Recently, I was doing something that made the NTOSKRNL a little angry. I was backing up a large amount of data (400GB) from a USB drive to a SATA drive array.
I started this backup at night and, at first, the speed of the copy was about 10MB per second. When I woke up the next day, it was still copying and the speed had dropped to anywhere from 1MB to 4MB per second. To discern why, I opened up Process Explorer to have a look:
At this point, I got the properties of the System Process which yielded this:
This didn’t tell me much so I took to choosing the "Stack" button to see what was transpiring. But, whoops, that didn’t work as evidenced by the error below:
This perplexed me so I took a look at an article I remembered being written by Mark Russinovich which can be found here. Sure enough I found the reason:
"The System process is a special type of process on Vista [and evidently XP x64] called a 'protected process' that doesn't allow any access to its threads or memory. Protected processes were introduced to support Digital Rights Management (DRM) so that hi-definition content providers can store content encryption keys with a reduced risk of an administrative user using DRM-stripping tools to reach into the process and read the keys."
So with that problem in place I decided to take Mark's lead and pull out the Kernrate tool. It can be found here but be WARNED – it does NOT work on x64 versions. (Hence the title of this blog) It will look like it works, but because the 32-bit build runs under WOW64, it doesn't really have access to the native kernel-level functions, as evidenced here:
I went to the MSDN site and downloaded the DDKs and WDKs for Server 2003 based on this post (which at the time seemed meaningful and worthwhile). However, I didn’t find what was stated so I decided to use the "chat" feature of my MSDN subscription. I interacted with a polite and helpful person named Kimi, but ultimately our joint venture in finding the right version of Kernrate was not productive. Fortunately, I also found this post where "Steve" (someone who commented at the bottom) stated the Kernrate tool for amd64 or x64 could be used. So I ended up downloading the Server 2008 WDK which can be found here and installed just the help docs and tools (I did not install the samples since I’m not a programmer).
Lo and behold, I directed my command prompt to the C:\WinDDK\6001.18001\tools\other\amd64 directory and then ran Kernrate (without any arguments). I received a bunch of data, but most importantly, I got a listing of the modules that were taking up resources:
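Since the 32-bit Kernrate looks like it works under WOW64 but cannot see the native kernel, a quick sanity check before trusting any profile is to confirm the binary you are about to run is actually the amd64 build. The script below is an added example (not from the original post and not part of the WDK) that reads the Machine field from a PE file's COFF header; the minimal images it builds for the demonstration are constructed, not real Kernrate binaries, and the host-is-64-bit flag is passed in by the caller.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture of a PE image ('x86', 'x64' or 'unknown(0x....)')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF header follows the signature; Machine is its first WORD
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def can_profile_kernel(exe_bytes: bytes, host_is_64bit: bool):
    """An x86 tool on x64 Windows runs under WOW64 and cannot profile the native kernel.
    Returns (ok, reason)."""
    arch = pe_machine(exe_bytes)
    if host_is_64bit and arch == "x86":
        return False, "x86 image would run under WOW64 on an x64 host; use the amd64 build"
    return True, f"{arch} image matches the host"


def fake_pe(machine: int) -> bytes:
    """Constructed minimal image for demonstration: DOS header, e_lfanew -> 'PE\\0\\0', COFF header.
    It carries a valid Machine field but is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature right after it
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20-byte IMAGE_FILE_HEADER
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # e.g. path to kernrate.exe
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                                          # no path given: use a constructed x86 image
        image = fake_pe(IMAGE_FILE_MACHINE_I386)
    ok, reason = can_profile_kernel(image, host_is_64bit=True)
    print("OK" if ok else "WARNING", "-", reason)
```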
Now I’m going to go on and figure out why the performance is so terrible after a few hours of copying. But at least now you know where to get the Kernrate.exe utility for x64 and amd64 systems.