    LANDesk using the MetaFile


      I have a LANDesk core server crashing at irregular intervals.


      It will consume a lot of memory before software distribution stops and the server needs a reboot to recover.

      At first, I looked at processes, but they are all using a reasonable amount of memory.


      The funny thing is that the memory usage will not show up in resource manager or task manager.

      So someone helped me and they found where my memory is going:

      There's a "file" in Windows memory called "MetaFile".

      Metafile is part of the system cache and consists of NTFS metadata.

      Sysinternals has a tool to see how large this file is:


      The attached document will show Metafile using +6GB of memory on this server!


      The server doesn't have any extra files other than the ones used by LANDesk.


      Has anyone seen anything like this?

      Core server is running LDMS 9 SP2 with Windows 2008 R2 SP 1 as operating system.


      Any help is appreciated

          I may be suggesting you to tread on ground you have already trodden but as you haven't specifically mentioned doing so.....


          Have you added the 'extra' columns in task manager for other memory allocations, like non-paged pool, threads and handles to see if any particular process is consuming unusual levels. If for example threads/handles continues to grow over time without ever decreasing this could point towards a process memory leak.


          Or are their any processes performing a higher than usual amount of disk I/O. As Metafile seems to be file related perhaps for some reason a large amount of log/temp/other files are accumalating somewhere on the disk.


          Have you disabled the windows search /indexing features on the server?

            Not likely a LANDesk issue seems like a lot of people are experincing this with R2 http://wasthatsohard.wordpress.com/2011/03/01/high-memory-usage-windows-server-2008-r2-file-server/


            Is your core also a package/preferred server?

              We've opened a case with Microsoft Support.

              Although LANDesk might be the component that triggers the error, I'm not so sure it's something we can fix.


              The article http://support.microsoft.com/kb/976618 was most useful.


              I'll update this question when I know more in case someone has the same problem in the future.





              Oh, and no. The core is not used for packaging or software distribution. A file server is.

                I have two pretty large cores and i'm running under 1gb. Let us know how things turn out.

                  As Microsoft did an evaluation, they manage to narrow it down to one of the "LANDesk" services.

                  Thus, Microsoft was more or less of the hook.


                  I tried starting individual services after a reboot and got lucky.

                  On my first try, LANDesk Inventory Service made the Metafile grow to silly sizes.

                  Twice lucky, I started up ProcMon, and found out the ldiscn32.exe that starts with the ldinv32.exe made huge amount of read on a folder called \LANDesk\ManagementSuite\sdstatus.

                  Tried to open the folder and discovered it holds 4.6 millions .xml files! No wonder the MetaFile is big...


                  They all contain strings like this, which seems like part of the alerting system.


                  <?xml version="1.0" encoding="UTF-8" standalone="yes"?><alert><taskId>266</taskId><packageId>0</packageId><complete>true</complete><retcode>229392437</retcode><deviceid>{91611F8C-737F-734D-BCC2-F2BD925A8861}</deviceid><ldapinfo>valid ldap string removed</ldapinfo><message/><logfile/><alert_ostype>windows</alert_ostype><alert_osfamily>winnt</alert_osfamily><alert_pds2id>8C1F6191-7F73-4D73-BCC2-F2BD925A8861</alert_pds2id><alert_inventoryid>{91611F8C-737F-734D-BCC2-F2BD925A8861}</alert_inventoryid><alert_host>validhostremoved</alert_host><alert_state>1</alert_state><alert_localTime>2011-10-21 10:51:15.918</alert_localTime><alert_gmtTime>2011-10-21 08:51:15.918</alert_gmtTime><alert_instance/><alert_id>internal.10_230_20_34.swd_sdclient.status</alert_id><alert_ruleset name="SoftwareDistribution Ruleset" date=""/><alert_health>2</alert_health></alert>


                  Question is, how come there are millions of them?


                  I'll start by moving them out of the folder, but love to hear ideas on how to stop them from coming back...

                    Try this and make sure you update the clients also.


                      Aye, of course.

                      My brain isn't working at this hour (2am) so didn't even think of searching for "sdstatus".


                      Thanks, that's spot on what we see.

                      You already got the correct anwere for the post, but there you hit the nail on the head once again Zman

                        Good my past scars can help others - LOL.