Are there risks associated with IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP or IMAGE_FILE_NET_RUN_FROM_SWAP?

About

Asked 5/8, 2011 at 8:54 Answered 5/8, 2011 at 9:22

I'm thinking of including the IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP and IMAGE_FILE_NET_RUN_FROM_SWAP PE flags to my executable.

The idea is to prevent occasional exceptions seen by clients who run the executable from the network, for example when network volumes fail to reconnect after sleep. Up to now we have always advised clients to run executables from locally connected volumes.

However, I don't know enough about virtual memory, the loader etc. to know what, if any, risks there are associated with using these PE flags.

For example, if I do this will more physical memory be consumed by my executable, especially if there are multiple instances of the executable running at the same time?

I'm sorry that I can't give more examples of potential risks, but that's the nature of my question. I have a feeling that there could be downsides to doing this but simply don't know what those downsides could be.

Jene answered 5/8, 2011 at 8:54 Comment(5)

It ought to make a cold start slower since the entire EXE is copied to the paging file. No idea if Windows is smart enough to share pages, I kinda doubt it. Process Explorer will tell you, look at Private Bytes. – Cobelligerent 5/8, 2011 at 10:2

@Hans Is the EXE copied to the paging file on load, or are the pages just copied there if they are paged out? And how should I interpret Private Bytes? I'm really frightfully ignorant of the workings of virtual memory. – Jene 5/8, 2011 at 10:14

The page-in operation is the problem, not page-out. So yes, all pages have to be copied so they can be paged-in later. Private Bytes is the amount of VM that isn't sharable. – Cobelligerent 5/8, 2011 at 10:22

@Hans And normal loading pages in on demand due to page faults? Which means that you can run an executable and potentially never very load much of it into physical memory. Is that right? When I look at Private Bytes it is the same figure no matter where the executable lives. Does that mean the system is sharing pages? – Jene 5/8, 2011 at 10:32

That is correct. Seems so. – Cobelligerent 5/8, 2011 at 10:37

The PE loader works together vith the virtual memory manager. Simply put, your executable isn't so much loaded as demand-paged in. And, of course, demand-paged out. Since executables are locked and don't change, this works quite well. No swap is needed; RAM just contains the MRU parts.

The PE flags change this. If the conditions are satisfied, the executable isn't locked and might change/disappear. This means the VMM has to keep all its pages either in RAM or swap, even at startup. That's a lot of copying and RAM use, but as a result the loss of the network no longer causes page-in faults. And when RAM is low, pages can't be discarded but have to be saved to swap.

In particular, these flags work if and only if the conditions are satisfied. IMAGE_FILE_NET_RUN_FROM_SWAP does not affect apps that are run locally. So the only customers that pay the price in RAM/swap are those that choose to.

Incidence answered 5/8, 2011 at 9:22 Comment(5)

Thank you for your answer. My tests seem to indicate that the executable is locked. I can't delete it when it is run off a network volume. Are there implications on physical memory usage if multiple instances are run? I would guess not—pages are still shared between different processes. If I understand you correctly the only performance implication is that if the OS decides to page out some of the executable, is that those pages are copied to swap rather than simply discarded. – Jene 5/8, 2011 at 9:37

@DavidHeffernan The image was copied to swap at load time, not at page-out time. (That's sort of the point of the flag, after all.) They are simply discarded at page-out time, since there is already a safe copy in swap. – Lach 9/3, 2012 at 22:36

Thank you @Raymond. I think I understand the issues well enough now. Fundamentally my problem here is that my understanding of the virtual memory system is incomplete. I must dig out my windows internals book and brush up. – Jene 9/3, 2012 at 22:38

@DavidHeffernan Imagine the flag was RUN_FROM_TEMP and it meant "When running this file, first copy it to the TEMP directory, and then run that copy instead of the original." That's what happens. Except that the swap file is used instead of the TEMP directory. – Lach 10/3, 2012 at 13:42

Did anyone try to update (rename old, copy new exe with same name) executable with this flags set and old executable in use? I think if old exe is in use, new users launching the executable get the old one, is this possible? – Gasman 23/11, 2018 at 6:41

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags