InfotechCapital
2007-10-13, 20:09
There are a few related threads so I won't waste time getting to the point, though I'll digress into nuisance msgs from Symantec Antivirus for a moment. On a machine:
Compaq: Windows XP Pro SP2 / 2.44 GHz / 1 GB
TeaTimer version: 1.4.0.2
TeaTimer causes approximately 23 million pagefaults per day, nearly the same as the Machine Debug Manager (http://support.microsoft.com/kb/321410)). These two processes do in fact show identical PF Delta (http://www.microsoft.com/technet/archive/ntwrkstn/reskit/04memory.mspx?mfr=true) in task manager though they are NOT required to be running simultaneously; killing most tasks except TeaTimer exhibits the same behavior, with delta obviously less pronounced. I assume both processes scan all modules, explaining their similarity.
A quick review from pfmon (http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en) shows the code block below. It appears that the bulk of (soft) faults occur in ProbeForWrite messages, which (IIRC) ensures that the module...err, memory...being accessed isn't part of the kernel address space. The only other process that exhibits this behavior is Symantec Antivirus's rtvscan process, but it's overwhelmingly stable, i.e., no page faults unless it's actively scanning.
So, comparing slightly to Symantec Antivirus which provides its own active module protection, what is it that TeaTimer is doing that creates 257 page faults per second and consumes 6% of my CPU? Tangentially, could TeaTimer be the cause for the thousands of eventlog messages I get from Symantec Antivirus?, e.g.:
Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 45
Threat: {...}rundll32.exe
in File: {...}Symantec Shared\ccApp.exe
by: Tamper Protection scan.
Action: Blocked.
Action Description:{none}
Page Faults:
Number, Type, Program Counter's Module (PC), Symbol for PC, Decimal value of PC, Module of the Virtual Address Accessed (VA), Symbol for VA, value of VA
0 SOFT (null) NtWriteFile+0x162 2153218615 wcstombs+0x0000AD63 2090317472
1 SOFT (null) NtWriteFile+0x162 2153218615 5ada0000 1524236288
2 SOFT (null) PsGetProcessJob+0xb9 2152667273 01122000 17965056
3 SOFT (null) PsGetProcessJob+0xb9 2152667273 Ordinal325+0x00003000 1995845632
4 SOFT (null) PsGetProcessJob+0xb9 2152667273 77925000 2006077440
5 SOFT DbgUiRemoteBreakin 2090141563 DbgUiStopDebugging+0x00000021 2090141562
6 SOFT RtlExitUserThread 2090212323 RtlSetCurrentEnvironment+0x000000DD 2090212322
7 HARD strchr+0xdb 2089872860 0168ef04 23654148
8 SOFT strchr+0xdb 2089872860 0168ef04 23654148
9 SOFT 00401cfa 4201722 01fbfffc 33292284
10 SOFT 004022b7 4203191 01fbc05c 33275996
11 SOFT (null) ProbeForWrite+0x239 2153142137 01680000 23592960
12 SOFT (null) ProbeForWrite+0x239 2153142137 01681000 23597056
...
43 SOFT (null) ProbeForWrite+0x239 2153142137 01820000 25296896
44 SOFT (null) ProbeForWrite+0x239 2153142137 01821000 25300992
45 SOFT Module32Next+0x3fc 2089174961 01680004 23592964
...
54 SOFT Module32Next+0x5ef 2089175460 01688054 23625812
55 SOFT Process32FirstW+0x59 2089172357 01680004 23592964
56 SOFT Process32NextW+0x4f 2089172742 01680024 23592996
...
184 SOFT Process32NextW+0x6d 2089172772 01688b30 23628592
185 SOFT Process32NextW+0x4f 2089172742 01680024 23592996
186 SOFT 0040298d 4204941 0168003c 23593020
187 SOFT 004a7d38 4881720 01681000 23597056
188 SOFT 004a7d38 4881720 01682000 23601152
189 SOFT 004a7d38 4881720 01683000 23605248
190 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
191 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
192 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
199 SOFT GetFileVersionInfoW+0x9a 2009077529 01683000 23605248
...repeats of 190-192
207 SOFT 01502f71 22032241 01680000 23592960
208 SOFT 015698e4 22452452 01681000 23597056
209 SOFT 015698e4 22452452 01682000 23601152
210 SOFT 015698e4 22452452 01683000 23605248
211 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
212 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
213 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
220 SOFT 01502f7b 22032251 01683018 23605272
221 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
222 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
223 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
227 SOFT 01502f7b 22032251 01683018 23605272
...
