EWF RAM, manage memory consumption


Hi

I have a CF card which I protect with EWF RAM mode. During the 24 hours in
which the computer has been idling, EWF has consumed 5,25 MB of RAM. In my
case the system will run out of memory in 57 days. The system is handling
mission critical systems and must be running 24/7 for years. Rebooting is not
an option.

By using Filemon (excellent freeware from www.sysinternals.com), I can
monitor all disk access done by the system. I filtered out disk writes. Here
is a list of repeating disk writes done by the system:

System:4 C:\WINDOWS\system32\config\SYSTEM.LOG
System:4 C:\WINDOWS\system32\config\AppEvent.Evt
System:4 C:\$LogFile
System:4 C:\$Directory
System:4 C:\$Mft
svchost.exe:884 C:\WINDOWS\system32\config\SYSTEM.LOG
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
svchost.exe:884 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
svchost.exe:884 C:\$LogFile
winlogon.exe:484 C:\Documents and Settings\Administrator\ntuser.dat.LOG
winlogon.exe:484 C:\WINDOWS\system32\config\SOFTWARE.LOG
services.exe:528 C:\WINDOWS\system32\config\AppEvent.Evt
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\MQInSeqs.lg1
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\MQTrans.lg1
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\QMLog
mqsvc.exe:412 C:\$LogFile

I assume the $LogFile, $Directory and $Mft writes are a result of the other disk writes.

I need some suggestions as to how I can get rid of these disk writes.
Redirecting them is also an option IF the system will continue to work when
the place the writes are redirected to is no longer available, e.g. a hard
drive which fails.

I'll appreciate any suggestions.

John

PS! I will not be able to reply in a couple of days
 
By design, RAM-based EWF consumes part of the RAM equivalent to a disk
sector size for every *new* sector the OS or user writes to. There is no
way to eliminate *all* OS writes, in particular writes to the NTFS
filesystem metadata files (those file names starting with the $ sign), and
especially if the user frequently interacts with the filesystem (creating,
deleting and accessing files). So it's normal for the system to
increasingly consume RAM when the OS partition is protected by RAM-based
EWF. At some point though, EWF memory consumption should stabilize and
should not increase at the same rate (or even at all) as when the system was
initially deployed. The worst-case scenario is when you have an app or service
that writes to every sector on the protected partition; in this case EWF
will consume a maximum memory amount equivalent to the size of the protected
partition. You won't usually hit the worst-case scenario unless you have
such an app or service.

Here is a summary of things you can do to reduce writes to the protected
partition and consequently reduce the memory consumption of EWF:

1. If you do large amounts of file operations (creation, deletion, etc.), they
should be done on an unprotected partition.
2. Follow the guidelines in the XPe SP2 doc on how to improve EWF
performance:
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconewfperformanceconsiderations.asp
Very useful tips there about how to relocate many of the system writes to a
location other than the protected partition.
3. Relocate user profiles to the unprotected partition:
http://support.microsoft.com/kb/314843
4. Reconsider using EWF on the devices. If EWF is absolutely needed,
consider using disk-based EWF, where in this case writes to the protected
partition are redirected to the disk drive instead of RAM.
5. Investigate the memory consumption increase, as it might be caused by
another app (theirs or 3rd party) or by modules in the OS.
6. Use a pagefile on the unprotected partition, which will improve the
system memory management performance.
7. Format the protected partition with FAT instead of NTFS. FAT writes less
to its metadata.
8. Use Regmon to find out who exactly is writing to the registry hives.
9. Increase the system RAM.

I hope the above helps

KS

This posting is provided "AS IS" with no warranties and confers no rights.
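As an added illustration of the copy-on-write behaviour KS describes (this is example code, not from the thread or from Microsoft's EWF), the model below keeps one sector-sized copy per distinct protected sector that has been written and charges nothing for rewriting an already-copied sector. Everything it consumes is assumed: a 512-byte sector, a constructed write trace in a simplified Filemon-like layout that adds byte offset and length columns (the posted list has only process and path), and the 300 MB of free RAM implied by the original figures (5,25 MB/day exhausted in 57 days). Replaying such a trace shows which processes drive overlay growth by touching fresh sectors (appending logs) versus which ones only rewrite the same bytes (hive updates), which is the distinction that decides whether consumption stabilizes.

```python
"""Sector-level model of a RAM-based EWF overlay (constructed example)."""
import re
from collections import defaultdict

SECTOR = 512  # bytes; assumed sector size of the protected partition

# Constructed trace: "<process>:<pid> <path> <byte offset> <length>".
# Log appends touch new sectors each time; the hive log and QMLog writes
# below hit the same bytes twice, so the second write costs no overlay RAM.
TRACE = r"""
System:4 C:\WINDOWS\system32\config\SYSTEM.LOG 0 512
System:4 C:\WINDOWS\system32\config\SYSTEM.LOG 0 512
System:4 C:\WINDOWS\system32\config\AppEvent.Evt 0 1024
services.exe:528 C:\WINDOWS\system32\config\AppEvent.Evt 1024 1024
services.exe:528 C:\WINDOWS\system32\config\AppEvent.Evt 2048 1024
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\QMLog 0 4096
mqsvc.exe:412 C:\WINDOWS\system32\msmq\storage\QMLog 0 4096
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<path>.+?)\s+(?P<off>\d+)\s+(?P<len>\d+)$"
)


class RamOverlay:
    """Copy-on-write overlay: the set of (path, sector index) pairs already copied."""

    def __init__(self, sector=SECTOR):
        self.sector = sector
        self.copied = set()
        self.new_sectors_by_proc = defaultdict(int)

    def write(self, proc, path, offset, length):
        """Apply one write; return how many *new* sectors it added to the overlay."""
        first = offset // self.sector
        last = (offset + length - 1) // self.sector
        added = 0
        for idx in range(first, last + 1):
            key = (path.lower(), idx)  # NTFS paths are case-insensitive
            if key not in self.copied:
                self.copied.add(key)
                added += 1
        self.new_sectors_by_proc[proc] += added
        return added

    def bytes_used(self):
        return len(self.copied) * self.sector


def replay(trace, sector=SECTOR):
    """Replay a trace in the constructed format and return the resulting overlay."""
    overlay = RamOverlay(sector)
    for line in trace.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # skip blank or malformed lines
            overlay.write(match["proc"], match["path"],
                          int(match["off"]), int(match["len"]))
    return overlay


def top_writers(overlay):
    """Processes ordered by the number of fresh sectors they forced into RAM."""
    return sorted(overlay.new_sectors_by_proc.items(), key=lambda kv: -kv[1])


def days_until_exhausted(free_mb, growth_mb_per_day):
    """Linear projection of when a steadily growing overlay fills free RAM."""
    if growth_mb_per_day <= 0:
        return float("inf")
    return free_mb / growth_mb_per_day


if __name__ == "__main__":
    ov = replay(TRACE)
    print(f"overlay RAM used: {ov.bytes_used()} bytes over {len(ov.copied)} sectors")
    for proc, sectors in top_writers(ov):
        print(f"  {proc:14s} {sectors:4d} new sectors")
    # assumed 300 MB free, growing at the posted 5.25 MB/day
    print(f"projected exhaustion: {days_until_exhausted(300, 5.25):.1f} days")
```

The per-process counts are the number worth watching on a real device: a writer whose count keeps climbing between two snapshots is touching fresh sectors and will not stabilize, which is the behaviour the relocation advice above (profiles, event logs, MSMQ storage) is meant to move off the protected partition.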
 
If machines are never allowed to reboot, how will they be kept up to date
with the latest security updates? Even if they're designed to run
stand-alone, it's critical for these machines to be patched with the latest
security updates, since some of the vulnerabilities can be exploited locally
at the console and not necessarily over the network. It's a good idea to
schedule the reboot with the installation of the updates to reduce the
number of reboots. This way you ensure the systems are updated and the EWF
overlay is cleared after reboot.

KS

This posting is provided "AS IS" with no warranties and confers no rights.
 