Windows – Is it possible to configure Windows “resource exhaustion detector” to detect and log high cpu events, rather than just low memory events

Edit: Please note that the comment section is now irrelevant because my original answer is gone.

Your question:

How can the Private Bytes of a process be significantly less than its effect on the system commit charge?

This can be answered with a direct quote from Mark Russinovich:

There are two types of process virtual memory that do count toward the commit limit: private and pagefile-backed.

The private bytes attributed to the process can be (and often is) less than that processes' effect on the system commit charge because the process can also be allocating pagefile-backed virtual memory.

Pagefile-backed virtual memory is difficult to attribute to a specific process because it is sharable between processes. There is no process-specific performance counter that can tell you how much pagefile-backed virtual memory any process has allocated or is referencing, yet, it does still count against the commit limit.

This article is the authoritative article on the subject, and in that article, he specifically demonstrates a case where a process has allocated tons of pagefile-backed VM, and yet the private bytes of the process remains very low.

He also shows you how to use handle.exe to detect the allocation size of handles to section objects. That is how you can detect what process is having such a large effect on the commit charge.

You mention that you have already looked at sqlservr.exe with handle.exe and that it does not have handles open to a significant amount of section objects that would account for the commit charge that is released when you kill sqlservr.exe.

Coincidentally, there are also memory allocations in kernel space that are charged against the system commit limit, such as paged and nonpaged pools, and driver locked memory, including things like virtual machine balloon drivers, etc. I don't believe this is relevant to this case but I didn't want to leave it unsaid.

SQL Server is a massive, complex product consisting of many different processes that work together on the system to provide all the SQL Server services. In fact SQL Server has its very own internal memory manager that can make it look atypical from the perspective of tools designed to measure Windows virtual memory allocations.

sqlservr.exe does not act alone. There's also

• msmdsrv.exe (Analysis Services)
• sqlwriter.exe (SQL VSS Writer)
• sqlagent.exe (SQL Agent)
• fdlauncher.exe (Full-Text Filter Daemon Launcher)
• fdhost.exe (Full-Text host)
• ReportingServicesService.exe
• SQLBrowser.exe

When I kill sqlservr.exe, sqlagent.exe also dies automatically. This means the system commit charge will fall by the amount contributed to it by both processes. The other SQL-related processes may also be releasing pagefile-backed sections when sqlservr.exe is killed, even though the processes themselves remain running. All of these would cause the current commit charge of the system to fall when sqlservr.exe is killed, even though they were never part of the private bytes of sqlservr.exe.

Things like this vary a lot. For instance, are you recording calls? If so, are you using Monitor or MixMonitor? Monitor is processed in the same thread as the call, MixMonitor in it's own thread. And if you are recording, you probably have a solid disk hit. I solve some of this by turning off atime in /etc/fstab.

Something you can do to get a idea of what is going on in your system is to run vmstat. A simple vmstate 1 20 will you an optput to look at and you can see what is eating at the CPU.

Another thing that you can do with asterisk is remove modules you don't need by adding "noload =>" lines to modules.conf. Often, there are a lot. You'll just have to take some time to learn what modules you do and don't use as all are autoloaded during startup.

One more thing to consider is trans-coding. If you're accepting calls using the G.729A codec and your softphones/deskphones use G.711u, you're going to take a performance hit as as it has to trans-code those codecs and can't just preform packet-2-packet bridging.