In recent years, worldwide use of computers has increased dramatically. Computer application programs (“applications” or “apps”) are used for a variety of purposes, including word processing, accounting, data base management, desktop publishing, communications, and the like. In addition to application programs, computing devices also have software known as an operating system that controls the operation of the computing device and the various applications and other programs that execute on the computing device. A myriad of different application programs and operating systems may be used on a computing device. Generally, operating systems provide at least two types of memory space in which to run computer programs (memory ‘space’, also known as virtual address space, is the amount of a type of memory that can be addressed at any instant). One type of memory space, known as “user mode” memory space, is for general applications and programs executed by a user. The other type of memory space, known as “kernel mode” memory space, is protected space that is generally available only to the core components of an operating system. To protect user applications from accessing and/or modifying critical operating system data, the operating system uses different processor access modes (user mode and kernel mode) when accessing different memory spaces. Programs running in kernel mode execute in a manner that grants greater access to system memory and processor instructions then those running in user mode. By providing the operating system software running in kernel mode with a higher privilege level than user application software, the operating system provides a way for software designers to ensure that misbehaving user applications do not disrupt the stability of the operating system as a whole.
In some circumstances, both operating system kernel mode programs (including some device drivers and other software that has been granted kernel mode access) and user applications that call kernel mode programs, after accessing objects in kernel mode, will fail to release the kernel mode objects when the objects are no longer needed. Such an omission results in excessive use of kernel memory space on behalf of the application (or kernel program) due to the continued existence of these abandoned kernel mode objects.
Abandoned objects in kernel mode memory (i.e., objects stored in kernel memory, but that will never be referenced again by applications) can considerably reduce the amount of time a computing device can reliably operate. Kernel mode memory space is a limited operating system resource. Some operating systems routinely operate near the limits of their kernel mode memory space while others do so occasionally. When programs (or processes) abandon large numbers of kernel objects without deallocating them (e.g. by not closing handles to kernel objects when finished with them), a considerable amount of kernel mode memory space becomes unavailable to the operating system. Sufficient loss can bring a halt to the operation of a computer operating system due to low kernel mode memory space availability and/or degrade the performance of a computer operating system by increasing the time the operating system requires to find free blocks of memory and/or contributing to the fragmentation of memory resulting in inefficient usage. In the past, degradation due to kernel object abandonment has been resolved by terminating any program that has abandoned kernel objects or restarting the computing system if the program causing the problem cannot be identified or is a kernel mode program. Clearly, it would be desirable to have a kernel object management system that does not require restarting programs and/or computing systems to alleviate kernel object abandonment. The present invention is directed to providing such a management system for kernel mode objects.
One way of managing and detecting kernel object abandonment is to monitor the resources used by processes (often associated with user mode resource identifiers, such as handles) and identify processes that are using excessive numbers of kernel objects. However this does not provide enough information to determine whether the kernel objects are actually used or not since applications vary widely in their use of kernel mode objects; also it does not provide the information regarding which kernel mode objects may have been abandoned. For example a server process might show a rapid increase in handles as a response to an increase in number of connections.
Abandonment of kernel mode objects causes the same types of performance and reliability problems as memory leaks. While the problems posed by memory leaks, including those of kernel mode memory leaks, are generally known, solutions have heretofore not addressed abandoned kernel objects (objects in kernel mode memory which appear to have been abandoned by their origins but which cannot be reliably determined to have been in fact abandoned). Therefore, a need exists for a method of managing, identifying, and resolving abandoned kernel mode objects in a way that improves the stability and performance of operating systems. Additionally, a need exists for a memory management method that also defragments the kernel memory by reorganizing kernel mode objects.
Another difficulty posed by previous systems has been the problem of identifying the programs or processes that abandon kernel objects. Accordingly, there is a further need for a method of identifying the origins of abandoned kernel objects.