So why are applets so bad, anyway?

There's a simple answer to that question.  As I mentioned in the first post in this series, "It's my machine dagnabbit".  The simple answer is that applets consume resources that can be better used by by the customer.

At an absolute minimum, each applet process consumes a process (no duh - that was a stupid statement, Larry).  But you need to realize that each process on Windows consumes a significant amount of system resources - you can see this in Vista's taskmgr.

There are three columns that are interesting:  Working Set, Commit Size and Memory.  Commit Size is the amount of memory reserved for the process (so can be insanely large , Working Set  is the amount of physical memory that the process is currently consuming, and Memory is the amount of working set that's not being used by DLLs.

On my machine, to pick on two applets that I have running, you find:

  • FlashUtil9d.exe consuming 4.5M of working set, 1.3M of commitment and 760K of Memory
  • FwcMgmt.exe (the ISA firewall client) consuming 4M of working set, 1.6M of commitment and 300K of Memory

That 700K is real, physical RAM that's being actively used by the process (otherwise it would have been swapped out).  With multiple applets running, it adds up FAST.  On todays big machines, this isn't a big deal, but on a machine with less memory, it can be crippling.


In my last post, I categorized applets into 4 categories (updaters, tray notification handlers, helper applications and services).  In addition to the common issues mentioned above, each of these has its own special set of issues associated with it.

Updaters often to run all the time, even though they're only actually doing work once a day (or once a month).  That means that they consume resources all the time that they're active.  Adding insult to injury, on my machine at home, I have an updater that is manifested to require elevation (which means I get the "your app requires elevation" popup whenever it tries to run). 

Tray notification handlers also run all the time, and adding insult to injury, they clutter up the notification area.  The more items in the notification area, the less useful it is.  This is actually the primary justification for the "big 4" notification area items in Vista - people kept on finding that the 3rd party notification area icons crowded out functionality they wanted to access.  In addition, notification handlers seem to love popping up toast on the desktop, which often interrupts the user.  In addition, since tray handlers often run synchronously at startup, they delay system boot time.

Helper applications don't have any specific issues, from what I've seen.  They just consume resources when they're running.

Services are both good and bad.  Each Windows service has a start type which lets the system know what to do with the service on startup.  There are 3 relevant start types for most services: AutoStart, DemandStart and Disabled.  When a service is marked as AutoStart, it starts on every boot of the system, which degrades the system startup time.  In addition, because services often run in highly privileged accounts, the author of the service needs to take a great deal of care to ensure that they don't introduce security holes into the system.  Before Vista, high privileged services were notorious for popping up UI on the user's desktop, a practice so dangerous, it justified its own category of security threat ("shatter attacks").  In Vista, changes were made to eliminate classic shatter attacks for all subsequent versions of the OS, so fortunately this issue isn't as grave as it was in the past.



Tomorrow:  So how do you mitigate the damage that applets can cause?

Comments (29)

  1. Anonymous says:

    This is a great series! I had an ex GF who installed an HP all-in-one printer, fax, and copier on her home machine and got so many process intensive craplets from that install that her machine was bogged down nearly to the point of not being usable and they were worse than a virus to try and get off of her machine. Any help you can give user and developers alike for keeping this ridiculousness in check is great in my book.

  2. Dean Harding says:

    I think the flash one is not so bad. From what I’ve seen, it *usually* only starts up when you actually view a flash animation and *generally* shuts itself down when the flash is closed. That said, I have seen it hang around, even after exiting IE completely, so maybe there’s some bug there. But of course, that’s how it SHOULD work.

    HP is, in my opinion, horrible for installing tones of "helper" applications. We’ve got a couple of HP servers and work, and they install all these hardware "monitoring" and "management" applications. Just looking at one of the servers, it’s got 9 (that’s right, NINE) HP processes running, one of them has 256 threads and 20MB working set. On a server with 4GB of RAM, 20MB isn’t much but NINE processes can’t be good…

  3. Anonymous says:

    Rant time….  services, services, services.  It seems that Microsoft can’t let a Windows install go without  running every possible service they think anyone could ever need.  If that isn’t bad enough, Microsoft can’t provide informative, descriptive,  text that explains what the individual services are, what they do, and what uses them so we can determine whether they can be turned off and take control of our own computers.  

  4. Todd, one of my major missions in Vista was to block every single auto-start service that was proposed.

    From when I started working on it to when we shipped, there were a grand total of 2 autostart services added (I’m actually responsible for one of those).  And for those, we worked hard to get the footprint of that service to be as small as possible.

