RAM based EWF system runs out of memory within 30 minutes...

[Scott Kelly]

I was trying to use a RAM based EWF and I think my system may not be a
candidate for that. It will run out of memory within 10-20 minutes - even,
it seems, when none of my apps are actually running. Only TaskManager is
running.

I think what is causing the problem is that some underlying XPE (user
interface, networking, task manager, ??) piece is making writes to the
registry or something else. My XPE load is probably very large compared to
most other peoples in this group. I use WinLogin and have full networking
support, etc. I use the full Explorer interface.

What happens is during the test time, the EWF usage stays pretty steady with
nothing running. Then Task Manager shows a steep increase in memory over a
10 second period. At that point, all memory is used up and the system pops
a dialog box saying:

"Windows - Delayed Write Failed"
Windows was unable to save all data for the file c:\System Volume
Information\_restore-{some GUID}\RP2\snapshot\_REGISTRY_MACHINE_SOFTWARE.
The data has been lost...

If I OK that box, I get another one with the file:
Windows was unable to save all data for the file C:\$Mft
and then another one for:
Windows was unable to save all data for the file
C:\WINDOWS\System32\Config\SysEvent.EVT

I suspect that I will not be able to use RAM based EWF and maybe not even
DISK based EWF because something is eating away at the system files. If I
run DISK based, I would think eventually the system will use up all that
space too. If there is a leak - it will just keep leaking.

Below is a copy of the EWFMGR screen. Notice that even right after boot up
it is using ~5.8meg.

Once the memory usage ramps up - I can't run ewfmgr until I reset the
system. I am going to try and capture the last ewfmgr screen before it
blows up.

Anybody have any thoughts on this?

Thanks,
Scott


Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 72 29 73 29 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 5800960 bytes
Memory used for mapping 12288 bytes




Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 72 29 73 29 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 5800960 bytes
Memory used for mapping 12288 bytes

 

[Sean Liming \(eMVP\)]

Scott,

Have you turned off auto defragement of the harddrive?

Sean

 

[Slobodan Brcin]

Also if you have accidentally activated page file support, disable it. Or
change page file partition.


Slobodan

 

[Scott Kelly]

I put the page file on a non-protected volume. I think that is the correct
thing to do - yes?

I think the problem was that I did not disable auto-defrag.

Thanks,
Scott

 

[Scott Kelly]

I had not disabled the auto-defrag. I will rerun with auto-defrag off and
see what happens.

Thanks,
Scott

Scott,

Have you turned off auto defragement of the harddrive?

Sean

I was trying to use a RAM based EWF and I think my system may not be a
candidate for that. It will run out of memory within 10-20 minutes - even,
it seems, when none of my apps are actually running. Only TaskManager is
running.

I think what is causing the problem is that some underlying XPE (user
interface, networking, task manager, ??) piece is making writes to the
registry or something else. My XPE load is probably very large compared to
most other peoples in this group. I use WinLogin and have full networking
support, etc. I use the full Explorer interface.

What happens is during the test time, the EWF usage stays pretty steady with
nothing running. Then Task Manager shows a steep increase in memory over a
10 second period. At that point, all memory is used up and the system pops
a dialog box saying:

"Windows - Delayed Write Failed"
Windows was unable to save all data for the file c:\System Volume
Information\_restore-{some GUID}\RP2\snapshot\_REGISTRY_MACHINE_SOFTWARE.
The data has been lost...

If I OK that box, I get another one with the file:
Windows was unable to save all data for the file C:\$Mft
and then another one for:
Windows was unable to save all data for the file
C:\WINDOWS\System32\Config\SysEvent.EVT

I suspect that I will not be able to use RAM based EWF and maybe not even
DISK based EWF because something is eating away at the system files. If I
run DISK based, I would think eventually the system will use up all that
space too. If there is a leak - it will just keep leaking.

Below is a copy of the EWFMGR screen. Notice that even right after boot up
it is using ~5.8meg.

Once the memory usage ramps up - I can't run ewfmgr until I reset the
system. I am going to try and capture the last ewfmgr screen before it
blows up.

Anybody have any thoughts on this?

Thanks,
Scott


Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 72 29 73 29 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 5800960 bytes
Memory used for mapping 12288 bytes




Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 72 29 73 29 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 5800960 bytes
Memory used for mapping 12288 bytes

 

[Doug Hoeffel]

Also, beware that you are not doing a lot of event logging. If you are,
redirect the event log files to a non-EWF protected partition.

HTH... Doug

 

[Scott Kelly]

Thanks for the pointer. The problem seemed to have been the auto-defrag.

I had followed the directions to add the new component to the database - but
I forget to add it to my project.

Thanks,
Scott

 

[Scott Kelly]

The problem seemed to have been the auto-defrag.

I had followed the directions to add the new component to the database - but
I forget to add it to my project.


Just in case anybody needs the info:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/htm
l/xetbscreatingenableautolayoutregistrycomponent.asp