Desktop Heap Overview


Desktop heap is probably not something that you spend a lot of time thinking about, which is a good thing.  However, from time to time you may run into an issue that is caused by desktop heap exhaustion, and then it helps to know about this resource.  Let me state up front that things have changed significantly in Vista around kernel address space, and much of what I’m talking about today does not apply to Vista.

 

Laying the groundwork: Session Space

To understand desktop heap, you first need to understand session space.  Windows 2000, Windows XP, and Windows Server 2003 have a limited, but configurable, area of memory in kernel mode known as session space.  A session represents a single user’s logon environment.  Every process belongs to a session.  On a Windows 2000 machine without Terminal Services installed, there is only a single session, and session space does not exist.  On Windows XP and Windows Server 2003, session space always exists.  The range of addresses known as session space is a virtual address range.  This address range is mapped to the pages assigned to the current session.  In this manner, all processes within a given session map session space to the same pages, but processes in another session map session space to a different set of pages. 

Session space is divided into four areas: session image space, session structure, session view space, and session paged pool.  Session image space loads a session-private copy of Win32k.sys modified data, a single global copy of win32k.sys code and unmodified data, and maps various other session drivers like video drivers, TS remote protocol driver, etc.  The session structure holds various memory management (MM) control structures including the session working set list (WSL) information for the session.  Session paged pool allows session specific paged pool allocations.  Windows XP uses regular paged pool, since the number of remote desktop connections is limited.  On the other hand, Windows Server 2003 makes allocations from session paged pool instead of regular paged pool if Terminal Services (application server mode) is installed.  Session view space contains mapped views for the session, including desktop heap. 

Session Space layout:

Session Image Space: win32k.sys, session drivers

Session Structure: MM structures and session WSL

Session View Space: session mapped views, including desktop heap

Session Paged Pool

 

Sessions, Window Stations, and Desktops

You’ve probably already guessed that desktop heap has something to do with desktops.  Let’s take a minute to discuss desktops and how they relate to sessions and window stations.  All Win32 processes require a desktop object under which to run.  A desktop has a logical display surface and contains windows, menus, and hooks.  Every desktop belongs to a window station.  A window station is an object that contains a clipboard, a set of global atoms and a group of desktop objects.  Only one window station per session is permitted to interact with the user. This window station is named "Winsta0."  Every window station belongs to a session.  Session 0 is the session where services run and typically represents the console (pre-Vista).  Any other sessions (Session 1, Session 2, etc) are typically remote desktops / terminal server sessions, or sessions attached to the console via Fast User Switching.  So to summarize, sessions contain one or more window stations, and window stations contain one or more desktops.

You can picture the relationship described above as a tree.  Below is an example of this desktop tree on a typical system:

- Session 0
|   |
|   ---- WinSta0           (interactive window station)
|   |      |
|   |      ---- Default    (desktop)
|   |      |
|   |      ---- Disconnect (desktop)
|   |      |
|   |      ---- Winlogon   (desktop)
|   |
|   ---- Service-0x0-3e7$  (non-interactive window station)
|   |      |
|   |      ---- Default    (desktop)
|   |
|   ---- Service-0x0-3e4$  (non-interactive window station)
|   |      |
|   |      ---- Default    (desktop)
|   |
|   ---- SAWinSta          (non-interactive window station)
|   |      |
|   |      ---- SADesktop  (desktop)
|   |
- Session 1
|   |
|   ---- WinSta0           (interactive window station)
|   |      |
|   |      ---- Default    (desktop)
|   |      |
|   |      ---- Disconnect (desktop)
|   |      |
|   |      ---- Winlogon   (desktop)
|   |
- Session 2
    |
    ---- WinSta0           (interactive window station)
           |
           ---- Default    (desktop)
           |
           ---- Disconnect (desktop)
           |
           ---- Winlogon   (desktop)

 

In the above tree, the full path to the SADesktop (as an example) can be represented as “Session 0\SAWinSta\SADesktop”.

 

Desktop Heap – what is it, what is it used for?

Every desktop object has a single desktop heap associated with it.  The desktop heap stores certain user interface objects, such as windows, menus, and hooks.  When an application requires a user interface object, functions within user32.dll are called to allocate those objects.  If an application does not depend on user32.dll, it does not consume desktop heap.  Let’s walk through a simple example of how an application can use desktop heap. 

1.     An application needs to create a window, so it calls CreateWindowEx in user32.dll.

2.     User32.dll makes a system call into kernel mode and ends up in win32k.sys.

3.     Win32k.sys allocates the window object from desktop heap.

4.     A handle to the window (an HWND) is returned to the caller.

5.     The application and other processes in the same session can refer to the window object by its HWND value.

 

Where things go wrong

Normally this “just works”, and neither the user nor the application developer need to worry about desktop heap usage.  However, there are two primary scenarios in which failures related to desktop heap can occur:

  1. Session view space for a given session can become fully utilized, so it is impossible for a new desktop heap to be created.
  2. An existing desktop heap allocation can become fully utilized, so it is impossible for threads that use that desktop to use more desktop heap.

 

So how do you know if you are running into these problems?  Processes failing to start with a STATUS_DLL_INIT_FAILED (0xC0000142) error in user32.dll is a common symptom.  Since user32.dll needs desktop heap to function, failure to initialize user32.dll upon process startup can be an indication of desktop heap exhaustion.  Another symptom you may observe is a failure to create new windows.  Depending on the application, any such failure may be handled in different ways.  Note that if you are experiencing problem number one above, the symptoms would usually only exist in one session.  If you are seeing problem two, then the symptoms would be limited to processes that use the particular desktop heap that is exhausted.

 

Diagnosing the problem

So how can you know for sure that desktop heap exhaustion is your problem?  This can be approached in a variety of ways, but I’m going to discuss the simplest method for now.  Dheapmon is a command line tool that will dump out the desktop heap usage for all the desktops in a given session.  See our first blog post for a list of tool download locations.  Once you have dheapmon installed, be sure to run it from the session where you think you are running out of desktop heap.  For instance, if you have problems with services failing to start, then you’ll need to run dheapmon from session 0, not a terminal server session.

Dheapmon output looks something like this:

Desktop Heap Information Monitor Tool (Version 7.0.2727.0)
Copyright (c) 2003-2004 Microsoft Corp.
-------------------------------------------------------------
  Session ID:    0 Total Desktop: (  5824 KB -    8 desktops)

  WinStation\Desktop            Heap Size(KB)    Used Rate(%)
-------------------------------------------------------------
  WinSta0\Default                    3072              5.7
  WinSta0\Disconnect                   64              4.0
  WinSta0\Winlogon                    128              8.7
  Service-0x0-3e7$\Default            512             15.1
  Service-0x0-3e4$\Default            512              5.1
  Service-0x0-3e5$\Default            512              1.1
  SAWinSta\SADesktop                  512              0.4
  __X78B95_89_IW\__A8D9S1_42_ID       512              0.4
-------------------------------------------------------------

 

As you can see in the example above, each desktop heap size is specified, as is the percentage of usage.  If any one of the desktop heaps becomes too full, allocations within that desktop will fail.  If the cumulative heap size of all the desktops approaches the total size of session view space, then new desktops cannot be created within that session.  Both of the failure scenarios described above depend on two factors: the total size of session view space, and the size of each desktop heap allocation.  Both of these sizes are configurable. 
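
The two checks described above can be run over saved dheapmon output. The following is an added example, not part of the original post or of dheapmon itself; the function names and the 85% warning threshold are assumptions, and the session view size must be supplied by the caller because dheapmon does not report it.

```python
import re
from dataclasses import dataclass

# The dheapmon output shown above, embedded so the example runs offline.
SAMPLE = r"""
Desktop Heap Information Monitor Tool (Version 7.0.2727.0)
Copyright (c) 2003-2004 Microsoft Corp.
-------------------------------------------------------------
  Session ID:    0 Total Desktop: (  5824 KB -    8 desktops)

  WinStation\Desktop            Heap Size(KB)    Used Rate(%)
-------------------------------------------------------------
  WinSta0\Default                    3072              5.7
  WinSta0\Disconnect                   64              4.0
  WinSta0\Winlogon                    128              8.7
  Service-0x0-3e7$\Default            512             15.1
  Service-0x0-3e4$\Default            512              5.1
  Service-0x0-3e5$\Default            512              1.1
  SAWinSta\SADesktop                  512              0.4
  __X78B95_89_IW\__A8D9S1_42_ID       512              0.4
-------------------------------------------------------------
"""

SUMMARY_RE = re.compile(
    r"Session ID:\s*(\d+)\s+Total Desktop:\s*\(\s*(\d+)\s*KB\s*-\s*(\d+)\s*desktops\)")
# A data row is "<window station>\<desktop>  <size KB>  <used %>".
ROW_RE = re.compile(r"^\s*(\S+)\\(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s*$")


@dataclass
class DesktopHeap:
    winsta: str
    desktop: str
    size_kb: int
    used_pct: float


def parse_dheapmon(text):
    """Return (session_id, reported_total_kb, [DesktopHeap, ...])."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Session ID / Total Desktop' summary line found")
    session_id, total_kb, count = (int(g) for g in m.groups())
    heaps = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            heaps.append(DesktopHeap(row[1], row[2], int(row[3]), float(row[4])))
    # Cross-check the rows against the summary so a truncated capture is rejected.
    if len(heaps) != count or sum(h.size_kb for h in heaps) != total_kb:
        raise ValueError("rows do not match the summary line; output truncated?")
    return session_id, total_kb, heaps


def assess(text, session_view_mb, warn_pct=85.0):
    """Return warnings for the two failure scenarios (warn_pct is an assumed threshold)."""
    session_id, total_kb, heaps = parse_dheapmon(text)
    warnings = []
    # Scenario 1: the cumulative heap size approaches the size of session view space.
    # Desktop heaps are not the only mapped views in session view space, so the
    # real headroom is smaller than this figure suggests.
    view_pct = 100.0 * total_kb / (session_view_mb * 1024)
    if view_pct >= warn_pct:
        warnings.append(f"session {session_id}: desktop heaps reserve {view_pct:.1f}% "
                        f"of {session_view_mb} MB session view space")
    # Scenario 2: a single desktop heap is nearly full.
    for h in heaps:
        if h.used_pct >= warn_pct:
            warnings.append(f"session {session_id}: {h.winsta}\\{h.desktop} is "
                            f"{h.used_pct:.1f}% full ({h.size_kb} KB heap)")
    return warnings


if __name__ == "__main__":
    for message in assess(SAMPLE, session_view_mb=48) or ["no desktop heap pressure"]:
        print(message)
```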

 

Configuring the size of Session View Space

Session view space size is configurable using the SessionViewSize registry value.  This is a REG_DWORD and the size is specified in megabytes.  Note that the values listed below are specific to 32-bit x86 systems not booted with /3GB.  A reboot is required for this change to take effect.  The value should be specified under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

OS                     Size if no registry value configured    Default registry value
Windows 2000 *         20 MB                                   none
Windows XP             20 MB                                   48 MB
Windows Server 2003    20 MB                                   48 MB

* Settings for Windows 2000 are with Terminal Services enabled and hotfix 318942 installed.  Without the Terminal Services installed, session space does not exist, and desktop heap allocations are made from a fixed 48 MB region for system mapped views.  Without hotfix 318942 installed, the size of session view space is fixed at 20 MB.

The sum of the sizes of session view space and session paged pool has a theoretical maximum of slightly under 500 MB for 32-bit operating systems.  The maximum varies based on RAM and various other registry values.  In practice the maximum value is around 450 MB for most configurations.  When the above values are increased, it will result in the virtual address space reduction of any combination of nonpaged pool, system PTEs, system cache, or paged pool.

 

Configuring the size of individual desktop heaps

Configuring the size of the individual desktop heaps is a bit more complex.  Speaking in terms of desktop heap size, there are three possibilities:

·         The desktop belongs to an interactive window station and is a “Disconnect” or “Winlogon” desktop, so its heap size is fixed at 64 KB or 128 KB, respectively (for 32-bit x86)

·         The desktop heap belongs to an interactive window station, and is not one of the above desktops.  This desktop’s heap size is configurable.

·         The desktop heap belongs to a non-interactive window station.  This desktop’s heap size is also configurable.

 

The size of each desktop heap allocation is controlled by the following registry value:

            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows

 

The default data for this registry value will look something like the following (all on one line):

               %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
               SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
               ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
               ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
               MaxRequestThreads=16

 

The numeric values following "SharedSection=" control how desktop heap is allocated. These SharedSection values are specified in kilobytes.

The first SharedSection value (1024) is the shared heap size common to all desktops. This memory is not a desktop heap allocation, and the value should not be modified to address desktop heap problems.

The second SharedSection value (3072) is the size of the desktop heap for each desktop that is associated with an interactive window station, with the exception of the “Disconnect” and “Winlogon” desktops.

The third SharedSection value (512) is the size of the desktop heap for each desktop that is associated with a "non-interactive" window station. If this value is not present, the size of the desktop heap for non-interactive window stations will be same as the size specified for interactive window stations (the second SharedSection value). 

Consider the two desktop heap exhaustion scenarios described above.  If the first scenario is encountered (session view space is exhausted), and most of the desktop heaps are non-interactive, then the third SharedSection can be decreased in an effort to allow more (smaller) non-interactive desktop heaps to be created.  Of course, this may not be an option if the processes using the non-interactive heaps require a full 512 KB.  If the second scenario is encountered (a single desktop heap allocation is full), then the second or third SharedSection value can be increased to allow each desktop heap to be larger than 3072 or 512 KB.  A potential problem with this is that fewer total desktop heaps can be created.
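
The trade-off between heap size and heap count can be worked through from the value data itself. The following is an added example, not part of the original post; the function names are assumptions, the count it returns is an upper bound because desktop heaps are not the only mapped views in session view space, and the 64 KB and 128 KB figures are the fixed 32-bit x86 sizes given above.

```python
import re

# Default value data quoted above, joined onto one line as it is stored in the registry.
DEFAULT_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    r"MaxRequestThreads=16"
)

# Fixed heap sizes for the Disconnect and Winlogon desktops (32-bit x86), in KB.
DISCONNECT_KB = 64
WINLOGON_KB = 128

SHARED_RE = re.compile(r"SharedSection=(\d+),(\d+)(?:,(\d+))?(?=\s|$)")


def parse_shared_section(value):
    """Return (shared_kb, interactive_kb, noninteractive_kb) from the value data."""
    m = SHARED_RE.search(value)
    if not m:
        raise ValueError("no SharedSection=a,b[,c] token in the value data")
    shared, interactive = int(m[1]), int(m[2])
    # Third value absent: non-interactive desktops get the interactive size.
    noninteractive = int(m[3]) if m[3] is not None else interactive
    return shared, interactive, noninteractive


def max_noninteractive_desktops(value, session_view_mb, interactive_desktops=1):
    """Upper bound on non-interactive desktop heaps that fit in one session.

    Assumes a single WinSta0 holding `interactive_desktops` configurable
    desktops plus the fixed-size Disconnect and Winlogon desktops.
    """
    _, interactive, noninteractive = parse_shared_section(value)
    winsta0_kb = interactive_desktops * interactive + DISCONNECT_KB + WINLOGON_KB
    remaining_kb = session_view_mb * 1024 - winsta0_kb
    return max(remaining_kb, 0) // noninteractive


def with_heap_sizes(value, interactive_kb=None, noninteractive_kb=None):
    """Return value data with the second and/or third SharedSection number changed.

    The first number (the shared heap) is carried over untouched. The third
    number is always written explicitly, so raising the interactive size never
    silently raises the non-interactive size as well.
    """
    shared, cur_interactive, cur_noninteractive = parse_shared_section(value)
    new_i = cur_interactive if interactive_kb is None else interactive_kb
    new_n = cur_noninteractive if noninteractive_kb is None else noninteractive_kb
    if new_i <= 0 or new_n <= 0:
        raise ValueError("heap sizes must be positive KB values")
    token = f"SharedSection={shared},{new_i},{new_n}"
    # A function is used as the replacement so nothing in the token is
    # interpreted as a regex escape.
    return SHARED_RE.sub(lambda _m: token, value, count=1)


if __name__ == "__main__":
    for mb in (48, 20):
        print(mb, "MB session view space:",
              max_noninteractive_desktops(DEFAULT_VALUE, mb), "service desktops at most")
    smaller = with_heap_sizes(DEFAULT_VALUE, noninteractive_kb=256)
    print("with 256 KB heaps in 20 MB:", max_noninteractive_desktops(smaller, 20))
```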

 

What are all these window stations and desktops in Session 0 anyway?

Now that we know how to tweak the sizes of session view space and the various desktops, it is worth talking about why you have so many window stations and desktops, particularly in session 0.  First off, you’ll find that every WinSta0 (interactive window station) has at least 3 desktops, and each of these desktops uses various amounts of desktop heap.  I’ve alluded to this previously, but to recap, the three desktops for each interactive window station are:

·         Default desktop - desktop heap size is configurable as described above

·         Disconnect desktop - desktop heap size is 64k on 32-bit systems

·         Winlogon desktop - desktop heap size is 128k on 32-bit systems

 

Note that there can potentially be more desktops in WinSta0 as well, since any process can call CreateDesktop and create new desktops.

Let’s move on to the desktops associated with non-interactive window stations: these are usually related to a service.  The system creates a window station in which service processes that run under the LocalSystem account are started. This window station is named service-0x0-3e7$. It is named for the LUID for the LocalSystem account, and contains a single desktop that is named Default. However, service processes that run as LocalSystem interactive start in Winsta0 so that they can interact with the user in Session 0 (but still run in the LocalSystem context).

Any service process that starts under an explicit user or service account has a window station and desktop created for it by service control manager, unless a window station for its LUID already exists. These window stations are non-interactive window stations.  The window station name is based on the LUID, which is unique for every logon.  If an entity (other than System) logs on multiple times, a new window station is created for each logon.  An example window station name is “service-0x0-22e1$”.

A common desktop heap issue occurs on systems that have a very large number of services.  This can be a large number of unique services, or one (poorly designed, IMHO) service that installs itself multiple times.  If the services all run under the LocalSystem account, then the desktop heap for Session 0\Service-0x0-3e7$\Default may become exhausted.  If the services all run under another user account which logs on multiple times, each time acquiring a new LUID, there will be a new desktop heap created for every instance of the service, and session view space will eventually become exhausted.

Given what you now know about how service processes use window stations and desktops, you can use this knowledge to avoid desktop heap issues.  For instance, if you are running out of desktop heap for the Session 0\Service-0x0-3e7$\Default desktop, you may be able to move some of the services to a new window station and desktop by changing the user account that the service runs under.

 

Wrapping up

I hope you found this post interesting and useful for solving those desktop heap issues!  If you have questions or comments, please let us know.

 

- Matthew Justice

 

[Update: 7/5/2007 - Desktop Heap, part 2 has been posted]

[Update: 9/13/2007 - Talkback video: Desktop Heap has been posted]

[Update: 3/20/2008 - The default interactive desktop heap size has been increased on 32-bit Vista SP1]

 

  • This was a great primer on a part of Windows memory management that is seldom covered. Thanks!

  • Is there a possibility of describing how this works under Vista, and providing a Vista-compatible version of dheapmon?

    I often have up to 20 IE tabs open on Vista, and with a few other applications (eg Outlook, Excel, Word), I seem to be hitting some resource limit, as new windows often fail to be created (unless I close some old ones).

  • My desktop heap numbers are these below. What numbers can I change, and to what value to correct my computer from not functioning properly after I have a certain amount of programs and web sites opened on it, when I still have plenty of physical memory?

    SharedSection=1024,3072,512 Windows

  • Thomas - A future post on desktop heap in Vista is definitely a possibility.  Keep an eye on our blog for this content.

  • mptock - The SharedSection numbers you have listed are the defaults on x86.  Please take a look at the “Configuring the size of individual desktop heaps” section above to understand what each of these numbers mean.  Any changes you may need to make to the values on your system will depend on what exactly is failing on your computer.  You can use Dheapmon (described above) to monitor desktop heap usage and determine if the problems you are seeing are related to desktop heap.

  • If you have a lot of applications open one thing you might notice is that Windows -- even XP -- will

  • Interesting - I hit the same issues with lots of tabs open in IE. To verify this was the problem I wanted to run dheapmon, but wasn't sure it worked on Vista (since the docs say it's version dependent and there is no Vista version), so I booted in debug mode, ran Windbg and connected in local kernel debug mode (that requires booting in debug mode - XP/2003 did not require that), and used the !dskheap command.

    See details below.

    I am about to reboot increasing the second number from 3076 to 4096.  We'll see.

    --Dave Solomon

    coauthor, Windows Internals 4th edition

    ================================

    Before starting IE:

    lkd> !dskheap
     Winstation\Desktop  Heap Size(KB) Used Rate(%)
    ------------------------------------------------------------
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8636883c, UniStr = 86327020
    (000002B8: name not accessible)     3072  15%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 86327024, UniStr = 8639c020
    (000002B8: name not accessible)       64   3%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8639c024, UniStr = 863332e8
    (000002B8: name not accessible)      128   3%
    ------------------------------------------------------
      Total Desktop: (    3264 KB -   3 desktops)
      Session ID:  1

    ============================================================

    After opening about 40-ish tabs:

    lkd> !dskheap
     Winstation\Desktop  Heap Size(KB) Used Rate(%)
    ------------------------------------------------------------
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8636883c, UniStr = 86327020
    (000002B8: name not accessible)     3072  86%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 86327024, UniStr = 8639c020
    (000002B8: name not accessible)       64   3%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8639c024, UniStr = 863332e8
    (000002B8: name not accessible)      128   3%
    ------------------------------------------------------
      Total Desktop: (    3264 KB -   3 desktops)
      Session ID:  1

    ============================================================

    Then tried to open several more tabs and ran out:

    lkd> !dskheap
     Winstation\Desktop  Heap Size(KB) Used Rate(%)
    ------------------------------------------------------------
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8636883c, UniStr = 86327020
    (000002B8: name not accessible)     3072  99%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 86327024, UniStr = 8639c020
    (000002B8: name not accessible)       64   3%
    pUniStr = 8636eb9c, UniStr = 86333490
     (000002B8: name not accessible)\pUniStr = 8639c024, UniStr = 863332e8
    (000002B8: name not accessible)      128   3%
    ------------------------------------------------------
      Total Desktop: (    3264 KB -   3 desktops)
      Session ID:  1

    ============================================================

  • DHEAPMON shows the percentage of desktop heap that has been consumed;  is it possible to do the same thing programmatically, such that an application could display a warning when, say, 85% of the desktop heap has been consumed?

    Assume the following:  

    1)  our vendor's application creates many windows

    2)  the application can create enough windows to totally deplete the desktop heap

    3)  when a window fails to open due to depleted desktop heap, the entire application crashes.

    4)  we do not want the application to crash;  we want to give the user the opportunity to close some windows to free up some heap and continue.

    5)  the vendor cannot detect that a window failed to open and handle the failure gracefully.  (This point cannot be argued:  while it may be possible to do, this vendor cannot do it.  Trust me. )

    They've already implemented a similar "warn before failure" methodology for the per-process user object handle quota (another application-crash point of failure), and they're talking about doing the same for desktop heap.  Is it even possible?

    -Chad

  • Chad – there is no programmatic interface for querying the desktop heap usage.  dheapmon.exe actually relies on a kernel mode driver, dheapdmp.sys, to gather the information about the desktop heaps.  Unfortunately for the vendor you are working with, the right way to handle this is to gracefully handle the failure to create a window.  Since desktop heap is an internal implementation detail of win32k.sys, a user mode application should not rely on the status of a desktop heap as a means of deciding what operations it should perform.  Window creation ends up in the API function CreateWindow(Ex).  If the application developer is creating this window by directly calling this function, the return value can be checked to validate that the window was successfully created before continuing.  Below is a snippet from an MSDN sample showing this...

     

        hwnd = CreateWindow(
            "MainWClass",        // name of window class
            "Sample",            // title-bar string
            WS_OVERLAPPEDWINDOW, // top-level window
            CW_USEDEFAULT,       // default horizontal position
            CW_USEDEFAULT,       // default vertical position
            CW_USEDEFAULT,       // default width
            CW_USEDEFAULT,       // default height
            (HWND) NULL,         // no owner window
            (HMENU) NULL,        // use class menu
            hinstance,           // handle to application instance
            (LPVOID) NULL);      // no window-creation data

        if (!hwnd)
            return FALSE;

     

    Reference:  http://msdn2.microsoft.com/en-us/library/ms633575.aspx

  • Hi

    dheapmon failed to install on Vista 32, is there a version that is compatible with Vista ?

  • Ohad - There is currently no version of dheapmon for Vista.

  • Is there a way to globally monitor heap usage for all sessions?  I administer Windows 2003 Terminal servers, and I would like to monitor my users for heap exhaustion.  There appears to be paged and non-paged pool session counters in Perfmon for the Terminal Services Session object, but nothing about desktop heap space.

  • KPark – Currently dheapmon is the only Microsoft tool for monitoring desktop heap, and it isn’t designed for monitoring multiple sessions / servers simultaneously.  This is a question that comes up periodically, and it is something that we have definitely talked about.  Generally we find that desktop heap usage is fairly consistent for a given workload, so if you take a series of dheapmon snapshots of a typical user’s session, you can get a feeling for what kind of desktop heap configuration you’ll need for your users.

    Regarding the perfmon counters for session pool, those values probably don’t mean what you think they mean.  The numbers are actually the sum of process pool quotas per session.  So only pool allocations that were charged to a process (via ExAllocatePoolWithQuotaTag) are included in the perfmon counter values.

  • The article states "Note that the values listed below are specific to 32-bit x86 systems not booted with /3GB or /PAE"  -- we are booting with the /3GB switch, and I see that the registry entry for SessionViewSize is 48MB.  After running dheapmon it appears that we are only utilizing 16MB of desktop heap.  When I try to start a new Windows service using a User account, it fails, so I'm wondering if the 48MB is a reliable figure -- is there a way to query the maximum desktop heap available?  BTW the service starts just fine under LOCAL SYSTEM, and stopping another service running under a user account allows me to start the service under a user account, so we're 99% certain that this is a desktop heap issue.  We're Windows 2003 Standard.

  • sagman  - This certainly could be a desktop heap problem.  Specifically, it sounds like you have exhausted session view space (the memory region where desktop heaps come from).  With 3GB enabled, the size of session view space is fixed at 20 MB.  It cannot be configured due to the constraints on kernel address space when booted 3GB.  You can see the size of session view space in a kernel debugger (or using LiveKd) by examining the value of nt!MmSessionViewSize like this...

     

    // Dump out the value of the global variable...
    lkd> dd nt!MmSessionViewSize L1
    808ad254  03000000
    // Convert it from hex bytes to decimal MB
    lkd> ? 03000000 / 400 / 400
    Evaluate expression: 48 = 00000030
    // So this system’s session view size is 48MB.

     

    If 16MB of your 20 MB session view space is used by desktop heap, session view space may be nearly consumed, since GDI also uses session view space.   Depending on how “full” each of your desktop heaps are, you may be able to tweak the SharedSection values to allow more, smaller, desktop heaps.  