Compaq: Windows XP Pro SP2 / 2.44 GHz / 1 GB
TeaTimer version: 1.4.0.2
TeaTimer causes approximately 23 million pagefaults per day, nearly the same as the Machine Debug Manager (http://support.microsoft.com/kb/321410)). These two processes do in fact show identical PF Delta (http://www.microsoft.com/technet/archive/ntwrkstn/reskit/04memory.mspx?mfr=true) in task manager though they are NOT required to be running simultaneously; killing most tasks except TeaTimer exhibits the same behavior, with delta obviously less pronounced. I assume both processes scan all modules, explaining their similarity.
A quick review from pfmon (http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en) shows the code block below. It appears that the bulk of (soft) faults occur in ProbeForWrite messages, which (IIRC) ensures that the module...err, memory...being accessed isn't part of the kernel address space. The only other process that exhibits this behavior is Symantec Antivirus's rtvscan process, but it's overwhelmingly stable, i.e., no page faults unless it's actively scanning.
So, comparing slightly to Symantec Antivirus which provides its own active module protection, what is it that TeaTimer is doing that creates 257 page faults per second and consumes 6% of my CPU? Tangentially, could TeaTimer be the cause for the thousands of eventlog messages I get from Symantec Antivirus?, e.g.:
Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 45
Threat: {...}rundll32.exe
in File: {...}Symantec Shared\ccApp.exe
by: Tamper Protection scan.
Action: Blocked.
Action Description:{none}
Page Faults:
Number, Type, Program Counter's Module (PC), Symbol for PC, Decimal value of PC, Module of the Virtual Address Accessed (VA), Symbol for VA, value of VA
0 SOFT (null) NtWriteFile+0x162 2153218615 wcstombs+0x0000AD63 2090317472
1 SOFT (null) NtWriteFile+0x162 2153218615 5ada0000 1524236288
2 SOFT (null) PsGetProcessJob+0xb9 2152667273 01122000 17965056
3 SOFT (null) PsGetProcessJob+0xb9 2152667273 Ordinal325+0x00003000 1995845632
4 SOFT (null) PsGetProcessJob+0xb9 2152667273 77925000 2006077440
5 SOFT DbgUiRemoteBreakin 2090141563 DbgUiStopDebugging+0x00000021 2090141562
6 SOFT RtlExitUserThread 2090212323 RtlSetCurrentEnvironment+0x000000DD 2090212322
7 HARD strchr+0xdb 2089872860 0168ef04 23654148
8 SOFT strchr+0xdb 2089872860 0168ef04 23654148
9 SOFT 00401cfa 4201722 01fbfffc 33292284
10 SOFT 004022b7 4203191 01fbc05c 33275996
11 SOFT (null) ProbeForWrite+0x239 2153142137 01680000 23592960
12 SOFT (null) ProbeForWrite+0x239 2153142137 01681000 23597056
...
43 SOFT (null) ProbeForWrite+0x239 2153142137 01820000 25296896
44 SOFT (null) ProbeForWrite+0x239 2153142137 01821000 25300992
45 SOFT Module32Next+0x3fc 2089174961 01680004 23592964
...
54 SOFT Module32Next+0x5ef 2089175460 01688054 23625812
55 SOFT Process32FirstW+0x59 2089172357 01680004 23592964
56 SOFT Process32NextW+0x4f 2089172742 01680024 23592996
...
184 SOFT Process32NextW+0x6d 2089172772 01688b30 23628592
185 SOFT Process32NextW+0x4f 2089172742 01680024 23592996
186 SOFT 0040298d 4204941 0168003c 23593020
187 SOFT 004a7d38 4881720 01681000 23597056
188 SOFT 004a7d38 4881720 01682000 23601152
189 SOFT 004a7d38 4881720 01683000 23605248
190 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
191 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
192 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
199 SOFT GetFileVersionInfoW+0x9a 2009077529 01683000 23605248
...repeats of 190-192
207 SOFT 01502f71 22032241 01680000 23592960
208 SOFT 015698e4 22452452 01681000 23597056
209 SOFT 015698e4 22452452 01682000 23601152
210 SOFT 015698e4 22452452 01683000 23605248
211 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
212 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
213 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
220 SOFT 01502f7b 22032251 01683018 23605272
221 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
222 SOFT RtlAllocateHeap+0x232 2089879558 01680000 23592960
223 SOFT RtlTimeToTimeFields+0x400 2089887757 01682c0c 23604236
...
227 SOFT 01502f7b 22032251 01683018 23605272
...