    And there is actually a fair amount of guidance associated with the services in Vista and what they do – information from before Vista was spotty, but for Vista, I think we’ve done a decent job of explaining what services do and what happens when they’re disabled.

  5. Anonymous says:

    Great series.  I have an ** printer at home that when I installed its drivers, it installed a WEB SERVER written in JAVA to run its "management studio" or whatever it was called.  So not only did I have the bloat of a constantly-running java app and the massive java virtual machine, but I had an open port just waiting for incoming HTTP requests.  Thank goodness I was behind a router, I’d hate to think how many security vulnerabilites were in that.

    I trust Microsoft now to patch security vulnerabilities through WU.  I don’t trust ** to release updates when vulnerabilities are discovered in their software.

    OTOH, I just bought an HP Photosmart C5180 All-In-One and just installed the bare drivers.  I get all the functionality and NO CRAPLETS! Not even a helper process that a previous HP All-In-One had.  Kudos to HP for getting it right this time.

  6. Anonymous says:

    My Vista version of taskmgr doesn’t have a column labeled just Memory.  My best guess is that you are referring to Memory – Private Working Set?

    Can you elaborate on this: "Memory is the amount of working set that’s not being used by DLLs" – if Vista knows this memory is not being used, does that mean it could do some sort of leak monitoring?

  7. Anonymous says:

    Great series, Larry.

    It occurred to me while reading this that perhaps one way to alleviate "updater" applets, and maybe others, is to provide some scheduling APIs that lets Windows run the updater on schedule. This way, they’re only running when they need to be (e.g. once a month), thus saving resources.

    Is that feasible?

  8. sean e: Yup, I’m referring to "Memory – Private Working Set".  

    This is a rough approximation (Landy will undoubtedly find many things I’m overgeneralizing here):

    The "working set" of a process is composed the number of pages for that process that are currently swapped in multiplied by the page size (to get a number that humans can deal with).

    Every page in a process is marked as either "shared" or "private" – shared pages are pages that will be mapped in more than one process, private pages are pages that are present only in the particular process.

    Since the pages that are contained in every DLL that’s mapped into a processes’ address space are shared by all the other processes that have mapped the DLL, they’re considered to be "shared".

    Thus the "Memory – Private Working Set" counter is the number of pages used by a process that are only used by that process and no other.

    The "private working set" is a very good estimation of the actual impact of the process on your system.

    Judah: Wait until the post on mitigations for updaters (currently 2 posts from now).  There is absolutely a way to do what you suggest, and many updaters do that.

  9. Anonymous says:

    Great series, Larry.

    I make it a point to go through the registry’s HKLM/Software/Microsoft/Windows/CurrentVersion/Run section (and the corresponding one for HKCU) every now and then and just delete anything I don’t recognize. Hazardous? Not really. If I am unsure about something, Google usually tells me what it is.

    This keeps the number of craplets running to a minimum, and I feel like I’m keeping some measure of control over my PC. 🙂

  10. Anonymous says:

    Addendum: The worst craplet ever is ATi’s Catalyst Control Center that comes along when you install ATi’s graphics card drivers. It auto-installs itself in the desktop context menu, it uses a ton of resources and is DOG SLOW, even on a high-end machine. It uses some kind of heavy-footed skinning engine because apparently, some i**ot over at ATi thinks I am not capable of choosing a Windows theme that I like, so their app has to have their own look, which completely clashes with every other program.

    I seem to recall that you can get rid of the Catalyst craplet somehow, but not without losing access to some of the graphics card settings it provides.

    My Sound Blaster card also came with a gaudy, fully-skinned application with lots of animations, bells & whistles to configure the card. However, the installer also included a barebones "audio console" that didn’t use any custom skins or jazzy UI widgets whatsoever. Guess which one I use? Kudos to Creative for getting that one right.

  11. Anonymous says:

    > FwcMgmt.exe (the ISA firewall client) consuming 4M of

    > working set, 1.6M of commitment and 300K of Memory

    That looks like a typical degree of bloatware, but that is an applet that you *want*, is it not?  If I had a complaint about that program, it would be in the category of bloatware but surely not in the category of "so bad" an applet.

    > each applet process consumes a process

    Yeah, it’s too bad that processes are still so expensive.  Combining crapthreads into a single process lets a bug in one crapthread walk all over the other threads, in almost the same manner as some discontinued OSes allowed a bug in any program to walk all over the kernel.  It would be better if processes were cheap enough to let each Explorer craplet run in its own process and let each service run in its own process.

