How much memory of a process is paged out?

Question

Is there a Performance Counter which indicates how much of memory of a specific process is paged out? I have a server which has 40 GB of available RAM (of 128 GB physical memory) but the paged out amount of data is over 100 GB. How can I find out which of my processes are responsible for that huge page file consumption?

It would be also ok to have some xperf tracing to see when the page out activity happens. But apart from many writes to the page file I cannot see from which processes the memory is written to the page file.

Reference Set Tracing shows me only as far as I understand it how big the physical memory consumption of my process is. But it does not seem to track page out activity.

Update The OS is Windows Server 2012 R2

I am sure it is an accident, but you forgot to mention the operating system. Not that I know that answer through :) — Makketronix, Jul 04 '16 at 05:12

magicandre1981 · Accepted Answer · 2016-07-21T04:13:26.050

The ETW provider "Microsoft-Windows-Kernel-Memory" has a keyword "KERNEL_MEM_KEYWORD_WS_SWAP" ("0x80"). Here there are some events that occur when data are paged out/paged in:

     <event value="4" symbol="WorkingSetOutSwapStart" version="0" task="WorkingSetOutSwap" opcode="win:Start" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStartArgs"/>
     <event value="4" symbol="WorkingSetOutSwapStart_V1" version="1" task="WorkingSetOutSwap" opcode="win:Start" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStartArgs_V1"/>
     <event value="5" symbol="WorkingSetOutSwapStop" version="0" task="WorkingSetOutSwap" opcode="win:Stop" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStopArgs"/>
     <event value="5" symbol="WorkingSetOutSwapStop_V1" version="1" task="WorkingSetOutSwap" opcode="win:Stop" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStopArgs_V1"/>
     <event value="6" symbol="WorkingSetInSwapStart" version="0" task="WorkingSetInSwap" opcode="win:Start" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStartArgs"/>
     <event value="6" symbol="WorkingSetInSwapStart_V1" version="1" task="WorkingSetInSwap" opcode="win:Start" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetOutSwapStartArgs_V1"/>
     <event value="7" symbol="WorkingSetInSwapStop" version="0" task="WorkingSetInSwap" opcode="win:Stop" level="win:Informational" keywords="KERNEL_MEM_KEYWORD_WS_SWAP" template="WorkingSetInSwapStopArgs"/>

Here you get some data like the number of pages accessed (PagesProcessed):

<template tid="WorkingSetOutSwapStartArgs">
  <data name="ProcessId" inType="win:UInt32"/>
 </template>
 <template tid="WorkingSetOutSwapStopArgs">
  <data name="ProcessId" inType="win:UInt32"/>
  <data name="Status" inType="win:HexInt32"/>
  <data name="PagesProcessed" inType="win:UInt32"/>
 </template>
 <template tid="WorkingSetInSwapStopArgs">
  <data name="ProcessId" inType="win:UInt32"/>
  <data name="Status" inType="win:HexInt32"/>
 </template>
 <template tid="WorkingSetOutSwapStartArgs_V1">
  <data name="ProcessId" inType="win:UInt32"/>
  <data name="Flags" inType="win:HexInt32"/>
 </template>
 <template tid="WorkingSetOutSwapStopArgs_V1">
  <data name="ProcessId" inType="win:UInt32"/>
  <data name="Status" inType="win:HexInt32"/>
  <data name="PagesProcessed" inType="win:Pointer"/>
  <data name="WriteCombinePagesProcessed" inType="win:Pointer"/>
  <data name="UncachedPagesProcessed" inType="win:Pointer"/>
  <data name="CleanPagesProcessed" inType="win:Pointer"/>
 </template>

Play with it if it includes all data you need.

This provider looks nice but the swap out event is only triggered if somebody forces via an api call to swap out the process working set. Normal working set trim activities are not logged by this providers. Still it is a good hint to track at least explicit swap outs triggered by the application itself. — Alois Kraus, Jul 24 '16 at 17:30

score 0 · Answer 2 · edited May 23 '17 at 11:58

0

In Xperf you want to look for Hard Faults - note that this is a type of Page Fault, but page faults can often be handled in software without touching the drive. You can add a column in Task Manager to show page faults for each process.

You can get some information on a process by using a tool like https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx which will tell you for each block of memory in the process address space what type it is, and how much is committed. However, it's the committed memory that can be paged out, and VirtualQueryEx() doesn't tell you about that.

It's also worth noting that a large quantity of paged out memory isn't always a bad thing - it's the hard faults that are slow.

Edit: Hmm, if you want an intrusive one-off test I guess there's the hacky option of combining VirtualQueryEx() and ReadProcessMemory() to touch every committed page in a process so you can count the hard faults!

edited May 23 '17 at 11:58

Community

1
1

answered Jul 04 '16 at 23:00

Adam

882
5
10

I know hard page faults. That is for paging in memory from the page file. But I want to know what is paged out into the page file from the processes and when. Perhaps someone trims the working set explicitly and wonders later why his process has so high response times ... – Alois Kraus Jul 05 '16 at 17:15
I agree, this is crucial information. I'd like to see this in task manager, as an indication of how much memory pressure my system *was* under in the past. The best approximation I can offer is comparing working set to commit size, but this is imperfect since the discrepancy can be from pages that have not yet been touched, or have been paged out to image files, or paged out to the page file. Paged out memory will *eventually* be a bad thing. – Bruce Dawson Jul 13 '16 at 02:58

How much memory of a process is paged out?

2 Answers2