So why are applets so bad, anyway?

There's a simple answer to that question.  As I mentioned in the first post in this series, "It's my machine dagnabbit".  The simple answer is that applets consume resources that can be better used by the customer.

At an absolute minimum, each applet process consumes a process (no duh - that was a stupid statement, Larry).  But you need to realize that each process on Windows consumes a significant amount of system resources - you can see this in Vista's taskmgr.

There are three columns that are interesting:  Working Set, Commit Size and Memory.  Commit Size is the amount of memory reserved for the process (so can be insanely large), Working Set is the amount of physical memory that the process is currently consuming, and Memory is the amount of working set that's not being used by DLLs.

On my machine, to pick on two applets that I have running, you find:

  • FlashUtil9d.exe consuming 4.5M of working set, 1.3M of commitment and 760K of Memory
  • FwcMgmt.exe (the ISA firewall client) consuming 4M of working set, 1.6M of commitment and 300K of Memory

That 700K is real, physical RAM that's being actively used by the process (otherwise it would have been swapped out).  With multiple applets running, it adds up FAST.  On today's big machines, this isn't a big deal, but on a machine with less memory, it can be crippling.

 

In my last post, I categorized applets into 4 categories (updaters, tray notification handlers, helper applications and services).  In addition to the common issues mentioned above, each of these has its own special set of issues associated with it.

Updaters often run all the time, even though they're only actually doing work once a day (or once a month).  That means that they consume resources all the time that they're active.  Adding insult to injury, on my machine at home, I have an updater that is manifested to require elevation (which means I get the "your app requires elevation" popup whenever it tries to run).

Tray notification handlers also run all the time, and adding insult to injury, they clutter up the notification area.  The more items in the notification area, the less useful it is.  This is actually the primary justification for the "big 4" notification area items in Vista - people kept on finding that the 3rd party notification area icons crowded out functionality they wanted to access.  In addition, notification handlers seem to love popping up toast on the desktop, which often interrupts the user.  Finally, since tray handlers often run synchronously at startup, they delay system boot time.

Helper applications don't have any specific issues, from what I've seen.  They just consume resources when they're running.

Services are both good and bad.  Each Windows service has a start type which lets the system know what to do with the service on startup.  There are 3 relevant start types for most services: AutoStart, DemandStart and Disabled.  When a service is marked as AutoStart, it starts on every boot of the system, which degrades the system startup time.  In addition, because services often run in highly privileged accounts, the author of the service needs to take a great deal of care to ensure that they don't introduce security holes into the system.  Before Vista, highly privileged services were notorious for popping up UI on the user's desktop, a practice so dangerous that it justified its own category of security threat ("shatter attacks").  In Vista, changes were made to eliminate classic shatter attacks for all subsequent versions of the OS, so fortunately this issue isn't as grave as it was in the past.
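
To see how the start type and the logon account combine on a given machine, here is an added example (not code from the original post) that reports each service's start type and account and marks the ones that both start on every boot and run as LocalSystem. The function name `Get-ServiceStartReport`, the choice of LocalSystem as the "highly privileged" account, and the sample records are assumptions made for illustration.

```powershell
# Added example. Win32_Service.StartMode values "Auto", "Manual" and "Disabled"
# correspond to the AutoStart, DemandStart and Disabled start types.

# Assumption: LocalSystem is the account treated as "highly privileged" here.
$HighPrivilegeAccounts = @('LocalSystem')

function Get-ServiceStartReport {
    [CmdletBinding()]
    param(
        # Any object with Name, StartMode, StartName, State and PathName properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    process {
        $auto = $Service.StartMode -eq 'Auto'
        $high = $HighPrivilegeAccounts -contains $Service.StartName
        [pscustomobject]@{
            Name        = $Service.Name
            StartType   = $Service.StartMode
            Account     = $Service.StartName
            Running     = $Service.State -eq 'Running'
            ReviewFirst = $auto -and $high   # starts on every boot with high privilege
            Path        = $Service.PathName
        }
    }
}

# Constructed sample records (not from a real machine) to exercise the logic offline.
$sample = @(
    [pscustomobject]@{ Name = 'VendorUpdateSvc'; StartMode = 'Auto';   StartName = 'LocalSystem'; State = 'Running'; PathName = 'C:\Program Files\Vendor\update.exe' }
    [pscustomobject]@{ Name = 'VendorHelperSvc'; StartMode = 'Manual'; StartName = 'LocalSystem'; State = 'Stopped'; PathName = 'C:\Program Files\Vendor\helper.exe' }
    [pscustomobject]@{ Name = 'VendorWebSvc';    StartMode = 'Auto';   StartName = 'NT AUTHORITY\LocalService'; State = 'Running'; PathName = 'C:\Program Files\Vendor\web.exe' }
)
$sample | Get-ServiceStartReport | Format-Table Name, StartType, Account, ReviewFirst -AutoSize

# On a live Windows system: count services per start type, then list the ones to review first.
if ($env:OS -eq 'Windows_NT') {
    $report = Get-CimInstance -ClassName Win32_Service | Get-ServiceStartReport
    $report | Group-Object StartType | Select-Object Name, Count
    $report | Where-Object ReviewFirst | Sort-Object Name |
        Format-Table Name, Account, Running, Path -AutoSize
}
```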

 

 

Tomorrow:  So how do you mitigate the damage that applets can cause?

Comments

  • Anonymous
    August 15, 2007
    Rant time....  services, services, services.  It seems that Microsoft can't let a Windows install go without  running every possible service they think anyone could ever need.  If that isn't bad enough, Microsoft can't provide informative, descriptive,  text that explains what the individual services are, what they do, and what uses them so we can determine whether they can be turned off and take control of our own computers.  

  • Anonymous
    August 15, 2007
    Todd, one of my major missions in Vista was to block every single auto-start service that was proposed. From when I started working on it to when we shipped, there were a grand total of 2 autostart services added (I'm actually responsible for one of those).  And for those, we worked hard to get the footprint of that service to be as small as possible. And there is actually a fair amount of guidance associated with the services in Vista and what they do - information from before Vista was spotty, but for Vista, I think we've done a decent job of explaining what services do and what happens when they're disabled.

  • Anonymous
    August 15, 2007
    Great series.  I have an ** printer at home that when I installed its drivers, it installed a WEB SERVER written in JAVA to run its "management studio" or whatever it was called.  So not only did I have the bloat of a constantly-running java app and the massive java virtual machine, but I had an open port just waiting for incoming HTTP requests.  Thank goodness I was behind a router, I'd hate to think how many security vulnerabilities were in that. I trust Microsoft now to patch security vulnerabilities through WU.  I don't trust ** to release updates when vulnerabilities are discovered in their software. OTOH, I just bought an HP Photosmart C5180 All-In-One and just installed the bare drivers.  I get all the functionality and NO CRAPLETS! Not even a helper process that a previous HP All-In-One had.  Kudos to HP for getting it right this time.

  • Anonymous
    August 15, 2007
    My Vista version of taskmgr doesn't have a column labeled just Memory.  My best guess is that you are referring to Memory - Private Working Set? Can you elaborate on this: "Memory is the amount of working set that's not being used by DLLs" - if Vista knows this memory is not being used, does that mean it could do some sort of leak monitoring?

  • Anonymous
    August 15, 2007
    Great series, Larry. It occurred to me while reading this that perhaps one way to alleviate "updater" applets, and maybe others, is to provide some scheduling APIs that let Windows run the updater on schedule. This way, they're only running when they need to be (e.g. once a month), thus saving resources. Is that feasible?

  • Anonymous
    August 15, 2007
    sean e: Yup, I'm referring to "Memory - Private Working Set".   This is a rough approximation (Landy will undoubtedly find many things I'm overgeneralizing here): The "working set" of a process is composed of the number of pages for that process that are currently swapped in multiplied by the page size (to get a number that humans can deal with). Every page in a process is marked as either "shared" or "private" - shared pages are pages that will be mapped in more than one process, private pages are pages that are present only in the particular process. Since the pages that are contained in every DLL that's mapped into a process's address space are shared by all the other processes that have mapped the DLL, they're considered to be "shared". Thus the "Memory - Private Working Set" counter is the number of pages used by a process that are only used by that process and no other. The "private working set" is a very good estimation of the actual impact of the process on your system. Judah: Wait until the post on mitigations for updaters (currently 2 posts from now).  There is absolutely a way to do what you suggest, and many updaters do that.

  • Anonymous
    August 15, 2007
    Great series, Larry. I make it a point to go through the registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run section (and the corresponding one for HKCU) every now and then and just delete anything I don't recognize. Hazardous? Not really. If I am unsure about something, Google usually tells me what it is. This keeps the number of craplets running to a minimum, and I feel like I'm keeping some measure of control over my PC. :)

  • Anonymous
    August 15, 2007
    > FwcMgmt.exe (the ISA firewall client) consuming 4M of working set, 1.6M of commitment and 300K of Memory

    That looks like a typical degree of bloatware, but that is an applet that you want, is it not?  If I had a complaint about that program, it would be in the category of bloatware but surely not in the category of "so bad" an applet.

    > each applet process consumes a process

    Yeah, it's too bad that processes are still so expensive.  Combining crapthreads into a single process lets a bug in one crapthread walk all over the other threads, in almost the same manner as some discontinued OSes allowed a bug in any program to walk all over the kernel.  It would be better if processes were cheap enough to let each Explorer craplet run in its own process and let each service run in its own process.

  • Anonymous
    August 15, 2007
    Some of the "shared" (non-MEM_PRIVATE) pages might actually be mapped only in this particular process (private DLLs, memory mapped files etc), so they should be counted as private pages when measuring memory impact. As far as I know, the only way to figure out which pages are actually shared vs. potentially shareable is to query working set information from the OS (QueryWorkingSetEx) and this is a relatively expensive operation, so task manager doesn't do this. Process Explorer shows private/shared/shareable WS counters on the performance property page.

  • Anonymous
    August 15, 2007
    I've recently been swapping between many wireless networks that don't have DHCP installed (for various reasons).  My 'solution' at the moment is a batch file that auto-detects the SSID the card is connected to and runs a bunch of netsh commands.  I have a hotkey to launch the script, but sometimes I forget, and wonder why the network doesn't work. The point of this post is: One way to fix this would be to write a crapplet that detects when the network configuration changes and automatically launches the script, but that's one more crapplet.  If Vista had up/down scripts like Linux, then I could just hook into those, but no hooks means one more craplet.

  • Anonymous
    August 16, 2007
    "That 700K is real, physical RAM" Obviously I can't add up today, where does that 700K number come from?

  • Anonymous
    August 16, 2007
    Norman: You're right, I do want the firewall client.  I never said it was "so bad", it happened to be an applet on my machine at work. Phaeron: You're right, but private working set works quite nicely as a measure of the spot impact of a process.  It doesn't tell you history, but it does tell you how bad it is right now.

  • Anonymous
    August 16, 2007
    Paul: The 700K comes from rounding 760K down.

  • Anonymous
    August 16, 2007
    One of the other worse ones I've seen are included with HP all-in-one printers. They install a number of always-run programs and a couple of them are well known for hanging the system when you try to shut down. I've gotten a real education on Services reading your posts. I monitor some of the less understood startup vectors and it amazes me how many legit vendors sneak things in. For instance, on a brand new Dell laptop I was preparing for my daughter I found that it included an AOL file called "GW SEH Intercept" located in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks This was a clean OEM machine and AOL wasn't even installed yet!  I'm told SEH stands for Structured encryption handling. Thanks again, Bill

  • Anonymous
    August 16, 2007
    Dave: Wow, I had absolutely no idea that this had been added in Vista - It works like a charm!

  • Anonymous
    August 17, 2007
    Larry:... but private working set works quite nicely as a measure of the spot impact of a process.  It doesn't tell you history, but it does tell you how bad it is right now. I think this isn't exact enough. You have to add also the shared pages with a refcount of one, to make a fair process comparison. These pages are often surprisingly huge.

  • Anonymous
    August 17, 2007
    edgar: that's essentially what Pavel mentioned above.  You're right, but it's not easy to calculate that number in a non-intrusive manner.

  • Anonymous
    August 17, 2007
    Larry: that's essentially what Pavel mentioned above.  You're right, but it's not easy to calculate that number in a non-intrusive manner. Sorry Pavel, I haven't read your entry. Larry’s blogs are so long. ;)

    But it is easy and not that much time-consuming. It is of course always a snapshot, but it's closer to the truth. Therefore it is a better system overview. We are talking about unnecessary resource overhead, not specific asynchronous test scenarios.

  • Anonymous
    August 19, 2007
    The shatter attack is the stupidest thing I have ever seen. It's too bad how much people care about backwards compatibility over security. Oh, right, crapplets. Do you think it would be possible to alter the registry to pop up a dialog saying "Crapplet.exe is trying to add itself to your autostart programs/services. Do you want to allow this?" every time some piece of filth tries to install one? Obviously it won't help OEM machines, but it still would be nice when it comes time to get a new printer ;)

  • Anonymous
    August 20, 2007
    > pop up a dialog saying "Crapplet.exe is trying to add itself to your autostart programs/services. Do you want to allow this?" [...] would be nice when it comes time to get a new printer ;)

    OK, users never read dialogs, but let's imagine someone reads this one when they install their new printer.  Now let's figure out the answer.  Start with the dialog buttons.

    [Yes] [No] [I don't know.  I want to answer No, but if I answer No then will I be able to print?]

    Click the obvious button.  Here comes the next dialog that no one will ever read.

    "Windows needs an internet connection in order to find out where crapplet.exe came from.  Please connect, elevate to administrator privileges, and install this ActiveX control." [Back] [Next] [Cancel]

    Then if crapplet.exe came from Microsoft, "Please visit the support page on Microsoft's web site and find out how you can pay a fee to ask your question" [Back] [Finish] [Cancel]

    or if it came from another company, "crapplet.exe came from company x so please visit company x's web site to find that there's no answer to your question" [Back] [Finish] [Cancel]

  • Anonymous
    August 22, 2007
    In previous articles, I've pointed out: Programmer Hubris - He's just not that into you Programmer