25

I'm thinking of adding the IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP and IMAGE_FILE_NET_RUN_FROM_SWAP PE flags to my executable.

The idea is to prevent occasional exceptions seen by clients who run the executable from the network, for example when network volumes fail to reconnect after sleep. Up to now we have always advised clients to run executables from locally connected volumes.

However, I don't know enough about virtual memory, the loader etc. to know what, if any, risks there are associated with using these PE flags.

For example, if I do this will more physical memory be consumed by my executable, especially if there are multiple instances of the executable running at the same time?

I'm sorry that I can't give more examples of potential risks, but that's the nature of my question. I have a feeling that there could be downsides to doing this but simply don't know what those downsides could be.

David Heffernan
  • It ought to make a cold start slower since the entire EXE is copied to the paging file. No idea if Windows is smart enough to share pages, I kinda doubt it. Process Explorer will tell you, look at Private Bytes. – Hans Passant Aug 05 '11 at 10:02
  • @Hans Is the EXE copied to the paging file on load, or are the pages just copied there if they are paged out? And how should I interpret Private Bytes? I'm really frightfully ignorant of the workings of virtual memory. – David Heffernan Aug 05 '11 at 10:14
  • The page-in operation is the problem, not page-out. So yes, all pages have to be copied so they can be paged-in later. Private Bytes is the amount of VM that isn't sharable. – Hans Passant Aug 05 '11 at 10:22
  • @Hans And normal loading pages in on demand due to page faults? Which means that you can run an executable and potentially never load very much of it into physical memory. Is that right? When I look at Private Bytes it is the same figure no matter where the executable lives. Does that mean the system is sharing pages? – David Heffernan Aug 05 '11 at 10:32
  • 1
    That is correct. Seems so. – Hans Passant Aug 05 '11 at 10:37

1 Answer

18

The PE loader works together with the virtual memory manager. Simply put, your executable isn't so much loaded as demand-paged in. And, of course, demand-paged out. Since executables are locked and don't change, this works quite well. No swap is needed; RAM just contains the MRU parts.

The PE flags change this. If the conditions are satisfied, the executable isn't locked and might change/disappear. This means the VMM has to keep all its pages either in RAM or swap, even at startup. That's a lot of copying and RAM use, but as a result the loss of the network no longer causes page-in faults. And when RAM is low, pages can't be discarded but have to be saved to swap.

In particular, these flags work if and only if the conditions are satisfied. IMAGE_FILE_NET_RUN_FROM_SWAP does not affect apps that are run locally. So the only customers that pay the price in RAM/swap are those that choose to.

MSalters
  • 1
    Thank you for your answer. My tests seem to indicate that the executable is locked. I can't delete it when it is run off a network volume. Are there implications on physical memory usage if multiple instances are run? I would guess not—pages are still shared between different processes. If I understand you correctly, the only performance implication is that, if the OS decides to page out some of the executable, those pages are copied to swap rather than simply discarded. – David Heffernan Aug 05 '11 at 09:37
  • 4
    @DavidHeffernan The image was copied to swap at load time, not at page-out time. (That's sort of the point of the flag, after all.) They are simply discarded at page-out time, since there is already a safe copy in swap. – Raymond Chen Mar 09 '12 at 22:36
  • Thank you @Raymond. I think I understand the issues well enough now. Fundamentally my problem here is that my understanding of the virtual memory system is incomplete. I must dig out my Windows Internals book and brush up. – David Heffernan Mar 09 '12 at 22:38
  • 13
    @DavidHeffernan Imagine the flag was `RUN_FROM_TEMP` and it meant "When running this file, first copy it to the TEMP directory, and then run that copy instead of the original." That's what happens. Except that the swap file is used instead of the TEMP directory. – Raymond Chen Mar 10 '12 at 13:42
  • 1
    Did anyone try to update (rename old, copy new exe with same name) an executable with these flags set while the old executable is in use? I think if the old exe is in use, new users launching the executable get the old one; is this possible? – akaya Nov 23 '18 at 06:41
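
To confirm whether a given build actually carries the two flags discussed in the question and answer, the `Characteristics` word of the PE file header can be read directly. The following is an added example, not code from the original posts: the function names are hypothetical, the flag values are those defined in `winnt.h`, and the sample header is constructed inline so the script runs without a real executable.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, values as defined in winnt.h
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800
SWAPRUN_MASK = IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP | IMAGE_FILE_NET_RUN_FROM_SWAP

def characteristics_offset(image: bytes) -> int:
    """Validate the MZ/PE headers and return the file offset of Characteristics."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte "PE\0\0", then the 20-byte COFF header; Characteristics is its last WORD
    return e_lfanew + 4 + 18

def read_characteristics(image: bytes) -> int:
    return struct.unpack_from("<H", image, characteristics_offset(image))[0]

def swaprun_flags(image: bytes) -> dict:
    """Report which of the two run-from-swap bits are set."""
    ch = read_characteristics(image)
    return {"removable": bool(ch & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP),
            "net": bool(ch & IMAGE_FILE_NET_RUN_FROM_SWAP)}

def set_swaprun(image: bytes, net: bool = True, removable: bool = True) -> bytes:
    """Return a copy with the two bits set or cleared; other bits are preserved.
    The edit changes header bytes that an Authenticode signature covers, so it
    belongs before signing, not after."""
    ch = read_characteristics(image) & ~SWAPRUN_MASK & 0xFFFF
    if net:
        ch |= IMAGE_FILE_NET_RUN_FROM_SWAP
    if removable:
        ch |= IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
    out = bytearray(image)
    struct.pack_into("<H", out, characteristics_offset(image), ch)
    return bytes(out)

def make_sample_header(characteristics: int = 0x0102) -> bytes:
    """Constructed sample: a bare MZ stub plus PE/COFF header, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = make_sample_header()
    print("before:", swaprun_flags(sample))
    print("after: ", swaprun_flags(set_swaprun(sample)))
```

With the Microsoft toolchain the same bits are normally set at build time through the linker's `/SWAPRUN:NET` and `/SWAPRUN:CD` options rather than by patching the file afterwards.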