注: 如果您阻挡 ePolicy Orchestrator 代理或 Entercept 代理 使用的端口,则代理的进程受到过滤器信任,可以与被阻挡的端口进 行通讯。但是,与这些代理进程无关的通讯将被阻挡。 本版 VirusScan Enterprise 提供了一些端口阻挡规则样本、文件和 文件夹阻挡规则样本。 默认安装本产品时,这些规则中有些会处于警告模 式,而有些则处于阻挡模式。 警告: 虽然采用这些规则的目的是防范各种常见的威胁,但是,也会阻挡合 法的活动。在部署 VirusScan Enterprise 之前,我们建议您查 看一下这些规则,确保它们适合于您的网络环境。 需要考虑的事项: - 白名单。每条端口阻挡规则均包括一些排除在阻挡范围之外的应用程 序。这些列表一般包含多数最常见的电子邮件客户端和 web 浏览器。 请务必查看每个列表,确保其中包含允许发送电子邮件和下载文件 的所有程序。将这些程序列入白名单,确保这些程序不被阻挡。 - 对网络上发生的文件系统活动的阻挡。 某些规则(例如,"禁止远程 
创建/修改/删除文件(.exe)")对于阻止自身从一个共享资源复制 到另一个共享资源的病毒非常有效。但是,它们也可能会阻挡那些依 靠将文件推入工作站进行工作的管理系统。例如,在 ePolicy Orchestrator 服务器部署代理时,就是将代理安装程序推送到工 作站的管理共享资源上并运行该程序。在部署之前,请确保为每个规 则选择正确的模式(关闭、警告或阻挡)。 McAfee Installation Designer 可以用于配置 VirusScan 部 署软件包。 警告: 默认规则无法为您的网络环境提供全面的保护。 您所需的限制取决于 您的环境。我们提供的规则的目在于通过示例说明该功能的作用以及 如何利用规则防止某些特定的威胁。 发现新的威胁时,病毒信息库将向您提供建议,告诉您如何利用访问 保护规则阻挡这些新威胁。请访问以下位置的病毒信息库: http://vil.mcafee.com - 源 IP (按访问扫描)。 按访问扫描程序检测到写入共享文件的病毒时,它会在按访问扫描统计信息 对话框和按访问扫描信息对话框中显示检测到的病毒的源 IP 地址。 - 阻挡(按访问扫描)。 使用此功能可以阻挡在共享文件夹中放置了含有已感染病毒文件的远程计 算机的进一步访问。您可以指定阻挡这些连接的时间长短。如果您希望在指 定的时间限制之前取消阻挡所有的连接,您可以在按访问扫描统计对话框中 进行此操作。 - 缓冲区溢出保护。 "缓冲区溢出保护"可以阻止利用缓冲区溢出在计算机上执行代码。此功能 会检测到从堆栈中的数据开始运行的代码,并阻止该代码运行。但是,此功 能不阻止数据写入堆栈。即使"缓冲区溢出保护"功能会阻止受到利用的代 码运行,也不要指望受到利用的应用程序仍然会保持稳定。 VirusScan Enterprise 为大约 30 种最常用且最容易受利用的软件应用程 序及微软 Windows 服务提供缓冲区溢出保护。这些受保护的应用程序在一 个单独的缓冲区溢出保护特征码文件中定义。此 DAT 文件在常规更新期间 随病毒特征码文件一起下载。到本产品发布之日为止,缓冲区溢出保护码文 件中包括以下应用程序: - dllhost.exe - EventParser.exe - excel.exe - explorer.exe - frameworkservice.exe - ftp.exe - iexplore.exe - inetinfo.exe - lsass.exe - mapisp32.exe - mplayer2.exe - msaccess.exe - msimn.exe - mstask.exe - msmsgs.exe - NaimServ.exe - Naprdmgr.exe - Outlook.exe - powerpnt.exe - rpcss.exe - services.exe - sqlservr.exe - SrvMon.exe - svchost.exe - visio32.exe - VSEBOTest.exe - w3wp.exe - winword.exe - wmplayer.exe - wuauclt.exe 缓冲区溢出保护定义文件更新时,此列表也会进行相应的更改。 - 有害程序策略。 使用此功能可以检测到有害程序(例如, Jspyware、adware、dialers、 jokes 等),并对其执行相应的操作。 您可以从当前 -.DAT 文件的预定义列表中选择程序所有类别或这些类别 中的特定程序。也可以添加自己的程序进行检测。 配置分两步进行: - 首先,在"有害程序策略"中配置要检测的程序。默认情况下,此策 略在每个扫描程序属性页中是启用的。 - 其次,逐一配置每个扫描程序(按访问扫描程序、按需扫描程序和电 子邮件扫描程序),并指定在检测到有害程序时扫描程序要执行的操 作。在此处指定的操作与其他扫描设置无关。 对有害程序的实际检测和随后的清除均由 -.DAT 文件决定,正如对病毒 的处理一样。如果检测到有害程序且主要操作设置为"清除",则 -.DAT 文 件会尝试使用 -.DAT 文件中的信息对程序进行清除操作。如果无法清除 检测到的程序,或者不在 -.DAT 文件中(例如用户定义的程序),则清 除操作会失败,并转而执行辅助操作。如果您选择"删除"操作,则仅删除 定义为有害的程序,而遭到修改的注册表键可能会保持不变。 - 脚本扫描(按访问扫描)。 使用此功能可以在执行 JavaScript 和 VBScript 脚本之前对其进行 扫描。脚本扫描程序能够象真正的 Windows 脚本主机组件的代理组件一 样运行。它可以阻止脚本(例如 Internet Explorer 网页脚本)的执 
行并对其进行扫描。如果脚本不含有病毒,则将其传送给真正的主机。如果 脚本已感染病毒,则不执行脚本。 - Lotus Notes(电子邮件扫描)。 除基于 MAPI 的电子邮件(例如,Microsoft Outlook)之外,电子邮 件传递扫描程序和按需电子邮件扫描程序现在均扫描 Lotus Notes 邮件 和数据库。 您可以配置一系列属性,应用于所安装的任何电子邮件客户端。 客户端扫描程序具有不同的特点,在《产品指南》的"电子邮件扫描"部分 有此方面的介绍。例如,Microsoft Outlook 邮件在传递时扫描,而 Lotus Notes 邮件则在访问时扫描。 - 选择性更新 (AutoUpdate)。 在 VirusScan 控制台中使用 AutoUpdate 任务有选择地仅更新 DAT 文 件、扫描引擎、产品升级、HotFix、补丁程序或 Service Pack 等。 如果您通过 ePolicy Orchestrator 管理 VirusScan Enterprise, 则只有 ePolicy Orchestrator 3.5 或更高版本才提供此选择性更新 功能。早期版本的 ePolicy Orchestrator 不支持此功能。 - Alert Manager 本地警报。 无需本地安装 Alert Manager 服务器,即可生成 SNMP 陷阱和本地事 件日志条目。 - 修复安装。 通过 VirusScan 控制台"帮助"菜单中的新菜单项,您可以修复安装。 您可以选择将产品恢复为原始安装设置,或重新安装程序文件。 用户必须具有管理权限才能执行这些功能。 管理员可以对此功能进行保护, 即在"用户界面选项"的"密码选项"对话框中为其设置密码。 警告: 将产品恢复为原始安装设置时,自定义的设置会丢失。 重新安装程序文件时,将覆盖 HotFix、补丁程序和 Service Pack。 - 错误报告服务。 错误报告服务启用后,可以提供对 Network Associates 应用程序的持 续后台监控功能,并在检测到问题时提示用户。检测到错误时,用户可以选 择提交数据进行分析或忽略该错误。在 VirusScan 控制台的"工具"中 启用"错误报告服务"。 ______________________________________________________________________ 更改的功能 自上次发布 VirusScan Enterprise 以来,以下功能已发生更改: - 每天更新 (AutoUpdate)。 默认 AutoUpdate 任务时间安排已经从每周更改为每天。当然,管理员 可以修改该时间安排。 - 默认下载站点 (AutoUpdate)。 执行 AutoUpdate 时,现在默认的下载站点为 HTTP 站点,FTP 站点 作为辅助站点。 有关详细说明,请参阅《VirusScan Enterprise 产 品指南》。 - 系统使用率(按需扫描)。 CPU 使用率已更改为系统使用率。 按需扫描启动后,该功能会采集最初 30 秒钟内的 CPU 和 IO 样本,然后根据您在按需扫描属性中指定的使用率 水平进行扫描。这样更为符合实际需要,我们可以根据 CPU 和 IO 的使 用率平衡利用 CPU 和磁盘资源。 - 可恢复的扫描。 经过更改后,按需扫描程序可以执行真正的可恢复扫描。如果在完成扫描之 前中断扫描,则扫描程序会从扫描中断处自动恢复扫描。扫描程序的增量扫 描功能能够识别上一次扫描的文件,因此下次扫描启动时,可以从中断处恢 复扫描。 - 压缩文件扫描。 本版本从扫描选项中删除了"扫描压缩的文件"选项,因为该功能已经在每 种扫描程序中永久性启用了。扫描程序始终会扫描压缩文件。 ______________________________________________________________________ 安装和系统要求 有关安装和系统要求的完整信息,请参阅产品文档。 测试安装 您可以通过在已经安装本软件的任何计算机上运行 EICAR 标准防病毒测试文件, 测试软件的运行情况。EICAR 标准防病毒测试文件是全世界防病毒产品厂商 共同努力的成果,它使客户可以按照一个统一标准验证其安装的防病毒产品。 要测试安装,请: 1. 将下面一行文字复制到一个独立文件中,然后以 EICAR.COM 名称保存该 文件。 X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 该文件的大小为 68 或 70 字节。 2. 
启动防病毒软件,让它扫描 EICAR.COM 所在的目录。 VirusScan Enterprise 扫描此文件时,它会报告发现 EICAR 测试文 件。 3. 测试完安装的软件后,请删除该文件,以避免对正常用户发出警告。 重要信息: 请注意,此文件并非病毒。 _____________________________________________________________________ 已解决的问题 下面介绍本软件产品以前版本中存在但当前版本中已解决的问题。 1. 问题: VirusScan Enterprise 7.1 按访问扫描程序会对其他 McAfee防病 毒或安全产品的隔离文件夹中包含的数据执行操作,除非从扫描任务中排 除那些文件夹。例如,如果您在已经安装 VirusScan Enterprise 的 同一台计算机上使用 McAfee GroupShield 或 IntruShield,则它 们各自的隔离文件夹可能会包含合法的感染病毒的数据。这些隔离文件夹 应该从按访问扫描任务中排除,以避免清除、删除或移动合法的感染病毒的 数据。 解决方案: 安装程序会检测到其他产品并为其添加排除项。 2. 问题: 对于使用 ePolicy Orchestrator 3.0 创建和部署的按需扫描任务, 可恢复扫描不起作用。 如果在 ePolicy Orchestrator 中创建的按需 扫描在扫描完成之前即结束(由于系统关闭等),就会出现这种问题。按需 扫描任务再次启动时,它会再次从开始位置扫描,而不是从最后扫描的文件 恢复扫描。 解决方案: 对于使用 ePolicy Orchestrator 3.0 创建和部署的按需扫描任务, 可恢复扫描工作正常。 3. 问题: 具有用户权限(相对于具有管理员权限的管理员)的用户回滚 DAT 文件时, 出现下列错误: "无法保存刚刚回滚的 DAT 版本" 这意味着 VirusScan Enterprise 无法创建正确的注册表键,以识别 回滚操作。因此,执行更新可能会重新应用回滚的 DAT。在回滚的 DAT 版 本已损坏(这通常是执行 DAT 回滚的原因)的情况下,这会产生问题。 正常情况下,VirusScan Enterprise 不更新经过回滚的 DAT 版本。 注: 只有在除管理员之外的其他人员执行 DAT 回滚时才出现此问题。在 管理员执行回滚时,不能通过更新应用回滚的 DAT 版本。 解决方案: 无法重新应用回滚的 DAT。 4. 问题: 通过 ePolicy Orchestrator 部署 VirusScan Enterprise 时, 或采用静默安装时,VShield 图标不出现在系统任务栏中。 解决方案: 现在,通过 ePolicy Orchestrator 部署 VirusScan Enterprise 时,或静默安装时,VShield 图标会显示在系统任务栏中。 5. 问题: 将 VirusScan Enterprise 安装至采用 Intel 64 位处理器的系统 时,不能使用 REGSVR32.EXE 正确注册 VSUPDATE.DLL 文件。结果, 在安装完成后执行更新操作时,会出现错误,并会显示以下错误信息: "加载 COM 组件时出错。" 要正确注册.DLL,请在命令提示符下输入以下命令: "<驱动器>:\Winnt\syswow64\regsvr32.exe vsupdate.dll" 注: 如果您将 VirusScan Enterprise 安装到默认位置,则安装路径 为: <驱动器>:\Program Files\Network Associates\VirusScan\ 解决方案: 此问题在 VirusScan Enterprise 8.0 中已经得到解决。 ______________________________________________________________________ 已知问题 安装、升级和卸载 1. 在安装结束时,需要重新启动系统(具有可选性),才能加载 TDI 网络驱 动程序。在重新启动计算机之前,"端口阻挡"、"病毒感染跟踪"和"病 毒感染跟踪阻挡"功能均处于禁用状态。 2. Internet Explorer 要求。《VirusScan Enterprise 8.0 安装指 南》中将 Internet Explorer 要求错误列为 5.0 版或更高版本。 Internet Explorer 要求是 Internet Explorer 4.0 版 Service Pack 2 或更高版本。 3. 
如果您准备在采用 Windows NT4 操作系统的计算机上安装 VirusScan Enterprise 8.0,并使用 AutoUpdate 功能,则必须首先在该计算机 上安装 Internet Explorer 4.0 Service Pack 2 或更高版本。 如果在您开始在采用 Windows NT4 操作系统的计算机上安装 VirusScan Enterprise 8.0 之前没有安装 Internet Explorer 4.0 Service Pack 2 或更高版本,系统会生成一个错误编号 1920"服务器启动失败" 的错误,要求您选择"放弃"、"重试"或"继续"安装。如果"继续" 安装,则不会安装 AutoUpdate 组件。如果您决定以后安装 AutoUpdate 功能,则必须首先安装 Internet Explorer 4.0 Service Pack 2 或 更高版本,然后,完全删除 VirusScan Enterprise 8.0 并重新安装。 4. 如果您使用未压缩的安装程序"SETUPVSE.EXE"在 Windows NT4 终端服务 器上安装 VirusScan Enterprise,则必须在执行"SETUPVSE.EXE"之前, 先将终端服务器切换到"安装模式"。有关详细信息,请参阅知识库中的文 章 KB37558。 5. 要使用 MSIEXEC.EXE 安装 VirusScan Enterprise 产品,请完成以 下步骤: a. 在命令提示符下输入以下命令,解压缩 .MSI 和其他文件: SETUP.EXE -nos_ne [-nos_o""] 注: -nos_ne 命令会从 SETUP.EXE 解压缩安装文件,但是不会 执行 SETUP.EXE删除安装文件。 -nos_o"" 命令会指定用于解压缩安装文件的 目标文件夹。 如果不指定输出路径,这些文件会解压缩到用户配置文件的" Temp"文件夹内。 b. 请确保删除任何其他厂商的产品,包括 McAfee VirusScan 和 VirusScan Enterprise 早期版本。 c. 在命令提示符下输入以下命令,运行 MSIEXEC.EXE: "msiexec.exe /i vse800.msi" 6. 安装"缓冲区溢出保护"功能时,会有以下限制: - 如果在已经安装 McAfee Entercept 代理的计算机上安装 "缓冲区溢出保护",则会在 VirusScan 控制台中禁用"缓 冲区溢出保护"功能。 McAfee Entercept 产品覆盖范围更大,因此 McAfee Entercept 产品优先于 VirusScan Enterprise 中的"缓冲区溢出保护"功 能。 - 在 64 位平台上无法安装"缓冲区溢出保护"。 - 缓冲区溢出保护与 Windows XP 快速用户切换配合使用时,仅 保护会话。 - 缓冲区溢出保护并不保护 Windows 终端服务器或 Citrix MetaFrame 的终端会话。 它仅保护本地登录。 7. 在 64 位平台上无法安装 ScriptScan。 8. 在 64 位平台上无法安装右键单击扫描功能。 9. 本版本支持使用管理安装点 (AIP) 进行部署。但是,必须从 AIP 中 运行 SETUP.EXE,才能执行升级或卸载其他防病毒软件。 要创建 AIP,请在命令提示符下输入"setup.exe /a"。此时会出现一 个向导,指导您创建 AIP。创建 AIP 后,压缩 (.ZIP) 文件中的所有 必要文件均同时复制到 AIP。这些文件包括: - CMU300.NAP - CONTACT.TXT - EXAMPLE.SMS - EXTRA.DAT - INSTALL.PKG - INSTMSIW.EXE - PKGCATALOG.Z - PACKING.LST - README.TXT - SETUP.INI - SETUPVSE.EXE - SIGNLIC.TXT - UNINST.DLL - UNINST.INI - VSE800.NAP - VSE800DET.MCS 由于这些文件会自动复制到 AIP,因此,管理员不需要手动复制这些文件。 注: 如果通过 Active Directory 组策略部署 VirusScan Enterprise(这样会使用 MSIEXEC.EXE 进行安装),则必须首 先删除现有的所有防病毒产品,才能安装 VirusScan Enterprise。 10. 
静默完全安装 Computer Associates eTrust Antivirus 程序时, 该操作不完全静默进行。Computer Associates eTrust Antivirus 会显示一个包含"确定"按钮消息框,提示需要重新启动。单击"确定" 后,完全安装会继续正常进行。此问题是 Computer Associates 的 一个已知问题,您可以访问 Computer Associates 的网站,编号为 QO19636 的文章即介绍相关的内容。Computer Associates 网站提 供修补此问题的可下载文件。虽然此问题针对 Computer Associates eTrust Antivirus 6.0 版,但是,该补丁程序对 7.0 版也适用。 与其他产品的兼容性 Alert Manager 1. VirusScan Enterprise 8.0 只能向 Alert Manager 4.7.x 发送 警报。无法向早期版本的 Alert Manager 发送警报。 此外,在已经安装 Alert Manager4.7.x 以前版本的计算机上,无法安 装 VirusScan Enterprise 8.0。如果您在已经安装 Alert Manager 4.5 或 4.6 的系统中安装 VirusScan Enterprise 8.0,应该同时 安装 Alert Manager 4.7.x,该版本会自动替换早期版本。 但是,请注意,Alert Manager 4.7.x 可以接收早期版本的 NetShield 和 VirusScan 发送的警报。您可以配置这些软件程序的早 期版本将警报发送到 Alert Manager 4.7.x。 2. 在 Windows 2003 (.NET) Server 上安装 Alert Manager 时,警 报消息不会自动在 VirusScan Enterprise 8.0 中显示。 您必须手 动启动信息服务: a. 从"开始"菜单中,依次选择 "设置"|"控制面板"|"管理工具"|"服务"|"Messenger" b. 打开"Messenger 的属性"对话框。 c. 在常规选项卡的"启动类型"下,选择"自动"。 d. 在"常规"选项卡的"服务状态"下,单击"启动"。 e. 单击"确定"应用这些更改,并关闭"Messenger 的属性"对话框。 Common Management Agent 1. 在 ePolicy Orchestrator 3.0.x 中安装 VirusScan Enterprise 8.0 不会将 Common Management Agent 自动从早期版本自动升级到 3.5 版。如果您使用 ePolicy Orchestrator 3.0.x 和 VirusScan Enterprise 7.x,则在将 VirusScan Enterprise 8.0 安装软件包 添加至 ePolicy Orchestrator 资料库时,Common Management Agent 不会升级至 3.5 版。 要将 Common Management Agent 从早期版本升级到 3.5 版,必须安 装 Common Management Agent 3.5 版,然后,将其推送到客户端或 执行更新任务。 注: 使用 ePolicy Orchestrator 管理 VirusScan Enterprise 8.0 时,不需要安装 Common Management Agent 3.5。Common Management Agent 3.5 版与其早期版本仅有的不同之处在于: - Common Management Agent 3.5 版能够进行选择性更新,而 早期版本只能进行整体更新。选择性更新允许您单独更-.DAT、 扫描引擎和补丁程序等。 - Common Management Agent 3.5 版不过滤客户端的事件。 2. 
如果已经安装 Common Management Agent 3.5 版,则安装 ePolicy Orchestrator 3.0.x 会失败。 如果您尝试在已经安装 VirusScan 8.0 的同一台计算机上安装 ePolicy Orchestrator 3.0.x,则 ePolicy Orchestrator 安装会因为 Common Management Agent 的 升级问题而失败。因为 VirusScan Enterprise 8.0 安装 Common Management Agent 3.5 版,而 ePolicy Orchestrator 3.0.x 安 装早期版本的 Common Management Agent,所以代理程序无法升级, 安装自然会失败。 要解决此问题,请执行以下步骤: a. 删除 VirusScan Enterprise 8.0。 a. 安装 ePolicy Orchestrator 3.0.x。 b. 重新安装 VirusScan Enterprise 8.0。 c. 要在 ePolicy Orchestrator 3.0.x 中将 Common Management Agent 从早期版本升级到 3.5 版,必须在 ePolicy Orchestrator 3.0.x 中安装 Common Management Agent 3.5 版,然后将其推送到客户端或执行更新任务。 ePolicy Orchestrator 1. 如果您准备使用 ePolicy Orchestrator 管理 VirusScan Enterprise 8.0,则必须使用 ePolicy Orchestrator 3.0 版 Service Pack 1 或更高版本。 2. 选择性更新。要使用新的选择性更新功能,必须使用 ePolicy Orchestrator 3.5 或更高版本管理 VirusScan Enterprise.早期 版本的 ePolicy Orchestrator 会执行更新,但是不支持仅更新 .DAT 文件、扫描引擎等的选择性更新。 3. 本版 VirusScan Enterprise 8.0 提供两个 .NAP 文件,必须将这 两个.NAP 文件添加到 ePolicy Orchestrator 资料库内。另外,如 果您运行 ePolicy Orchestrator 3.0.x,在添加两个 .NAP 文件后, 必须运行更新可执行文件,以解决与事件解析程序注册有关的问题。 注: 如果您运行 ePolicy Orchestrator 3.5 版或更高版本,则不需 要运行更新可执行文件。 这些文件随 VirusScan Enterprise 8.0 安装软件包附带,您可以从 下载这些文件的位置找到这些文件: - VSE800.NAP - VSE800REPORTS.NAP.此文件是一个扩展报告.NAP 文件。 - VSE800UPDATEFOREPO30.EXE. 此文件是一个更新可执行文件。 a. 将两个 .NAP 文件添加至 ePolicy Orchestrator 资料库。 注: 我们建议您在安装 VSE800.NAP 之前,先安装 VSE800REPORTS.NAP 文件。按照此顺序安装 .NAP 文件可 以防止在托管产品下显示的 VirusScan Enterprise 英文说 明出现问题。有关详细信息,请参阅本部分的已知问题 8。 b. 如果您使用 ePolicy Orchestrator 3.0.x,则可以在已经安装 ePolicy Orchestrator 3.x 的计算机上执行 VSE800UPDATEFOREPO30.EXE。 此可执行文件用于在 ePolicy Orchestrator 3.0.x 服务器上 注册事件解析程序 .DLL。此更新解决了 ePolicy Orchestrator 的一个问题,这一问题会导致在添加扩展报告 .NAP 时事件解析程序 错误注册。 注: 有关详细信息,请参阅《与 ePolicy Orchestrator 配合使用的 VirusScan Enterprise 8.0 配置指南》。 4. 如果将 VSEREPORTS.NAP 文件登记到 ePolicy Orchestrator 3.01 版或 3.02 版资料库,可能会导致"未指定的错误"。 这是一个控制台超时错误,可以忽略。即使控制台超时,服务器仍会完成 .NAP 文件中所有的 SQL 脚本的执行。 5. 
如果您将 Microsoft SQL Server 7.0 版与 ePolicy Orchestrator 3.01 或更高版本配合使用,则在将 VSE800.NAP 文件登记到 ePolicy Orchestrator 资料库中,按需扫描任务不会保留。 必须安装 Microsoft SQL Server 2000 版或更高版本,才能保留按需扫描任务。 6. 从 ePolicy Orchestrator 服务器通过 UNC 将资料库复制到某服务 器,且该服务器已经在"访问保护属性"中启用这些文件阻挡规则时,复制 的资料库可能会损坏: - "禁止远程修改文件 (.exe)" - "禁止远程修改文件 (.dll)" - "禁止远程创建/修改/删除系统根目录中的任何内容" - "禁止远程创建/修改/删除文件 (.exe)" 这些规则启用时,某些文件复制会被阻止,因为 ePolicy Orchestrator 服务器远程打开文件,并采用与共享传播式蠕虫同样的方 式进行写入访问和修改其内容。 如果您准备从 ePolicy Orchestrator 服务器通过 UNC 复制资料库, 请确保在目标服务器上禁用这些文件阻挡规则,然后再执行复制任务。 7. 从资料库中删除项目时,ePolicy Orchestrator 符合性基线不会重新 评估符合性。 例如,在将 VirusScan Enterprise 8.0 登记到 ePolicy Orchestrator 资料库时,它会标记为该环境的新符合性基线。所有已经 安装 VirusScan Enterprise 8.0 以前版本的计算机均标记为不符合。 不过,如果您从资料库中删除 VirusScan Enterprise 8.0,而不是重 新评估符合性,则符合性基线会保持在 8.0 版。即使将 VirusScan Enterprise 7.1 重新登记到资料库,符合性基线只会增量提高。 8. 取决于安装两个 VirusScan Enterprise 8.0 .NAP 文件的顺序, 在 ePolicy Orchestrator"Repository "(资料库)中"Managed Products"(托管产品)|"Windows"|"VirusScan Enterprise"|"8.0.0" 下的 VirusScan Enterprise 8.0 的英文说明可能不可 用。 如果在安装 VSE800REPORTS.NAP 之前已经将 VSE800.NAP 安装 到资料库,则英文说明不可用。 如果在安装 VSE800.NAP 之前已经安装 VSE800REPORTS.NAP, 则英文说明可用。 9. 在 ePolicy Orchestrator"Event Filtering"(事件过滤)策略 中禁用事件过滤。VirusScan Enterprise 会生成许多事件 ID,这些 ID 不会在 ePolicy Orchestrator 过滤器列表中列出。 要确保发送 所有 VirusScan Enterprise 事件,请在策略中禁用事件过滤功能: a. 登录至 ePolicy Orchestrator 控制台。 b. 在"Reporting"下,选择"ePO 数据库"并将其展开。 c. 选择服务器并登录。 d. 选择"事件"。 e. 在右侧窗格中,选择"不过滤事件"。 f. 单击"应用"保存这些设置。 GroupShield 1. 除 VirusScan Enterprise 8.0 和 Alert Manager 4.7.1 之外, 如果您准备使用 GroupShield,请确保在安装 Alert Manager 之 前安装 GroupShield。必须按照此顺序安装,才能确保警报发送正常。 ProtectionPilot 1. 如果您准备使用 Protection Pilot 管理 VirusScan Enterprise 8.0i,则必须使用 Protection Pilot 1.0 版 Patch 1 或更高版本。 2. 如果将 VSEREPORTS.NAP 文件登记到 ProtectionPilot 资料库,可 能会导致"未指定的错误"。 这是一个控制台超时错误,可以忽略。即使控制台超时,服务器仍会完成 .NAP 文件中所有的 SQL 脚本的执行。 3. 在 ProtectionPilot 上无法使用选择性更新。此功能仅在 ePolicy Orchestrator 3.5 或更高版本中提供。 第三方软件 1. 
Spy Sweeper。如果您使用 Spy Sweeper 扫描 VirusScan Enterprise 安装文件夹,则在它检测到 BHO.DLL 时会发生检测错误。 此文件并不是 spyware;它是随 VirusScan Enterprise 安装的 ScriptScan 的一个组件。 2. Microsoft Windows XP Service Pack 2。如果您使用 Microsoft Windows XP Service Pack 2 并准备通过 ePolicy Orchestrator 管理 VirusScan Enterprise,则 Windows XP Firewall 将禁止这种操作,除非将 FRAMEWORKSERVICE.EXE 添加到 Windows XP Firewall 的排除白名单中。有 关如何进行此操作的信息,请参阅 Microsoft 知识库中的文章 842242。 3. 以下第三方产品与 VirusScan Enterprise 8.0 的"缓冲区溢出"功能不兼 容。如果必须使用这些产品,我们建议您禁用 VirusScan Enterprise"缓 冲区溢出"功能: - Tiny Personal Firewall - CyberArmour Firewall - Zone Alarm Pro 注: VirusScan Enterprise 8.0 和 Zone Alarm Pro 安装在同一 台计算机上时,Zone Alarm Pro 会崩溃。 - BlackIce Firewall 注: 请先安装 VirusScan Enterprise 8.0,然后再安装 BlackIce Firewall,以确保它们兼容。 访问保护 1. 与已知漏洞和弱点相关的端口。使用此链接可以访问一个网站,该站点提供 最经常受利用的 TCP 端口的列表。 http://www.us-cert.gov/current/services_ports.html 注: 如果通过单击无法访问链接,请将其复制粘贴至 web 浏览器,即可 访问该站点。 2. 如果您禁用按访问扫描程序,则同时会禁用端口阻挡规则和您配置的文件、 共享资源以及文件夹规则。 3. 如果您在非英语或本地化环境中使用"访问保护"功能,则默认规则可能会 包含本地化操作系统中不存在的文件夹的参考。 添加文件类型扩展名 1. 如要您在"其他文件类型"或"指定文件类型"对话框中使用通配符指定文 件类型扩展名,则不能使用 (*) 作为通配符。在这些情况下指定文件类型 扩展名时,必须使用问号 (?) 作为通配符。 AUTOUPDATE 1. 只有在更新时登录且对该映射驱动器位置至少具有读取权限时,才能从映射 驱动器进行更新。如果没有用户登录到该系统,或者,虽然登录但是对映射 位置不具有最起码的读取权限,则更新将失败。 2. 编辑资料库列表使用 UNC 路径时,"编辑 AutoUpdate 资料库列表" 对话框不会在接受所输入的路径之前验证其事实上是否为有效的 UNC 共享 资源。 确保输入有效的 UNC 服务器、共享资源和路径名称。输入无效的 UNC 路径可能会导致从此位置进行更新时出现问题。 3. VirusScan Enterprise《产品指南》中的 EXTRA.DAT 信息。这些信息用于 对 VirusScan Enterprise《产品指南》中"更新"部分的信息进行更正。 "更新任务执行过程中的活动"下的"更新"部分中错误地叙述如下: "默认情况下,将新病毒特征
Contents
Module Overview
Lesson 1: Memory
Lesson 2: I/O
Lesson 3: CPU

Module 3: Troubleshooting Server Performance

Module Overview
Troubleshooting server performance-based support calls requires product knowledge, good communication skills, and a proven troubleshooting methodology. In this module we will discuss Microsoft® SQL Server™ interaction with the operating system and the methodology of troubleshooting server-based problems.

At the end of this module, you will be able to:
• Define the common terms associated with the memory, I/O, and CPU subsystems.
• Describe how SQL Server leverages the Microsoft Windows® operating system facilities including memory, I/O, and threading.
• Define common SQL Server memory, I/O, and processor terms.
• Generate a hypothesis based on performance counters captured by System Monitor.
• For each hypothesis generated, identify at least two other non-System Monitor pieces of information that would help to confirm or reject your hypothesis.
• Identify at least five counters for each subsystem that are key to understanding the performance of that subsystem.
• Identify three common myths associated with the memory, I/O, or CPU subsystems.

Lesson 1: Memory

What You Will Learn
After completing this lesson, you will be able to:
• Define common terms used when describing memory.
• Give examples of each memory concept and how it applies to SQL Server.
• Describe how SQL Server uses and manages its memory.
• List the primary configuration options that affect memory.
• Describe how configuration options affect memory usage.
• Describe the effect on the I/O subsystem when memory runs low.
• List at least two memory myths and why they are not true.

Recommended Reading
• SQL Server 7.0 Performance Tuning Technical Reference, Microsoft Press
• Windows 2000 Resource Kit companion CD-ROM documentation. Chapter 15: Overview of Performance Monitoring
• Inside Microsoft Windows 2000, Third Edition, David A. Solomon and Mark E. Russinovich
• Windows 2000 Server Operations Guide, Storage, File Systems, and Printing; Chapters: Evaluating Memory and Cache Usage
• Advanced Windows, 4th Edition, Jeffrey Richter, Microsoft Press

Related Web Sites
• http://ntperformance/

Memory Definitions
Before we look at how SQL Server uses and manages its memory, we need to ensure a full understanding of the more common memory-related terms. The following definitions will help you understand how SQL Server interacts with the operating system when allocating and using memory.

Virtual Address Space
A set of memory addresses that are mapped to physical memory addresses by the system. In a 32-bit operating system, there is normally a linear array of 2^32 addresses representing 4,294,967,269 byte addresses.

Physical Memory
A series of physical locations, with unique addresses, that can be used to store instructions or data.

AWE – Address Windowing Extensions
A 32-bit process is normally limited to addressing 2 gigabytes (GB) of memory, or 3 GB if the system was booted using the /3GB boot switch, even if there is more physical memory available. By leveraging the Address Windowing Extensions API, an application can create a fixed-size window into the additional physical memory. This allows a process to access any portion of the physical memory by mapping it into the application's window. When used in combination with Intel's Physical Addressing Extensions (PAE) on Windows 2000, an AWE-enabled application can support up to 64 GB of memory.

Reserved Memory
Pages in a process's address space are free, reserved or committed. Reserving memory address space is a way to reserve a range of virtual addresses for later use. If you attempt to access a reserved address that has not yet been committed (backed by memory or disk) you will cause an access violation.

Committed Memory
Committed pages are those pages that, when accessed, in the end translate to pages in memory. Those pages may however have to be faulted in from a page file or memory-mapped file.

Backing Store
Backing store is the physical representation of a memory address.

Page Fault (Soft/Hard)
A reference to an invalid page (a page that is not in your working set) is referred to as a page fault. Assuming the page reference does not result in an access violation, a page fault can be either hard or soft. A hard page fault results in a read from disk, either a page file or memory-mapped file. A soft page fault is resolved from one of the modified, standby, free or zero page transition lists. Paging is represented by a number of counters including Page Faults/sec, Pages Input/sec and Pages Output/sec. Page Faults/sec includes soft and hard page faults, whereas the Pages Input/Output counters represent hard page faults. Unfortunately, all of these counters include file system cache activity. For more information, see also Inside Windows 2000, Third Edition, pp. 443-451.

Private Bytes
Private, non-shared committed address space.

Working Set
The subset of a process's virtual pages that is resident in physical memory. For more information, see also Inside Windows 2000, Third Edition, p. 455.

System Working Set
Like a process, the system has a working set. Five different types of pages represent the system's working set: system cache; paged pool; pageable code and data in the kernel; pageable code and data in device drivers; and system mapped views. The system working set is represented by the counter Memory: Cache Bytes. System working set paging activity can be viewed by monitoring the Memory: Cache Faults/sec counter. For more information, see also Inside Windows 2000, Third Edition, p. 463.

System Cache
The Windows 2000 cache manager provides data caching for both local and network file system drivers. By caching virtual blocks, the cache manager can reduce disk I/O and provide intelligent read-ahead. Represented by Memory: Cache Resident Bytes.
For more information, see also Inside Windows 2000, Third Edition, pp. 654-659.

Non Paged Pool
Range of addresses guaranteed to be resident in physical memory. As such, non-paged pool can be accessed at any time without incurring a page fault. Because device drivers operate at DPC/dispatch level (covered in Lesson 2), and page faults are not allowed at this level or above, most device drivers use non-paged pool to assure that they do not incur a page fault. Represented by Memory: Pool Nonpaged Bytes, typically between 3-30 megabytes (MB) in size.

Note: The pool is, in effect, a common area of memory shared by all processes. One of the most common uses of non-paged pool is the storage of object handles. For more information regarding "maximums," see also Inside Windows 2000, Third Edition, pp. 403-404.

Paged Pool
Range of addresses that can be paged in and out of physical memory. Typically used by drivers that need memory but do not need to access that memory from DPC/dispatch or above interrupt level. Represented by Memory: Pool Paged Bytes and Memory: Pool Paged Resident Bytes. Typically between 10-30 MB plus the size of the Registry. For more information regarding "limits," see also Inside Windows 2000, Third Edition, pp. 403-404.

Stack
Each thread has two stacks, one for kernel mode and one for user mode. A stack is an area of memory in which program procedure or function call addresses and parameters are temporarily stored.

In Process
To run in the same address space. In-process servers are loaded in the client's address space because they are implemented as DLLs. The main advantage of running in-process is that the system usually does not need to perform a context switch. The disadvantage to running in-process is that the DLL has access to the process address space and can potentially cause problems.

Out of Process
To run outside the calling process's address space. OLEDB providers can run in-process or out of process. When running out of process, they run under the context of DLLHOST.EXE.

Memory Leak
To reserve or commit memory and unintentionally not release it when it is no longer being used. A process can leak resources such as process memory, pool memory, user and GDI objects, handles, threads, and so on.

Memory Concepts (X86 Address Space)

Per Process Address Space
Every process has its own private virtual address space. For 32-bit processes, that address space is 4 GB, based on a 32-bit pointer. Each process's virtual address space is split into user and system partitions based on the underlying operating system. The diagram included at the top represents the address partitioning for the 32-bit version of Windows 2000. Typically, the process address space is evenly divided into two 2-GB regions. Each process has access to 2 GB of the 4 GB address space. The upper 2 GB of address space is reserved for the system. The user address space is where application code, global variables, per-thread stacks, and DLL code reside. The system address space is where the kernel, executive, HAL, boot drivers, page tables, pool, and system cache reside. For specific information regarding address space layout, refer to Inside Microsoft Windows 2000, Third Edition, pages 417-428, Microsoft Press.

Access Modes
Each virtual memory address is tagged as to what access mode the processor must be running in. System space can only be accessed while in kernel mode, while user space is accessible in user mode. This protects system space from being tampered with by user mode code.

Shared System Space
Although every process has its own private memory space, kernel mode code and drivers share system space. Windows 2000 does not provide any protection to private memory being used by components running in kernel mode. As such, it is very important to ensure components running in kernel mode are thoroughly tested.

3-GB Address Space
Although 2 GB of address space may seem like a large amount of memory, applications such as SQL Server could leverage more memory if it were available. The boot.ini option /3GB was created for those cases where systems actually support greater than 2 GB of physical memory and an application can make use of it. This capability allows memory-intensive applications running on Windows 2000 Advanced Server to use up to 50 percent more virtual memory on Intel-based computers. Application memory tuning provides more of the computer's virtual memory to applications by providing less virtual memory to the operating system. Although a system having less than 2 GB of physical memory can be booted using the /3GB switch, in most cases this is ill-advised. If you restart with the /3GB switch, also known as 4-Gig Tuning, the amount of non-paged pool is reduced to 128 MB from 256 MB. For a process to access 3 GB of address space, the executable image must have been linked with the /LARGEADDRESSAWARE flag or modified using Imagecfg.exe. It should be pointed out that SQL Server was linked using the /LARGEADDRESSAWARE flag and can leverage 3 GB when enabled.

Note: Even though you can boot Windows 2000 Professional or Windows 2000 Server with the /3GB boot option, user processes are still limited to 2 GB of address space even if the IMAGE_FILE_LARGE_ADDRESS_AWARE flag is set in the image. The only thing accomplished by using the /3GB option on these systems is the reduction in the amount of address space available to the system (ISW2K p. 418).

Important: If you use /3GB in conjunction with AWE/PAE you are limited to 16 GB of memory.
For more information, see the following Knowledge Base articles:
• Q171793 Information on Application Use of 4GT RAM Tuning
• Q126402 PagedPoolSize and NonPagedPoolSize Values in Windows NT
• Q247904 How to Configure Paged Pool and System PTE Memory Areas
• Q274598 W2K Does Not Enable Complete Memory Dumps Between 2 & 4 GB

AWE Memory Layout

AWE Memory
Usually, the operating system is limited to 4 GB of physical memory. However, by leveraging PAE, Windows 2000 Advanced Server can support up to 8 GB of memory, and Datacenter 64 GB of memory. However, as stated previously, each 32-bit process normally has access to only 2 GB of address space, or 3 GB if the system was booted with the /3GB option. To allow processes to allocate more physical memory than can be represented in the 2 GB of address space, Microsoft created the Address Windowing Extensions (AWE). These extensions allow for the allocation and use of up to the amount of physical memory supported by the operating system. By leveraging the Address Windowing Extensions API, an application can create a fixed-size window into the physical memory. This allows a process to access any portion of the physical memory by mapping regions of physical memory in and out of the application's window.

The allocation and use of AWE memory is accomplished by:
• Creating a window via VirtualAlloc using the MEM_PHYSICAL option
• Allocating the physical pages through AllocateUserPhysicalPages
• Mapping the RAM pages to the window using MapUserPhysicalPages

Note: SQL Server 7.0 supports a feature called extended memory in Windows NT® 4 Enterprise Edition by using a PSE36 driver. Currently there are no PSE drivers for Windows 2000. The preferred method of accessing extended memory is via the Physical Addressing Extensions using AWE. The AWE mapping feature is much more efficient than the older process of copying buffers from extended memory into the process address space. Unfortunately, SQL Server 7.0 cannot leverage PAE/AWE. Because there are currently no PSE36 drivers for Windows 2000, this means SQL Server 7.0 cannot support more than 3 GB of memory on Windows 2000. Refer to KB article Q278466.

AWE restrictions
• The process must have the Lock Pages In Memory user right to use AWE.
  Important: It is important that you use Enterprise Manager or DMO to change the service account. Enterprise Manager and DMO will grant all of the privileges and Registry and file permissions needed for SQL Server. The Service Control Panel does NOT grant all the rights or permissions needed to run SQL Server.
• Pages are not shareable or pageable.
• Page protection is limited to read/write.
• The same physical page cannot be mapped into two separate AWE regions, even within the same process.
• The use of AWE/PAE in conjunction with /3GB will limit the maximum amount of supported memory to between 12-16 GB of memory.
• Task Manager does not show the correct amount of memory allocated to AWE-enabled applications. You must use Memory Manager: Total Server Memory. It should, however, be noted that this only shows memory in use by the buffer pool.
• Machines that have PAE enabled will not dump user mode memory. If an event occurs in user mode memory that causes a blue screen and root cause determination is absolutely necessary, the machine must be booted with the /NOPAE switch, and with /MAXMEM set to a number appropriate for transferring dump files.
• With AWE enabled, SQL Server will, by default, allocate almost all memory during startup, leaving 256 MB or less free. This memory is locked and cannot be paged out. Consuming all available memory may prevent other applications or SQL Server instances from starting.

Note: PAE is not required to leverage AWE. However, if you have more than 4 GB of physical memory you will not be able to access it unless you enable PAE.

Caution: It is highly recommended that you use the "max server memory" option in combination with "awe enabled" to ensure some memory headroom exists for other applications or instances of SQL Server, because AWE memory cannot be shared or paged.

For more information, see the following Knowledge Base articles:
• Q268363 Intel Physical Addressing Extensions (PAE) in Windows 2000
• Q241046 Cannot Create a Dump File on Computers with over 4 GB RAM
• Q255600 Windows 2000 Utilities Do Not Display Physical Memory Above 4 GB
• Q274750 How to Configure SQL Server Memory More Than 2 GB (Idea)
• Q266251 Memory Dump Stalls When PAE Option Is Enabled (Idea)

Tip: The KB will return more hits if you query on PAE rather than AWE.

Virtual Address Space Mapping
By default Windows 2000 (on an X86 platform) uses a two-level (three-level when PAE is enabled) page table structure to translate virtual addresses to physical addresses. Each 32-bit address has three components, as shown below. When a process accesses a virtual address the system must first locate the Page Directory for the current process via register CR3 (X86). The first 10 bits of the virtual address act as an index into the Page Directory. The Page Directory Entry then points to the Page Frame Number (PFN) of the appropriate Page Table. The next 10 bits of the virtual address act as an index into the Page Table to locate the appropriate page. If the page is valid, the PTE contains the PFN of the actual page in memory. If the page is not valid, the memory management fault handler locates the page and attempts to make it valid. The final 12 bits act as a byte offset into the page.

Note: This multi-step process is expensive. This is why systems have translation look-aside buffers (TLB) to speed up the process. One of the reasons context switching is so expensive is that the translation buffers must be dumped. Thus, the first few lookups are very expensive. Refer to ISW2K pages 439-440.
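The 10/10/12-bit walk described above, as an added example that is not part of the course material: it splits a 32-bit address into its Page Directory index, Page Table index and byte offset, resolves it through a constructed (toy) page directory, and adds a small TLB so the cost of flushing it on a context switch is visible. The non-PAE 4 KB-page layout and the directory contents are assumptions.

```python
"""
Added example, not from the course material: x86 two-level virtual-to-physical
translation (10-bit PDE index, 10-bit PTE index, 12-bit offset) over constructed
page-directory and page-table contents, plus a toy TLB that counts full walks.
"""
PAGE_SHIFT = 12                      # 4 KB pages, non-PAE (assumption)
PAGE_SIZE = 1 << PAGE_SHIFT
INDEX_MASK = (1 << 10) - 1           # 1024 entries per directory / table


class PageFault(Exception):
    """A PDE or PTE was not valid; on a real system the fault handler runs here."""


def split_virtual_address(va):
    """Return (pde_index, pte_index, byte_offset) for a 32-bit virtual address."""
    if not 0 <= va < (1 << 32):
        raise ValueError("virtual address must fit in 32 bits")
    pde_index = (va >> 22) & INDEX_MASK   # top 10 bits: Page Directory index
    pte_index = (va >> 12) & INDEX_MASK   # next 10 bits: Page Table index
    offset = va & (PAGE_SIZE - 1)         # low 12 bits: byte offset in page
    return pde_index, pte_index, offset


def translate(va, page_directory):
    """
    Walk the two-level structure. page_directory maps PDE index -> page table,
    and each page table maps PTE index -> PFN. A missing entry models a PDE/PTE
    whose valid bit is clear. Returns PFN * 4096 + offset.
    """
    pde_index, pte_index, offset = split_virtual_address(va)
    page_table = page_directory.get(pde_index)
    if page_table is None:
        raise PageFault(f"PDE {pde_index:#x} not valid")
    pfn = page_table.get(pte_index)
    if pfn is None:
        raise PageFault(f"PTE {pte_index:#x} in PDE {pde_index:#x} not valid")
    return (pfn << PAGE_SHIFT) | offset


class Translator:
    """Page walker with a toy TLB keyed by virtual page number; counts full walks."""

    def __init__(self, page_directory):
        self.page_directory = page_directory
        self.tlb = {}
        self.walks = 0

    def translate(self, va):
        vpn = va >> PAGE_SHIFT
        pfn = self.tlb.get(vpn)
        if pfn is None:                      # TLB miss: do the expensive walk
            self.walks += 1
            pfn = translate(va, self.page_directory) >> PAGE_SHIFT
            self.tlb[vpn] = pfn
        return (pfn << PAGE_SHIFT) | (va & (PAGE_SIZE - 1))

    def context_switch(self):
        """CR3 changes to another process's directory, so cached translations are dumped."""
        self.tlb.clear()


# Constructed toy directory: one page table (PDE 0x1F3) with two valid pages.
# VA 0x7CCA7xxx -> PFN 0xC35, VA 0x7CCA8xxx -> PFN 0xC36.
DEMO_DIRECTORY = {0x1F3: {0x0A7: 0x00C35, 0x0A8: 0x00C36}}

if __name__ == "__main__":
    va = 0x7CCA7123
    print(f"{va:#010x} -> PDE/PTE/offset {split_virtual_address(va)}")
    print(f"physical {translate(va, DEMO_DIRECTORY):#x}")
```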
Core System Memory Related Counters
When evaluating memory performance you are looking at a wide variety of counters. The counters listed here are a few of the core counters that give you a quick overall view of the state of memory. The two key counters are Available Bytes and Committed Bytes. If Committed Bytes exceeds the amount of physical memory in the system, you can be assured that there is some level of hard page fault activity happening. The goal of a well-tuned system is to have as little hard paging as possible. If Available Bytes is below 5 MB, you should investigate why. If Available Bytes is below 4 MB, the Working Set Manager will start to aggressively trim the working sets of processes, including the system cache.

• Committed Bytes: Total memory, including physical and page file, currently committed.
• Commit Limit:
  - Physical memory + page file size
  - Represents the total amount of memory that can be committed without expanding the page file (assuming the page file is allowed to grow).
• Available Bytes: Total physical memory currently available.

Note: Available Bytes is a key indicator of the amount of memory pressure. Windows 2000 will attempt to keep this above approximately 4 MB by aggressively trimming the working sets, including system cache. If this value is constantly between 3-4 MB, it is cause for investigation.

One counter you might expect would be for total physical memory. Unfortunately, there is no specific counter for total physical memory. There are however many other ways to determine total physical memory. One of the most common is by viewing the Performance tab of Task Manager.

Page File Usage
The only counters that show current page file space usage are Page File: % Usage and Page File: % Peak Usage. These two counters will give you an indication of the amount of space currently used in the page file.

Memory Performance

Memory Counters
There are a number of counters that you need to investigate when evaluating memory performance. As stated previously, no single counter provides the entire picture. You will need to consider many different counters to begin to understand the true state of memory.

Note: The counters listed are a subset of the counters you should capture.

*Available Bytes
In general, it is desirable to see Available Bytes above 5 MB. SQL Server's goal on Intel platforms, running Windows NT, is to assure there is approximately 5+ MB of free memory. After Available Bytes reaches 4 MB, the Working Set Manager will start to aggressively trim the working sets of processes and, finally, the system cache. This is not to say that working set trimming does not happen before 4 MB, but it does become more pronounced as the number of available bytes decreases below 4 MB.

Page Faults/sec
Page Faults/sec represents the total number of hard and soft page faults. This value includes the System Working Set as well. Keep this in mind when evaluating the amount of paging activity in the system. Because this counter includes paging associated with the System Cache, a server acting as a file server may have a much higher value than a dedicated SQL Server. The System Working Set is covered in depth on the next slide. Because Page Faults/sec includes soft faults, this counter is not as useful as Pages/sec, which represents hard page faults. Because of the associated I/O, hard page faults tend to be much more expensive.

*Pages/sec
Pages/sec represents the number of pages written to/read from disk because of hard page faults. It is the sum of Memory: Pages Input/sec and Memory: Pages Output/sec. Because it is counted in numbers of pages, it can be compared to other counts of pages, such as Memory: Page Faults/sec, without conversion. On a well-tuned system, this value should be consistently low. In and of itself, a high value for this counter does not necessarily indicate a problem. You will need to isolate the paging activity to determine if it is associated with in-paging, out-paging, memory-mapped file activity or system cache. Any one of these activities will contribute to this counter.

Note: Paging in and of itself is not necessarily a bad thing. Paging is only "bad" when a critical process must wait for its pages to be in-paged, or when the amount of read/write paging is causing excessive kernel time or disk I/O, thus interfering with normal user mode processing.

Tip: (Memory: Pages/sec * 4096) / (PhysicalDisk: Disk Bytes/sec) yields the approximate percentage of paging to total disk I/O. Note, this is only relevant on X86 platforms with a 4 KB page size.

Page Reads/sec (Hard Page Fault)
Page Reads/sec is the number of times the disk was accessed to resolve hard page faults. It includes reads to satisfy faults in the file system cache (usually requested by applications) and in non-cached memory-mapped files. This counter counts numbers of read operations, without regard to the number of pages retrieved by each operation. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.

Page Writes/sec (Hard Page Fault)
Page Writes/sec is the number of times pages were written to disk to free up space in physical memory. Pages are written to disk only if they are changed while in physical memory, so they are likely to hold data, not code. This counter counts write operations, without regard to the number of pages written in each operation. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.

*Pages Input/sec (Hard Page Fault)
Pages Input/sec is the number of pages read from disk to resolve hard page faults.
It includes pages retrieved to satisfy faults in the file system cache and in non-cached memory-mapped files. This counter counts numbers of pages, and can be compared to other counts of pages, such as Memory: Page Faults/sec, without conversion. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. This is one of the key counters to monitor for potential performance complaints. Because a process must wait for a read page fault to be resolved, read page faults have a direct impact on the perceived performance of a process.

*Pages Output/sec (Hard Page Fault)
Pages Output/sec is the number of pages written to disk to free up space in physical memory. Pages are written back to disk only if they are changed in physical memory, so they are likely to hold data, not code. A high rate of pages output might indicate a memory shortage. Windows NT writes more pages back to disk to free up space when physical memory is in short supply. This counter counts numbers of pages, and can be compared to other counts of pages, without conversion. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. Like Pages Input/sec, this is one of the key counters to monitor. Processes will generally not notice write page faults unless the disk I/O begins to interfere with normal data operations.

Demand Zero Faults/sec (Soft Page Fault)
Demand Zero Faults/sec is the number of page faults that require a zeroed page to satisfy the fault. Zeroed pages, pages emptied of previously stored data and filled with zeros, are a security feature of Windows NT. Windows NT maintains a list of zeroed pages to accelerate this process. This counter counts numbers of faults, without regard to the numbers of pages retrieved to satisfy the fault. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.

Transition Faults/sec (Soft Page Fault)
Transition Faults/sec is the number of page faults resolved by recovering pages that were on the modified page list, on the standby list, or being written to disk at the time of the page fault. The pages were recovered without additional disk activity. Transition faults are counted in numbers of faults, without regard for the number of pages faulted in each operation. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval.

System Working Set
Like processes, the system's pageable code and data are managed by a working set. For the purpose of this course, that working set is referred to as the System Working Set. This is done to differentiate the system cache portion of the working set from the entire working set. There are five different types of pages that make up the System Working Set. They are: system cache; paged pool; pageable code and data in ntoskrnl.exe; pageable code and data in device drivers; and system-mapped views. Unfortunately, some of the counters that appear to represent the system cache actually represent the entire system working set. Where noted, system cache actually represents the entire system working set.

Note: The counters listed are a subset of the counters you should capture.

*Memory: Cache Bytes (Represents Total System Working Set)
Represents the total size of the System Working Set including: system cache; paged pool; pageable code and data in ntoskrnl.exe; pageable code and data in device drivers; and system-mapped views. Cache Bytes is the sum of the following counters: System Cache Resident Bytes, System Driver Resident Bytes, System Code Resident Bytes, and Pool Paged Resident Bytes.

Memory: System Cache Resident Bytes (System Cache)
System Cache Resident Bytes is the number of bytes from the file system cache that are resident in physical memory. The Windows 2000 Cache Manager works with the memory manager to provide virtual block stream and file data caching. For more information, see also Inside Windows 2000, Third Edition, pp. 645-650 and p. 656.

Memory: Pool Paged Resident Bytes
Represents the physical memory consumed by Paged Pool. This counter should NOT be monitored by itself. You must also monitor Memory: Pool Paged Bytes. A leak in the pool may not show up in Pool Paged Resident Bytes.

Memory: System Driver Resident Bytes
Represents the physical memory consumed by driver code and data. System Driver Resident Bytes and System Driver Total Bytes do not include code that must remain in physical memory and cannot be written to disk.

Memory: System Code Resident Bytes
Represents the physical memory consumed by pageable system code. System Code Resident Bytes and System Code Total Bytes do not include code that must remain in physical memory and cannot be written to disk.

Working Set Performance Counter
You can measure the number of page faults in the System Working Set by monitoring the Memory: Cache Faults/sec counter. Contrary to the "Explain" text shown in System Monitor, this counter measures the total number of page faults/sec in the System Working Set, not only the System Cache. You cannot measure the performance of the System Cache using this counter alone. For more information, see also Inside Windows 2000, Third Edition, p. 656.

Note: You will find that in general the working set manager will usually trim the working sets of normal processes prior to trimming the system working set.

System Cache
The Windows 2000 cache manager provides a write-back cache with lazy writing and intelligent read-ahead. Files are not written to disk immediately but deferred until the cache manager calls the memory manager to flush the cache.
This helps to reduce the total number of I/Os. Once per second, the lazy writer thread queues one-eighth of the dirty pages in the system cache to be written to disk. If this is not sufficient to meet the needs, the lazy writer will calculate a larger value. If the dirty page threshold is exceeded prior to the lazy writer waking, the cache manager will wake the lazy writer.

Important: It should be pointed out that mapped files or files opened with FILE_FLAG_NO_BUFFERING do not participate in the System Cache. For more information regarding mapped views, see also Inside Windows 2000, Third Edition, p. 669.

For those applications that would like to leverage the system cache but cannot tolerate write delays, the cache manager supports write-through operations via the FILE_FLAG_WRITE_THROUGH flag. On the other hand, an application can disable lazy writing by using the FILE_ATTRIBUTE_TEMPORARY attribute. If this flag is enabled, the lazy writer will not write the pages to disk unless there is a shortage of memory or the file is closed.

Important: Microsoft SQL Server uses both FILE_FLAG_NO_BUFFERING and FILE_FLAG_WRITE_THROUGH.

Tip: The file system cache is not represented by a static amount of memory. The system cache can and will grow. It is not unusual to see the system cache consume a large amount of memory. Like other working sets, it is trimmed under pressure but is generally the last thing to be trimmed.

System Cache Performance Counters
The counters listed are a subset of the counters you should capture.

Cache: Data Flushes/sec
Data Flushes/sec is the rate at which the file system cache has flushed its contents to disk as the result of a request to flush or to satisfy a write-through file write request. More than one page can be transferred on each flush operation.

Cache: Data Flush Pages/sec
Data Flush Pages/sec is the number of pages the file system cache has flushed to disk as a result of a request to flush or to satisfy a write-through file write request.

Cache: Lazy Write Flushes/sec
Represents the rate of lazy writes to flush the system cache per second. More than one page can be transferred per flush.

Cache: Lazy Write Pages/sec
Lazy Write Pages/sec is the rate at which the Lazy Writer thread has written pages to disk.

Note: When looking at Memory: Cache Faults/sec, you can remove cache write activity by subtracting (Cache: Data Flush Pages/sec + Cache: Lazy Write Pages/sec). This will give you a better idea of how much other page faulting activity is associated with the other components of the System Working Set. However, you should note that there is no easy way to remove the page faults associated with file cache read activity.

For more information, see the following Knowledge Base articles:
• Q145952 (NT4) Event ID 26 Appears If Large File Transfer Fails
• Q163401 (NT4) How to Disable Network Redirector File Caching
• Q181073 (SQL 6.5) DUMP May Cause Access Violation on Win2000

System Pool
As documented earlier, there are two types of shared pool memory: non-paged pool and paged pool. Like private memory, pool memory is susceptible to a leak.

Nonpaged Pool
Miscellaneous kernel code and structures, and drivers that need working memory while at or above DPC/dispatch level, use non-paged pool. The primary counter for non-paged pool is Memory: Pool Nonpaged Bytes. This counter will usually be between 3 and 30 MB.

Paged Pool
Drivers that do not need to access memory above DPC/dispatch level are one of the primary users of paged pool; however, any process can use paged pool by leveraging the ExAllocatePool calls. Paged pool also contains the Registry and file and printing structures. The primary counter for monitoring paged pool is Memory: Pool Paged Bytes. This counter will usually be between 10-30 MB plus the size of the Registry. To determine how much of paged pool is currently resident in physical memory, monitor Memory: Pool Paged Resident Bytes.
Note: The paged and non-paged pools are two of the components of the System Working Set. If a suspected leak is clearly visible in the overview and not associated with a process, then it is most likely a pool leak. If the leak is not associated with SQL Server handles, OLEDB providers, XPROCs or SP_OA calls, then most likely this call should be pushed to the Windows NT group.

For more information, see the following Knowledge Base articles:
• Q265028 (MS) Pool Tags
• Q258793 (MS) How to Find Memory Leaks by Using Pool Bitmap Analysis
• Q115280 (MS) Finding Windows NT Kernel Mode Memory Leaks
• Q177415 (MS) How to Use Poolmon to Troubleshoot Kernel Mode Memory Leaks
• Q126402 PagedPoolSize and NonPagedPoolSize Values in Windows NT
• Q247904 How to Configure Paged Pool and System PTE Memory Areas

Tip: To isolate pool leaks you will need to isolate all drivers and third-party processes. This should be done by disabling each service or driver one at a time and monitoring the effect. You can also monitor paged and non-paged pool through Poolmon. If pool tagging has been enabled via GFLAGS, you may be able to associate the leak with a particular tag. If you suspect a particular tag, you should involve the platform support group.

Process Memory Counters

Process _Total Limitations
Although the _Total rollups for Process: Private Bytes, Virtual Bytes, Handles and Threads represent the key resources being used across all processes, they can be misleading when evaluating a memory leak. This is because a leak in one process may be masked by a decrease in another process.

Note: The counters listed are a subset of the counters you should capture.

Tip: When analyzing memory leaks, it is often easier to build either a separate chart or report showing only one or two key counters for all processes. The primary counter used for leak analysis is Private Bytes, but processes can leak handles and threads just as easily. After a suspect process is located, build a separate chart that includes all the counters for that process.

Individual Process Counters
When analyzing individual processes for memory leaks you should include the counters listed.
• Process: % Processor Time
• Process: Working Set (includes shared pages)
• Process: Virtual Bytes
• Process: Private Bytes
• Process: Page Faults/sec
• Process: Handle Count
• Process: Thread Count
• Process: Pool Paged Bytes
• Process: Pool Nonpaged Bytes

Tip: WINLOGON, SVCHOST, SERVICES, or SPOOLSV are referred to as HELPER processes. They provide core functionality for many operations and as such are often extended by the addition of third-party DLLs. Tlist -s may help identify what services are running under a particular helper.

Helper Processes
Winlogon, Services, Spoolsv and Svchost are examples of what are referred to as HELPER processes. They provide core functionality for many operations and, as such, are often extended by the addition of third-party DLLs. Running every service in its own process can waste system resources. Consequently, some services run in their own processes while others share a process with other services. One problem with sharing a process is that a bug in one service may cause the entire process to fail. The Resource Kit tool Tlist, when used with the -s qualifier, can help you identify what services are running in what processes.

WINLOGON
Used to support GINAs.

SPOOLSV
SPOOLSV is responsible for printing. You will need to investigate all added printing functionality.

Services
Services is responsible for system services.

Svchost.exe
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started.
This allows for better control and debugging.

The Effect of Memory on Other Components

Memory Drives Overall Performance
Processor, cache, bus speeds, I/O: all of these resources play a role in overall perceived performance. Without minimizing the impact of these components, it is important to point out that a shortage of memory can often have a larger perceived impact on performance than a shortage of some other resource. On the other hand, an abundance of memory can often be leveraged to mask bottlenecks. For instance, in certain environments, file system cache can significantly reduce the amount of disk I/O, potentially masking a slow I/O subsystem.

Effect on I/O
I/O can be driven by a number of memory considerations. Page reads/faults will cause a read I/O when a page is not in memory. If the modified page list becomes too long, the Modified Page Writer and Mapped Page Writer will need to start flushing pages, causing disk writes. However, the one event that can have the greatest impact is running low on available memory. In this case, all of the above events will become more pronounced and have a larger impact on disk activity.

Effect on CPU
The most effective use of a processor from a process perspective is to spend as much time as possible executing user mode code. Kernel mode represents processor time associated with doing work, directly or indirectly, on behalf of a thread. This includes items such as synchronization, scheduling, I/O, memory management, and so on. Although this work is essential, it takes processor cycles, and the cost, in cycles, to transition between user and kernel mode is expensive. Because all memory management and I/O functions must be done in kernel mode, it follows that the fewer the memory resources, the more cycles are going to be spent managing those resources. A direct result of low memory is that the Working Set Manager, Modified Page Writer and Mapped Page Writer will have to use more cycles attempting to free memory.
Analyzing Memory

Look for Trends and Trend Relationships
Troubleshooting performance is about analyzing trends and trend relationships. Establishing that some event happened is not enough. You must establish the effect of the event. For example, you note that paging activity is high at the same time that SQL Server becomes slow. These two individual facts may or may not be related. If the paging is not associated with SQL Server's working set, or the disks SQL Server is using, there may be little or no cause/effect relationship.

Look at Physical Memory First
The first item to look at is physical memory. You need to know how much physical and page file space the system has to work with. You should then evaluate how much available memory there is. Just because the system has free memory does not mean that there is not any memory pressure. Available Bytes in combination with Pages Input/sec and Pages Output/sec can be a good indicator as to the amount of pressure. The goal in a perfect world is to have as little hard paging activity as possible with available memory greater than 5 MB. This is not to say that paging is bad. On the contrary, paging is a very effective way to manage a limited resource. Again, we are looking for trends that we can use to establish relationships. After evaluating physical memory, you should be able to answer the following questions:
- How much physical memory do I have?
- What is the commit limit?
- Of that physical memory, how much has the operating system committed?
- Is the operating system over committing physical memory?
- What was the peak commit charge?
- How much available physical memory is there?
- What is the trend associated with committed and available?

Review System Cache and Pool Contribution
After you understand the individual process memory usage, you need to evaluate the System Cache and Pool usage. These can and often do represent a significant portion of physical memory.
Be aware that System Cache can grow significantly on a file server. This is usually normal. One thing to consider is that the file system cache tends to be the last thing trimmed when memory becomes low. If you see abrupt decreases in System Cache Resident Bytes when Available Bytes is below 5 MB, you can be assured that the system is experiencing excessive memory pressure. Paged and non-paged pool size is also important to consider. An ever-increasing pool should be an indicator for further research. Non-paged pool growth is usually a driver issue, while paged pool could be driver-related or process-related. If paged pool is steadily growing, you should investigate each process to see if there is a specific process relationship. If not, you will have to use tools such as poolmon to investigate further.

Review Process Memory Usage
After you understand the physical memory limitations and cache and pool contribution, you need to determine what components or processes are creating the pressure on memory, if any. Be careful if you opt to chart the _Total Private Bytes rollup for all processes. This value can be misleading in that it includes shared pages and can therefore exceed the actual amount of memory being used by the processes. The _Total rollup can also mask processes that are leaking memory because other processes may be freeing memory, thus creating a balance between leaked and freed memory. Identify processes that expand their working set over time for further analysis. Also, review handles and threads because both use resources and potentially can be mismanaged. After evaluating the process resource usage, you should be able to answer the following:
- Are any of the processes increasing their private bytes over time?
- Are any processes growing their working set over time?
- Are any processes increasing the number of threads or handles over time?
- Are any processes increasing their use of pool over time?
- Is there a direct relationship between the above named resources and total committed memory or available memory?
- If there is a relationship, is this normal behavior for the process in question? For example, SQL Server does not commit 'min memory' on startup; these pages are faulted into the working set as needed. This is not necessarily an indication of a memory leak.
- If there is clearly a leak in the overview and it is not identifiable in the process counters, it is most likely in the pool.
- If the leak in pool is not associated with SQL Server handles, then more often than not it is not a SQL Server issue. There is, however, the possibility that the leak could be associated with third-party XPROCS, SP_OA* calls or OLE DB providers.

Review Paging Activity and Its Impact on CPU and I/O
As stated earlier, paging is not in and of itself a bad thing. When starting a process the system faults in the pages of an executable as they are needed. This is preferable to loading the entire image at startup. The same can be said for memory mapped files and file system cache. All of these features leverage the ability of the system to fault in pages as needed. The greatest impact of paging on a process is when the process must wait for an in-page fault or when page file activity represents a significant portion of the disk activity on the disk the application is actively using. After evaluating page fault activity, you should be able to answer the following questions:
- What is the relationship between Page Faults/sec and Pages Input/sec + Pages Output/sec?
- What is the relationship, if any, between hard page faults and available memory?
- Does paging activity represent a significant portion of processor or I/O resource usage?

Don't Prematurely Jump to Any Conclusions
Analyzing memory pressure takes time and patience. An individual counter in and of itself means little.
It is only when you start to explore relationships between cause and effect that you can begin to understand the impact of a particular counter. The key thoughts to remember are:
- With the exception of a swap (when the entire process's working set has been swapped out/in), hard page faults to resolve reads are the most expensive in terms of their effect on a process's perceived performance.
- In general, page writes associated with page faults do not directly affect a process's perceived performance, unless that process is waiting on a free page to be made available. Page file activity can become a problem if that activity competes for a significant percentage of the disk throughput in a heavy I/O orientated environment. That assumes, of course, that the page file resides on the same disk the application is using.

Lab 3.1 System Memory

Lab 3.1: Analyzing System Memory Using System Monitor

Exercise 1 - Troubleshooting the Cardinal1.log File
Students will evaluate an existing System Monitor log and determine if there is a problem and what the problem is. Students should be able to isolate the issue as a memory problem, locate the offending process, and determine whether or not this is a pool issue.

Exercise 2 - LeakyApp Behavior
Students will start LeakyApp and monitor memory, page file and cache counters to better understand the dynamics of these counters.

Exercise 3 - Process Swap Due To Minimizing of the Cmd Window
Students will start SQL Server from the command line while viewing SQL Server process performance counters. Students will then minimize the window and note the effect on the working set.

Overview

What You Will Learn
After completing this lab, you will be able to:
- Use some of the basic functions within System Monitor.
- Troubleshoot one or more common performance scenarios.
Before You Begin

Prerequisites
To complete this lab, you need the following:
- Windows 2000
- SQL Server 2000
- Lab Files Provided
- LeakyApp.exe (Resource Kit)
Estimated time to complete this lab: 45 minutes

Exercise 1: Troubleshooting the Cardinal1.log File
In this exercise, you will analyze a log file from an actual system that was having performance problems. Like an actual support engineer, you will not have much information from which to draw conclusions. The customer has sent you this log file and it is up to you to find the cause of the problem. However, unlike the real world, you have an instructor available to give you hints should you become stuck.

Goal
Review the Cardinal1.log file (this file is from Windows NT 4.0 Performance Monitor, which Windows 2000 can read). Chart the log file and begin to investigate the counters to determine what is causing the performance problems. Your goal should be to isolate the problem to a major area such as pool, virtual address space, etc., and begin to isolate the problem to a specific process or thread. This lab requires access to the log file Cardinal1.log located in C:\LABS\M3\LAB1\EX1

To analyze the log file:
1. Using the Performance MMC, select the System Monitor snap-in, and click the View Log File Data button (the icon looks like a disk).
2. Under Files of type, choose PERFMON Log Files (*.log).
3. Navigate to the folder containing the Cardinal1.log file and open it.
4. Begin examining counters to find what might be causing the performance problems. When examining some of these counters, you may notice that some of them go off the top of the chart. It may be necessary to adjust the scale on these. This can be done by right-clicking the rightmost pane and selecting Properties. Select the Data tab. Select the counter that you wish to modify. Under the Scale option, change the scale value, which makes the counter data visible on the chart. You may need to experiment with different scale values before finding the ideal value.
Also, it may sometimes be beneficial to adjust the vertical scale for the entire chart. Selecting the Graph tab on the Properties page can do this. In the Vertical scale area, adjust the Maximum and Minimum values to best fit the data on the chart.

Lab 3.1, Exercise 1: Results

Exercise 2: LeakyApp Behavior
In this lab, you will have an opportunity to work with a partner to monitor a live system which is suffering from a simulated memory leak.

Goal
During this lab, your goal is to observe the system behavior when memory starts to become a limited resource. Specifically, you will want to monitor committed memory, available memory, the system working set including the file system cache, and each process's working set. At the end of the lab, you should be able to provide an answer to the listed questions.

To monitor a live system with a memory leak:
1. Choose one of the two systems as a victim on which to run the leakyapp.exe program. It is recommended that you boot using the /MAXMEM=128 option so that this lab goes a little faster. You and your partner should decide which server will play the role of the problematic server and which server is to be used for monitoring purposes.
2. On the problematic server, start the leakyapp program.
3. On the monitoring system, create a counter log that logs all the counters needed to troubleshoot a memory problem. This should include PhysicalDisk counters if you think paging is a problem. Because it is likely that you will only need to capture less than five minutes of activity, the suggested interval for capturing is five seconds.
4. After the counters have been started, start the leaky application program.
5. Click Start Leaking. The button will now change to Stop Leaking, which indicates that the system is now leaking memory.
6. After leakyapp shows the page file is 50 percent full, click Stop Leaking. Note that the process has not given back its memory yet. After approximately one minute, exit.
Lab 3.1, Exercise 2: Questions
After analyzing the counter logs you should be able to answer the following:
1. Under which system memory counter does the leak show up clearly? Memory:Committed Bytes
2. What process counter looked very similar to the overall system counter that showed the leak? Private Bytes
3. Is the leak in Paged Pool, Non-paged pool, or elsewhere? Elsewhere
4. At what point did Windows 2000 start to aggressively trim the working sets of all user processes? < 5 MB free
5. Was the System Working Set trimmed before or after the working sets of other processes? After
6. What counter showed this? Memory:Cache Bytes
7. At what point was the File System Cache trimmed? After the first pass through all other working sets
8. What was the effect on all the processes' working sets when the application quit leaking? None
9. What was the effect on all the working sets when the application exited? Nothing, initially; but all grew fairly quickly based on use
10. When the server was running low on memory, which was Windows spending more time doing, paging to disk or in-paging? Paging to disk, initially; however, as other applications began to run, in-paging increased

Exercise 3: Minimizing a Command Window
In this exercise, you will have an opportunity to observe the behavior of Windows 2000 when a command window is minimized.

Goal
During this lab, your goal is to observe the behavior of Windows 2000 when a command window becomes minimized. Specifically, you will want to monitor private bytes, virtual bytes, and working set of SQL Server when the command window is minimized. At the end of the lab, you should be able to provide an answer to the listed questions.

To monitor a command window's working set as the window is minimized:
1. Using System Monitor, create a counter list that logs all the counters needed to troubleshoot a memory problem.
Because it is likely that you will only need to capture less than five minutes of activity, the suggested capturing interval is five seconds.
2. After the counters have been started, start a Command Prompt window on the target system.
3. In the command window, start SQL Server from the command line. Example: sqlservr.exe -c -sINSTANCE1
4. After SQL Server has successfully started, minimize the Command Prompt window.
5. Wait approximately two minutes, and then restore the window.
6. Wait approximately two minutes, and then stop the counter log.

Lab 3.1, Exercise 3: Questions
After analyzing the counter logs you should be able to answer the following questions:
1. What was the effect on SQL Server's private bytes, virtual bytes, and working set when the window was minimized? Private Bytes and Virtual Bytes remained the same, while Working Set went to 0
2. What was the effect on SQL Server's private bytes, virtual bytes, and working set when the window was restored? None; the Working Set did not grow until SQL Server accessed the pages and faulted them back in on an as-needed basis

SQL Server Memory Overview
Now that you have a better understanding of how Windows 2000 manages memory resources, you can take a closer look at how SQL Server 2000 manages its memory. During the course of the lecture and labs you will have the opportunity to monitor SQL Server's use of memory under varying conditions using both System Monitor counters and SQL Server tools.

SQL Server Memory Management Goals
Because SQL Server has in-depth knowledge about the relationships between data and the pages they reside on, it is in a better position to judge when and what pages should be brought into memory, how many pages should be brought in at a time, and how long they should be resident. SQL Server's primary goals for management of its memory are the following:
- Be able to dynamically adjust for varying amounts of available memory.
- Be able to respond to outside memory pressure from other applications.
- Be able to adjust memory dynamically for internal components.

Items Covered
- SQL Server Memory Definitions
- SQL Server Memory Layout
- SQL Server Memory Counters
- Memory Configuration Options
- Buffer Pool Performance and Counters
- Set Aside Memory and Counters
- General Troubleshooting Process
- Memory Myths and Tips

SQL Server Memory Definitions
Pool: A group of resources, objects, or logical components that can service a resource allocation request.
Cache: The management of a pool or resource, the primary goal of which is to increase performance.
Bpool: The Bpool (Buffer Pool) is a single static class instance. The Bpool is made up of 8-KB buffers and can be used to handle data pages or external memory requests. There are three basic types or categories of committed memory in the Bpool:
- Hashed Data Pages
- Committed Buffers on the Free List
- Buffers known by their owners (refer to the definition of Stolen)
Consumer: A consumer is a subsystem that uses the Bpool. A consumer can also be a provider to other consumers. There are five consumers and two advanced consumers that are responsible for the different categories of memory. The following list represents the consumers and a partial list of their categories:
- Connection - Responsible for PSS and ODS memory allocations
- General - Resource structures, parse headers, lock manager objects
- Utilities - Recovery, Log Manager
- Optimizer - Query Optimization
- Query Plan - Query Plan Storage
Advanced Consumer: Along with the five consumers, there are two advanced consumers. They are:
- Ccache - Procedure cache. Accepts plans from the Optimizer and Query Plan consumers. Is responsible for managing that memory and determines when to release the memory back to the Bpool.
- Log Cache - Managed by the LogMgr, which uses the Utility consumer to coordinate memory requests with the Bpool.
Reservation: Requesting the future use of a resource. A reservation is a reasonable guarantee that the resource will be available in the future.
Committed: Producing the physical resource.
Allocation: The act of providing the resource to a consumer.
Stolen: The act of getting a buffer from the Bpool is referred to as stealing a buffer. If the buffer is stolen and hashed for a data page, it is referred to as, and counted as, a Hashed buffer, not a stolen buffer. Stolen buffers, on the other hand, are buffers used for things such as procedure cache and SRV_PROC structures.
Target: Target memory is the amount of memory SQL Server would like to maintain as committed memory. Target memory is based on the min and max server configuration values and current available memory as reported by the operating system. The actual target calculation is operating system specific.
Memory to Leave (Set Aside): The virtual address space set aside to ensure there is sufficient address space for thread stacks, XPROCS, COM objects, etc.
Hashed Page: A page in the pool that represents a database page.

SQL Server Memory Layout

Virtual Address Space
When SQL Server is started, the minimum of physical RAM or virtual address space supported by the OS is evaluated. There are many possible combinations of OS versions and memory configurations. For example: you could be running Microsoft Windows 2000 Advanced Server with 2 GB or possibly 4 GB of memory. To avoid page file use, the appropriate memory level is evaluated for each configuration.

Important: Utilities can inject a DLL into the process address space by using HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. When the USER32.dll library is mapped into the process space, so, too, are the DLLs listed in the Registry key. To determine what DLLs are running in the SQL Server address space you can use tlist.exe. You can also use a tool such as Depends from Microsoft or HandleEx from http://ww.sysinternals.com.
Memory to Leave
As stated earlier, there are many possible configurations of physical memory and address space. It is possible for physical memory to be greater than virtual address space. To ensure that some virtual address space is always available for things such as thread stacks and external needs such as XPROCS, SQL Server reserves a small portion of virtual address space prior to determining the size of the buffer pool. This address space is referred to as Memory To Leave. Its size is based on the number of anticipated thread stacks and a default value for external needs referred to as cmbAddressSave. After reserving the buffer pool space, the Memory To Leave reservation is released.

Buffer Pool Space
During startup, SQL Server must determine the maximum size of the buffer pool so that the BUF, BUFHASH and COMMIT BITMAP structures that are used to manage the Bpool can be created. It is important to understand that SQL Server does not take 'max memory' or existing memory pressure into consideration. The reserved address space of the buffer pool remains static for the life of the SQL Server process. However, the committed space varies as necessary to provide dynamic scaling. Remember, only the committed memory affects the overall memory usage on the machine. This ensures that the max memory configuration setting can be dynamically changed with minimal changes needed to the Bpool. The reserved space does not need to be adjusted and is maximized for the current machine configuration. Only the committed buffers need to be limited to maintain a specified max server memory (MB) setting.

SQL Server Startup Pseudo Code
The following pseudo code represents the process SQL Server goes through on startup.

Warning: This example does not represent a completely accurate portrayal of the steps SQL Server takes when initializing the buffer pool. Several details have been left out or glossed over.
The intent of this example is to help you understand the general process, not the specific details.
- Determine the size of cmbAddressSave (-g)
- Determine Total Physical Memory
- Determine Available Physical Memory
- Determine Total Virtual Memory
- Calculate MemToLeave: maxworkerthreads * (stacksize = 512 KB) + (cmbAddressSave = 256 MB)
- Reserve MemToLeave and set PAGE_NOACCESS
- Check for AWE, test to see if it makes sense to use it and log the results:
  • Min(Available Memory, Max Server Memory) > Virtual Memory
  • Supports Read Scatter
  • SQL Server not started with -f
  • AWE Enabled via sp_configure
  • Enterprise Edition
  • Lock Pages In Memory user right enabled
- Calculate Virtual Address Limit: VA Limit = Min(Physical Memory, Virtual Memory - MemToLeave)
- Calculate the number of physical and virtual buffers that can be supported:
  AWE Present: Physical Buffers = RAM / (PAGESIZE + Physical Overhead); Virtual Buffers = VA Limit / (PAGESIZE + Virtual Overhead)
  AWE Not Present: Physical Buffers = Virtual Buffers = VA Limit / (PAGESIZE + Physical Overhead + Virtual Overhead)
- Make sure we have the minimum number of buffers: Physical Buffers = Max(Physical Buffers, MIN_BUFFERS)
- Allocate and commit the buffer management structures
- Reserve the address space required to support the Bpool buffers
- Release the MemToLeave

SQL Server Startup Pseudo Code Example
The following is an example based on the pseudo code represented on the previous page. This example is based on a machine with 384 MB of physical memory, not using AWE or /3GB.

Note: cmbAddressSave was changed between SQL Server 7.0 and SQL Server 2000. For SQL Server 7.0, cmbAddressSave was 128.

Warning: This example does not represent a completely accurate portrayal of the steps SQL Server takes when initializing the buffer pool. Several details have been left out or glossed over. The intent of this example is to help you understand the general process, not the specific details.
- Determine the size of cmbAddressSave (no -g, so 256 MB)
- Determine Total Physical Memory (384 MB)
- Determine Available Physical Memory (384 MB)
- Determine Total Virtual Memory (2 GB)
- Calculate MemToLeave: maxworkerthreads * (stacksize = 512 KB) + (cmbAddressSave = 256 MB) = 255 * 0.5 MB + 256 MB = 384 MB
- Reserve MemToLeave and set PAGE_NOACCESS
- Check for AWE, test to see if it makes sense to use it and log the results (AWE not enabled)
- Calculate Virtual Address Limit: VA Limit = Min(Physical Memory, Virtual Memory - MemToLeave) = Min(384 MB, 2 GB - 384 MB) = 384 MB
- Calculate the number of physical and virtual buffers that can be supported (AWE not present): 48664 (approx.) = 384 MB / (8 KB + Overhead)
- Make sure we have the minimum number of buffers: Physical Buffers = Max(Physical Buffers, MIN_BUFFERS) = Max(48664, 1024) = 48664
- Allocate and commit the buffer management structures
- Reserve the address space required to support the Bpool buffers
- Release the MemToLeave

Tip: Trace Flag 1604 can be used to view memory allocations on startup. The cmbAddressSave can be adjusted using the -g XXX startup parameter.

SQL Server Memory Counters
The two primary tools for monitoring and analyzing SQL Server memory usage are System Monitor and DBCC MEMORYSTATUS. For detailed information on DBCC MEMORYSTATUS refer to Q271624 Interpreting the Output of the DBCC MEMORYSTATUS Command.

Important: Represents SQL Server 2000 counters. The counters presented are not the same as the counters for SQL Server 7.0. The SQL Server 7.0 counters are listed in the appendix.

Determining Memory Usage for OS and BPOOL
Memory Manager: Total Server Memory (KB) - Represents all of SQL Server's usage
Buffer Manager: Total Pages - Represents total bpool usage
To determine how much of Total Server Memory (KB) represents MemToLeave space, subtract Buffer Manager: Total Pages. The result can be verified against DBCC MEMORYSTATUS, specifically Dynamic Memory Manager: OS In Use.
It should however be noted that this value only represents requests that went through the bpool. Memory reserved outside of the bpool by components such as COM objects will not show up here, although they will count against the SQL Server private byte count.
Buffer Counts: Target (Buffer Manager: Target Pages) - The size the buffer pool would like to be. If this value is larger than committed, the buffer pool is growing.
Buffer Counts: Committed (Buffer Manager: Total Pages) - The total number of buffers committed in the OS. This is the current size of the buffer pool.
Buffer Counts: Min Free - This is the number of pages that the buffer pool tries to keep on the free list. If the free list falls below this value, the buffer pool will attempt to populate it by discarding old pages from the data or procedure cache.
Buffer Distribution: Free (Buffer Manager / Buffer Partition: Free Pages) - This value represents the buffers currently not in use. These are available for data or may be requested by other components and mar
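The post's leak-hunting advice (fit a trend per process instead of trusting the Process(_Total) rollup, and watch handles as well as Private Bytes) can be turned into a small script. The following is an added example, not code from the post or from Microsoft: it builds a constructed counter log in the PDH-CSV shape that Performance Monitor writes (one timestamp column followed by one column per counter; the machine name SRV1, the process names and every value are made up), fits a least-squares slope to each column, and reports the columns that grow steadily. In the sample, leakyapp gains 1 MB and 3 handles every 5 seconds while sqlservr releases 1 MB, so the _Total column is flat and would hide the leak.

```python
"""Per-process trend analysis of a Performance Monitor counter log.

Added example, not part of the original post. The log layout (PDH-CSV 4.0
header, timestamps in the first column, one column per counter) and all of the
sample values are constructed so the script runs offline.
"""
import csv
import io
from datetime import datetime, timedelta

TIME_FORMAT = "%m/%d/%Y %H:%M:%S.%f"   # timestamp format used in PDH CSV logs
MB = 1024 * 1024


def make_sample_log(samples=13, interval_s=5):
    """Constructed log: leakyapp gains 1 MB and 3 handles per sample, sqlservr
    releases 1 MB per sample, so Process(_Total)\\Private Bytes stays flat."""
    columns = [
        r"\\SRV1\Process(leakyapp)\Private Bytes",
        r"\\SRV1\Process(sqlservr)\Private Bytes",
        r"\\SRV1\Process(_Total)\Private Bytes",
        r"\\SRV1\Process(leakyapp)\Handle Count",
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["(PDH-CSV 4.0)"] + columns)
    start = datetime(2003, 11, 19, 1, 26, 8)
    other = 150 * MB                      # every other process, held constant
    for i in range(samples):
        leaky = 20 * MB + i * MB
        sql = 100 * MB - i * MB
        stamp = (start + timedelta(seconds=i * interval_s)).strftime(TIME_FORMAT)[:-3]
        writer.writerow([stamp, leaky, sql, leaky + sql + other, 120 + 3 * i])
    return buf.getvalue()


def least_squares_slope(xs, ys):
    """Slope of the best-fit line y = a + b*x (units of y per unit of x)."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx


def counter_slopes(csv_text):
    """Return {counter path: growth per second} for every column in the log."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, data = rows[0], rows[1:]
    t0 = datetime.strptime(data[0][0], TIME_FORMAT)
    xs = [(datetime.strptime(r[0], TIME_FORMAT) - t0).total_seconds() for r in data]
    slopes = {}
    for col, name in enumerate(header[1:], start=1):
        ys = [float(r[col]) for r in data]
        slopes[name] = least_squares_slope(xs, ys)
    return slopes


def leak_suspects(csv_text, min_bytes_per_s=50_000, min_handles_per_s=0.5):
    """Counters that grow steadily; the _Total rollup is skipped because, as the
    post explains, growth in one process can be cancelled by frees in another."""
    suspects = []
    for name, slope in counter_slopes(csv_text).items():
        if "(_Total)" in name:
            continue
        is_bytes = name.endswith("Bytes")
        if (is_bytes and slope >= min_bytes_per_s) or \
           (not is_bytes and slope >= min_handles_per_s):
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    log = make_sample_log()
    for name, slope in counter_slopes(log).items():
        print(f"{slope:12.1f}/s  {name}")
    print("suspects:", leak_suspects(log))
```

Run against a real capture, pass the text of a counter log saved in CSV format to counter_slopes and leak_suspects; the thresholds are starting points and should be set from a baseline of the same server, and a flagged helper process (svchost, spoolsv, winlogon) still needs Tlist -s and a module list to tell which hosted service or third-party DLL is responsible.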
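The startup pseudo code and its 384 MB walk-through above can be run as a model, which makes it easy to see what -g, /3GB and AWE do to the address-space budget. The following is an added example, not the post's material and not SQL Server's own code. PAGESIZE, the 512 KB stack size, the 256 MB default cmbAddressSave, 255 worker threads, MIN_BUFFERS = 1024 and the six AWE checks are taken from the post; the two per-buffer overhead constants are assumptions chosen so that 384 MB yields the post's "approx 48664" buffers, and the function names are mine.

```python
"""Model of the SQL Server 2000 startup memory calculation in the post.

Added example, not SQL Server's own code. All sizes are in bytes.
"""
KB = 1024
MB = 1024 * KB
PAGESIZE = 8 * KB
STACK_SIZE = 512 * KB                     # per worker thread, from the post
DEFAULT_CMB_ADDRESS_SAVE = 256 * MB       # SQL Server 2000 default (128 MB in 7.0)
MIN_BUFFERS = 1024
PHYSICAL_OVERHEAD = 64                    # assumption: BUF bookkeeping bytes per buffer
VIRTUAL_OVERHEAD = 18                     # assumption: hash/commit-bitmap bytes per buffer


def awe_makes_sense(available, max_server_memory, virtual, *, read_scatter,
                    started_with_f, awe_enabled, enterprise, lock_pages_right):
    """The six conditions of the post's AWE step; any one failing disables AWE."""
    return (min(available, max_server_memory) > virtual
            and read_scatter
            and not started_with_f
            and awe_enabled
            and enterprise
            and lock_pages_right)


def plan_buffer_pool(physical, virtual=2048 * MB, max_worker_threads=255,
                     cmb_address_save=DEFAULT_CMB_ADDRESS_SAVE, use_awe=False):
    """MemToLeave, VA limit and buffer counts for one configuration."""
    # MemToLeave = maxworkerthreads * stacksize + cmbAddressSave (-g overrides the latter)
    mem_to_leave = max_worker_threads * STACK_SIZE + cmb_address_save
    # VA Limit = Min(Physical Memory, Virtual Memory - MemToLeave)
    va_limit = min(physical, virtual - mem_to_leave)
    if use_awe:
        physical_buffers = physical // (PAGESIZE + PHYSICAL_OVERHEAD)
        virtual_buffers = va_limit // (PAGESIZE + VIRTUAL_OVERHEAD)
    else:
        physical_buffers = virtual_buffers = va_limit // (
            PAGESIZE + PHYSICAL_OVERHEAD + VIRTUAL_OVERHEAD)
    # Physical Buffers = Max(Physical Buffers, MIN_BUFFERS)
    physical_buffers = max(physical_buffers, MIN_BUFFERS)
    return {
        "mem_to_leave": mem_to_leave,
        "va_limit": va_limit,
        "physical_buffers": physical_buffers,
        "virtual_buffers": virtual_buffers,
    }


if __name__ == "__main__":
    cases = [
        ("384 MB, no AWE, no /3GB", dict(physical=384 * MB)),
        ("384 MB, -g384", dict(physical=384 * MB, cmb_address_save=384 * MB)),
        ("8 GB, AWE", dict(physical=8 * 1024 * MB, use_awe=True)),
        ("8 GB, AWE, /3GB", dict(physical=8 * 1024 * MB, virtual=3072 * MB, use_awe=True)),
    ]
    for label, kwargs in cases:
        p = plan_buffer_pool(**kwargs)
        print(f"{label:24s} MemToLeave={p['mem_to_leave'] / MB:7.1f} MB  "
              f"VA limit={p['va_limit'] / MB:7.1f} MB  "
              f"phys={p['physical_buffers']}  virt={p['virtual_buffers']}")
```

The model reproduces the post's figures for the 384 MB case (383.5 MB of MemToLeave, a 384 MB VA limit, 48664 buffers) and shows why a larger -g value buys address space for XPROCS and COM objects only at the cost of buffers, and why AWE decouples physical buffers from the virtual limit. To compare it with a real instance, the post points at trace flag 1604 for the startup allocations and DBCC MEMORYSTATUS for the running totals.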
