Monitor process memory usage status over time

Let’s assume you want to track a process’s address space usage over time. Task Manager is out of the question because it does not provide enough information. Even Process Explorer does not work because it has no logging capability.

One of the easiest solutions is to write a batch file like this.

 

@echo off

:loop
REM ----------------------
REM Attach debugger, run !address extension command, and exit.
REM The output is appended to log.txt
REM ----------------------

call cdb -loga log.txt -pv -p [process_id] -c "^!address -summary;q"

REM ----------------------
REM Sleep 4 seconds
REM ----------------------
PING -n 5 127.0.0.1>nul

REM ----------------------
REM Loop again...
REM ----------------------
goto loop

Then you can process log.txt to find the memory usage over time. Here is the sample output.

 

Opened log file 'log.txt'

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
WARNING: Process 1444 is not attached as a debuggee
The process can be examined but debug events will not be received
...
(5a4.f28): Wake debugger - code 80000007 (first chance)
eax=000005a4 ebx=7ffde000 ecx=7c802600 edx=003a0000 esi=00000000 edi=0012ff34
eip=7c90e4f4 esp=0012ff04 ebp=0012ff5c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> !address -summary;q

-------------------- Usage SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Pct(Busy) Usage
219000 ( 2148) : 00.10% 34.58% : RegionUsageIsVAD
7f9df000 ( 2090876) : 99.70% 00.00% : RegionUsageFree
1c3000 ( 1804) : 00.09% 29.04% : RegionUsageImage
100000 ( 1024) : 00.05% 16.48% : RegionUsageStack
1000 ( 4) : 00.00% 00.06% : RegionUsageTeb
130000 ( 1216) : 00.06% 19.58% : RegionUsageHeap
0 ( 0) : 00.00% 00.00% : RegionUsagePageHeap
1000 ( 4) : 00.00% 00.06% : RegionUsagePeb
1000 ( 4) : 00.00% 00.06% : RegionUsageProcessParametrs
2000 ( 8) : 00.00% 00.13% : RegionUsageEnvironmentBlock
Tot: 7fff0000 (2097088 KB) Busy: 00611000 (6212 KB)

-------------------- Type SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Usage
7f9df000 ( 2090876) : 99.70% : <free>
1c3000 ( 1804) : 00.09% : MEM_IMAGE
219000 ( 2148) : 00.10% : MEM_MAPPED
235000 ( 2260) : 00.11% : MEM_PRIVATE

-------------------- State SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Usage
2ee000 ( 3000) : 00.14% : MEM_COMMIT
7f9df000 ( 2090876) : 99.70% : MEM_FREE
323000 ( 3212) : 00.15% : MEM_RESERVE

Largest free region: Base 0041e000 - Size 7c3e2000 (2035592 KB)

quit:
Opened log file 'log.txt'

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
WARNING: Process 1444 is not attached as a debuggee
The process can be examined but debug events will not be received
...
(5a4.f28): Wake debugger - code 80000007 (first chance)
eax=000005a4 ebx=7ffde000 ecx=7c802600 edx=003a0000 esi=00000000 edi=0012ff34
eip=7c90e4f4 esp=0012ff04 ebp=0012ff5c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> !address -summary;q

-------------------- Usage SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Pct(Busy) Usage
219000 ( 2148) : 00.10% 34.58% : RegionUsageIsVAD
7f9df000 ( 2090876) : 99.70% 00.00% : RegionUsageFree
1c3000 ( 1804) : 00.09% 29.04% : RegionUsageImage
100000 ( 1024) : 00.05% 16.48% : RegionUsageStack
1000 ( 4) : 00.00% 00.06% : RegionUsageTeb
130000 ( 1216) : 00.06% 19.58% : RegionUsageHeap
0 ( 0) : 00.00% 00.00% : RegionUsagePageHeap
1000 ( 4) : 00.00% 00.06% : RegionUsagePeb
1000 ( 4) : 00.00% 00.06% : RegionUsageProcessParametrs
2000 ( 8) : 00.00% 00.13% : RegionUsageEnvironmentBlock
Tot: 7fff0000 (2097088 KB) Busy: 00611000 (6212 KB)

-------------------- Type SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Usage
7f9df000 ( 2090876) : 99.70% : <free>
1c3000 ( 1804) : 00.09% : MEM_IMAGE
219000 ( 2148) : 00.10% : MEM_MAPPED
235000 ( 2260) : 00.11% : MEM_PRIVATE

-------------------- State SUMMARY --------------------------
TotSize ( KB) Pct(Tots) Usage
2ee000 ( 3000) : 00.14% : MEM_COMMIT
7f9df000 ( 2090876) : 99.70% : MEM_FREE
323000 ( 3212) : 00.15% : MEM_RESERVE

Largest free region: Base 0041e000 - Size 7c3e2000 (2035592 KB)

quit:
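One way to turn the appended log into a per-snapshot series (an added example, not code from the original post). The function names and the second snapshot's numbers in the embedded sample are constructed for illustration; the log carries no timestamps, so snapshots are ordered by position, one per loop iteration.

```python
import re

# Constructed sample: two appended snapshots in the format shown above.
# The second snapshot's values are made up to show growth between iterations.
SAMPLE_LOG = """\
Opened log file 'log.txt'
0:000> !address -summary;q
-------------------- Usage SUMMARY --------------------------
130000 ( 1216) : 00.06% 19.58% : RegionUsageHeap
-------------------- State SUMMARY --------------------------
2ee000 ( 3000) : 00.14% : MEM_COMMIT
Largest free region: Base 0041e000 - Size 7c3e2000 (2035592 KB)
quit:
Opened log file 'log.txt'
0:000> !address -summary;q
-------------------- Usage SUMMARY --------------------------
230000 ( 2240) : 00.11% 30.96% : RegionUsageHeap
-------------------- State SUMMARY --------------------------
3ee000 ( 4024) : 00.19% : MEM_COMMIT
Largest free region: Base 0051e000 - Size 7c2e2000 (2034568 KB)
quit:
"""

SECTION = re.compile(r"^-+ (\w+) SUMMARY -+$")                   # "Usage", "Type", "State"
ROW = re.compile(r"^\s*[0-9a-fA-F]+ \(\s*(\d+)\) : .*: (\S+)\s*$")  # hex size ( KB) : pct : name
LARGEST = re.compile(r"^Largest free region: .*\((\d+) KB\)")

def parse_snapshots(text):
    """Split the log at each cdb banner and collect the KB column of every summary row."""
    snapshots, current, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Opened log file"):   # banner written by -loga starts a snapshot
            current, section = {}, None
            snapshots.append(current)
        elif current is None:
            continue                             # ignore anything before the first banner
        elif m := SECTION.match(line.strip()):
            section = current.setdefault(m.group(1), {})
        elif section is not None and (m := ROW.match(line)):
            section[m.group(2)] = int(m.group(1))
        elif m := LARGEST.match(line):
            current["largest_free_kb"] = int(m.group(1))
    return snapshots

def series(snapshots, section, key):
    """KB values of one summary row across snapshots (None where the row is missing)."""
    return [s.get(section, {}).get(key) for s in snapshots]

if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_LOG)
    print("Heap KB:  ", series(snaps, "Usage", "RegionUsageHeap"))
    print("Commit KB:", series(snaps, "State", "MEM_COMMIT"))
    print("Largest free KB:", [s.get("largest_free_kb") for s in snaps])
```

A steadily rising RegionUsageHeap or MEM_COMMIT series points at a leak, while a shrinking largest free region with stable totals points at address space fragmentation.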

About Moto

Engineer who likes coding
This entry was posted in Windows Memory Management.