Thread: TeaTimer and Page Faults (technical)

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Question TeaTimer and Page Faults (technical)

    There are a few related threads so I won't waste time getting to the point, though I'll digress into nuisance msgs from Symantec Antivirus for a moment. On a machine:

    Compaq: Windows XP Pro SP2 / 2.44 GHz / 1 GB
    TeaTimer version: 1.4.0.2

    TeaTimer causes approximately 23 million page faults per day (nearly the same as the Machine Debug Manager). These two processes do in fact show identical PF Delta in task manager though they are NOT required to be running simultaneously; killing most tasks except TeaTimer exhibits the same behavior, with delta obviously less pronounced. I assume both processes scan all modules, explaining their similarity.

    A quick review from pfmon shows the code block below. It appears that the bulk of (soft) faults occur in ProbeForWrite messages, which (IIRC) ensures that the module...err, memory...being accessed isn't part of the kernel address space. The only other process that exhibits this behavior is Symantec Antivirus's rtvscan process, but it's overwhelmingly stable, i.e., no page faults unless it's actively scanning.

    So, comparing slightly to Symantec Antivirus which provides its own active module protection, what is it that TeaTimer is doing that creates 257 page faults per second and consumes 6% of my CPU? Tangentially, could TeaTimer be the cause for the thousands of eventlog messages I get from Symantec Antivirus? E.g.:

    Code:
    Event Type:	Error
    Event Source:	Symantec AntiVirus
    Event Category:	None
    Event ID:	45
    Threat: {...}rundll32.exe
    in File: {...}Symantec Shared\ccApp.exe
    by: Tamper Protection scan.
    Action: Blocked.
    Action Description:{none}

    Page Faults:

    Code:
    Number, Type, Program Counter's Module (PC), Symbol for PC, Decimal value of PC, Module of the Virtual Address Accessed (VA), Symbol for VA, value of VA
           0	SOFT	(null)	NtWriteFile+0x162	2153218615		wcstombs+0x0000AD63	2090317472
           1	SOFT	(null)	NtWriteFile+0x162	2153218615		5ada0000	1524236288
           2	SOFT	(null)	PsGetProcessJob+0xb9	2152667273		01122000	17965056
           3	SOFT	(null)	PsGetProcessJob+0xb9	2152667273		Ordinal325+0x00003000	1995845632
           4	SOFT	(null)	PsGetProcessJob+0xb9	2152667273		77925000	2006077440
           5	SOFT		DbgUiRemoteBreakin	2090141563		DbgUiStopDebugging+0x00000021	2090141562
           6	SOFT		RtlExitUserThread	2090212323		RtlSetCurrentEnvironment+0x000000DD	2090212322
           7	HARD		strchr+0xdb	2089872860		0168ef04	23654148
           8	SOFT		strchr+0xdb	2089872860		0168ef04	23654148
           9	SOFT		00401cfa	4201722		01fbfffc	33292284
          10	SOFT		004022b7	4203191		01fbc05c	33275996
          11	SOFT	(null)	ProbeForWrite+0x239	2153142137		01680000	23592960
          12	SOFT	(null)	ProbeForWrite+0x239	2153142137		01681000	23597056
                ...
          43	SOFT	(null)	ProbeForWrite+0x239	2153142137		01820000	25296896
          44	SOFT	(null)	ProbeForWrite+0x239	2153142137		01821000	25300992
          45	SOFT		Module32Next+0x3fc	2089174961		01680004	23592964
                ...
          54	SOFT		Module32Next+0x5ef	2089175460		01688054	23625812
          55	SOFT		Process32FirstW+0x59	2089172357		01680004	23592964
          56	SOFT		Process32NextW+0x4f	2089172742		01680024	23592996
                ...
         184	SOFT		Process32NextW+0x6d	2089172772		01688b30	23628592
         185	SOFT		Process32NextW+0x4f	2089172742		01680024	23592996
         186	SOFT		0040298d	4204941		0168003c	23593020
         187	SOFT		004a7d38	4881720		01681000	23597056
         188	SOFT		004a7d38	4881720		01682000	23601152
         189	SOFT		004a7d38	4881720		01683000	23605248
         190	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         191	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         192	SOFT		RtlTimeToTimeFields+0x400	2089887757		01682c0c	23604236
    	        ...
         199	SOFT		GetFileVersionInfoW+0x9a	2009077529		01683000	23605248
    	        ...repeats of 190-192
         207	SOFT		01502f71	22032241		01680000	23592960
         208	SOFT		015698e4	22452452		01681000	23597056
         209	SOFT		015698e4	22452452		01682000	23601152
         210	SOFT		015698e4	22452452		01683000	23605248
         211	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         212	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         213	SOFT		RtlTimeToTimeFields+0x400	2089887757		01682c0c	23604236
    	        ...
         220	SOFT		01502f7b	22032251		01683018	23605272
         221	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         222	SOFT		RtlAllocateHeap+0x232	2089879558		01680000	23592960
         223	SOFT		RtlTimeToTimeFields+0x400	2089887757		01682c0c	23604236
    	        ...
         227	SOFT		01502f7b	22032251		01683018	23605272
    	        ...
    Last edited by InfotechCapital; 2007-10-13 at 20:15.

  2. #2
    PepiMK (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    I think I've described it somewhere else already, though I'm not sure in how much detail. It's basically the difference between EnumProcesses and CreateToolhelp32Snapshot. CreateToolhelp32Snapshot is the culprit that does cause that many page faults, so we prefer to use EnumProcesses, but on non-NT systems as well as on 64 bit systems, CreateToolhelp32Snapshot is needed for additional details (EnumProcesses doesn't deliver the full information there).

    If it was about the 1.5 TeaTimer, what your system description is missing is whether this is XP Pro SP 2 in the 32 or in the 64 bit version. In version 1.4 though, CreateToolhelp32Snapshot is always used, so there's no reduction of PFs on 32 bit at all. But what reason would there be to use the 1.4 TeaTimer?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
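
An added example, not part of either post: a small parser for the tab-separated pfmon listing in post #1 that tallies faults per symbol, counts the distinct 4 KiB pages each symbol touched, and separates kernel-mode from user-mode program counters. The rows are excerpted from that listing; the `KERNEL_BASE` cutoff assumes 32-bit Windows with the default 2 GB user/kernel split, and grouping `Module32Next`/`Process32FirstW`/`Process32NextW` as the Toolhelp family follows post #2.

```python
from collections import Counter, defaultdict

KERNEL_BASE = 0x80000000  # assumption: 32-bit Windows, default 2 GB split
TOOLHELP = {"Module32Next", "Process32FirstW", "Process32NextW"}

# Rows excerpted from the pfmon listing in post #1 (8 tab-separated columns).
SAMPLE = (
    "0\tSOFT\t(null)\tNtWriteFile+0x162\t2153218615\t\twcstombs+0x0000AD63\t2090317472\n"
    "7\tHARD\t\tstrchr+0xdb\t2089872860\t\t0168ef04\t23654148\n"
    "11\tSOFT\t(null)\tProbeForWrite+0x239\t2153142137\t\t01680000\t23592960\n"
    "12\tSOFT\t(null)\tProbeForWrite+0x239\t2153142137\t\t01681000\t23597056\n"
    "      ...\n"
    "43\tSOFT\t(null)\tProbeForWrite+0x239\t2153142137\t\t01820000\t25296896\n"
    "44\tSOFT\t(null)\tProbeForWrite+0x239\t2153142137\t\t01821000\t25300992\n"
    "45\tSOFT\t\tModule32Next+0x3fc\t2089174961\t\t01680004\t23592964\n"
    "55\tSOFT\t\tProcess32FirstW+0x59\t2089172357\t\t01680004\t23592964\n"
    "56\tSOFT\t\tProcess32NextW+0x4f\t2089172742\t\t01680024\t23592996\n"
    "190\tSOFT\t\tRtlAllocateHeap+0x232\t2089879558\t\t01680000\t23592960\n"
    "191\tSOFT\t\tRtlAllocateHeap+0x232\t2089879558\t\t01680000\t23592960\n"
)

def parse(text):
    """Yield (fault_type, symbol, pc, va) per data row; skip '...' and headers."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) != 8 or not cols[0].isdigit():
            continue
        symbol = cols[3].split("+")[0]          # drop the +0x offset
        yield cols[1], symbol, int(cols[4]), int(cols[7])

def summarize(text):
    """Return (faults per symbol, distinct pages per symbol, overall stats)."""
    by_symbol, pages, stats = Counter(), defaultdict(set), Counter()
    for kind, symbol, pc, va in parse(text):
        by_symbol[symbol] += 1
        pages[symbol].add(va >> 12)             # 4 KiB page number of the VA
        stats[kind] += 1
        stats["kernel_pc" if pc >= KERNEL_BASE else "user_pc"] += 1
        if symbol in TOOLHELP:
            stats["toolhelp"] += 1
    return by_symbol, {s: len(p) for s, p in pages.items()}, stats

if __name__ == "__main__":
    counts, distinct_pages, stats = summarize(SAMPLE)
    for symbol, n in counts.most_common():
        print(f"{symbol:18} faults={n:3} pages={distinct_pages[symbol]}")
    print(dict(stats))
```

In the excerpt every `ProbeForWrite` fault lands on a different page, while the two `RtlAllocateHeap` faults hit the same one; running the parser over a full pfmon capture gives the same breakdown for the whole trace.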
