While troubleshooting something I came across this blog today – Detecting Low Virtual Memory Conditions in Windows 2008 and R2.
Basically, since Windows 2008 there’s an inbuilt low memory detection system called RADAR (Resource Exhaustion Detection and Resolution – cool acronym!) that will log such events.
You can find them in the System logs from source
Resource-Exhaustion-Detector. These logs give more details too on what’s using the most resources. Apart from that, there’s also logs under Application & Service Logs > Microsoft > Windows > Resource-Exhaustion-Detector > Operational.
An example message from the System logs looks like this:
Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: store.exe (6292) consumed 82729553920 bytes, Microsoft.Exchange.ServiceHost.exe (4224) consumed 784441344 bytes, and w3wp.exe (4828) consumed 754692096 bytes.
Clicking on the details tab and switching to XML view gives more details:
(All this and more info can be found in the link I point to – so please check it out).
I was curious on what these figures meant though. Here’s what I understand from this great blog post by Mark Russinovich.
- Physical memory – we know.
- Virtual memory – is physical memory plus the page file on disk.
- The virtual memory is effectively what the OS can commit to any process. Meaning, guarantee that it can provide. So the system commit limit about is basically the virtual memory. (Well not entirely, as the OS needs some physical memory for itself too).
- Commit charge – the amount of committed memory across all active processes. This can’t exceed the system commit limit of course.
- When a process commits a region of virtual memory, the operating system guarantees that it can maintain all the data the process stores in the memory either in physical memory or on disk. Not all memory allocated to a process is of the committed type. Mainly private memory and pagefile-backed are of the committed type. The former can be found via tools like Process Explorer. The latter needs some during around using the
handles.execommand with the
- The type of memory allocated to a process depends on the sort of request it makes?