Let's say that I have an application running on Windows XP that is "launched" from a mapped network drive. When a page fault is triggered by the execution of this application and a code page needs to be read from disk, assuming it's not in the pagefile, will Windows go out to the mapped network share to read the necessary code page in from disk or will it make a copy of it locally when it's first executed? I realize there are different types of page faults but I'm specifically asking about the case where the code must be read from the file on disk. In this case, since the application's image exists on a remote share I'm assuming the page fault handler must go out to the network share to retrieve the code page. Is this correct?

I have an application that's running in this manner and periodically it seems to "hang" the system but the system becomes responsive after a short period of time, sometimes just a few seconds and in other cases 10-15 minutes. This system also has a lot of A/V and DLP products installed on it and thus several TDI filter drivers and file system filter drivers which seemingly would add to the latency in processing the page fault especially if the code must be paged in from a process image that exists on a remote share.

I've been reading through Windows Internals and it discusses page fault handling but I don't see any mention of the case when dealing with a remote mapped drive. I'm assuming it's got to go out to the network share to retrieve the necessary code page but I just want to be sure I'm right. If anyone has any other recommended reading I'd love to hear it. I've currently got a kernel debugger attached to a problematic system so I can catch it in the act but, of course, since I've attached the kernel debugger and have had it running for 2 days I've yet to see the problem occur again.

Thanks in advance for any help/advice!

A: 

I'm not sure the question is correct.

"will Windows go out to the mapped network share to read the necessary code page in from disk or will it make a copy of it locally when it's first executed?"

All code must be in local memory to be executed. A page fault on a network mapped drive will cause network I/O to fetch the appropriate page, which will be loaded into local memory and then used.

"In this case, since the application's image exists on a remote share I'm assuming the page fault handler must go out to the network share to retrieve the code page. Is this correct?"

Ye-e-e-s-s-s. The page fault handler doesn't know the drive is network mapped. It will issue a file system IRP. The network mapping driver will intercept that and convert it into a network IRP. So the page fault handler is just doing its normal thing; it doesn't know you're doing voodoo in the background.

"I have an application that's running in this manner and periodically it seems to 'hang' the system but the system becomes responsive after a short period of time, sometimes just a few seconds and in other cases 10-15 minutes. This system also has a lot of A/V and DLP products installed on it and thus several TDI filter drivers and file system filter drivers which seemingly would add to the latency in processing the page fault especially if the code must be paged in from a process image that exists on a remote share."

Erm, with that much kernel hacking stuff on it my first thought is that your Windows installation is simply shagged. A/V stuff is poison to Windows and you seem to have a ton of stuff jacked into the kernel - you are asking for trouble, and it seems trouble has come calling.

Simplest explanations are most likely; given the amount of badware you have here, it's most likely Windows is just shagged. You don't need a deeper technical explanation!

Blank Xavier
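
On the question of whether Windows makes a local copy: the PE format defines the `IMAGE_FILE_NET_RUN_FROM_SWAP` characteristic (set by the linker option `/SWAPRUN:NET`), which asks the loader to fully load an image that sits on network media and copy it to the swap file instead of paging it in from the share. The following is an added example, not part of the original question or answer; it reads that flag from an image header, and the function names and the sample header are constructed for illustration.

```python
import struct
import sys

# COFF Characteristics bits defined by the PE format specification
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800


def coff_characteristics(image: bytes) -> int:
    """Return the COFF Characteristics field of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 20-byte COFF header follows the signature; Characteristics is at +18
    (flags,) = struct.unpack_from("<H", image, e_lfanew + 4 + 18)
    return flags


def swaprun_flags(image: bytes) -> dict:
    """Report whether the image asks to be copied to the swap file."""
    flags = coff_characteristics(image)
    return {
        "net_run_from_swap": bool(flags & IMAGE_FILE_NET_RUN_FROM_SWAP),
        "removable_run_from_swap": bool(flags & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP),
    }


def build_sample_header(characteristics: int) -> bytes:
    """Constructed sample: just enough header for the parser, not a runnable EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python swaprun.py <image.exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, swaprun_flags(f.read()))
```

If `net_run_from_swap` is false for the application and its DLLs, code pages are demand-paged from the share as the answer describes.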