  12. Anonymous says:

    Some of the "shared" (non-MEM_PRIVATE) pages might actually be mapped only in this particular process (private DLLs, memory mapped files etc), so they should be counted as private pages when measuring memory impact.

    As far as I know, the only way to figure out which pages are actually shared vs. potentially shareable is to query working set information from the OS (QueryWorkingSetEx) and this is a relatively expensive operation, so task manager doesn’t do this. Process Explorer shows private/shared/shareable WS counters on the performance property page.

  13. Anonymous says:

    I’d like to nominate another candidate for worst applet ever. PhiBtn.exe is an applet installed by the drivers for Phillips webcams that simply monitors the webcam to see if the snapshot button on the camera has been pressed. It consumes over 2Mb of actual RAM, and leaks 3 registry key handles every second, so it’s not just sitting idle.

  14. Anonymous says:

    My work IBM Thinkpad (purchased last year) has 512Mb of RAM, and all the pre-loaded IBM ThinkVantage software, anti virus and mobile connection software means that after booting and log on, the Commit Charge is just short of 500Mb.


  15. Anonymous says:

    I’ve recently been swapping between many wireless networks that don’t have DHCP installed (for various reasons).  My ‘solution’ at the moment is a batch file that auto-detects the SSID the card is connected to and runs a bunch of netsh commands.  I have a hotkey to launch the script, but sometimes I forget, and wonder why the network doesn’t work.

    The point of this post is: One way to fix this would be to write a craptlet that detects when the network configuration changes and automatically launches the script, but that’s one more crapplet.  If Vista had up/down scripts like linux, then I could just hook into those, but no hooks means one more craplet.

  16. Anonymous says:

    I don’t agree that private working set is a very good estimation on impact. Even if a service only has a 2MB working set of a 30MB heap, it still had to have allocated and initialized that 30MB somehow, probably off disk, which costs time on startup. It then costs time again when it needs to access that memory at some point during execution and finally again to free it on shutdown. You’re still paying a cost for all of those pages.

    That’s precisely why I hate craplets like the ATI Control Panel — sure, it has a working set significantly smaller than its allocated size, at some point it wakes up, such as when you click on it, and then it takes forever thrashing the disk while it swaps pages in its heap back into memory. It’s worse with .NET apps that suddenly decide to do a full garbage collection and need EVERY page swapped back in. You might as well go to lunch at that point because the swap traffic kills system responsiveness.

  17. Anonymous says:

    "That 700K is real, physical RAM"

    Obviously I can’t add up today, where does that 700K number come from?

  18. Norman: You’re right, I do want the firewall client.  I never said it was "so bad", it happened to be an applet on my machineat work.

    Phaeron: You’re right, but private working set works quite nicely as a measure of the spot impact of a process.  It doesn’t tell you history, but it does tell you how bad it is right now.

  19. Paul: The 700K comes from rounding 760K down.

  20. Anonymous says:

    One of the other worse ones I’ve seen are included with HP all-in-one printers. They install a number of always-run programs and a couple of them are well known for hanging the system when you try to shut down.

    I’ve gotten a real education on Services reading your posts. I monitor some of the less understood startup vectors and it amazes me how may legit vendors sneak things in.

    For instance, on a brand new Dell laptop I was preparing for my daughter I found that it included an AOL file called "GW SEH Intercept" located in


    This was a clean OEM machine and AOL wasn’t even in installed yet!  I’m told SEH stands for Structured encryption handling.

    Thanks again,


  21. Anonymous says:

    "If Vista had up/down scripts like linux, then I could just hook into those, but no hooks means one more craplet."

    Norman, check into the new Vista Task Scheduler, they finally got this right. Create a new task and select the trigger "On an event." Then select the network event you want to trigger the action. You can undoubtedly find a suitable event number by searching the event logs.

    I know that Microsoft has no interest in back-porting this to XP, but if nobody does then it will be several years before these kind of Vista features are exploited. Most app developers would prefer to avoid multiple code paths and as long as the XP-crapplet way works on Vista it will be predominant for a long time to come.

  22. Bill, I think I mentioned the HP 7400 printer in one of these posts.

    I hate that stupid piece of junk – it’s a nice printer, but the crap that came with their driver annoys the heck out of me.

  23. Anonymous says:

    Dave: Wow, I had absolutely no idea that this had been added in Vista – It works like a charm!

  24. Anonymous says:

    Larry:… but private working set works quite nicely as a measure of the spot impact of a process.  It doesn’t tell you history, but it does tell you how bad it is right now.

    I think this isn’t exact enough. You have to add also the shared pages with a refcount of one, to make a fair process comparison.

    These pages are often surprisingly huge.

  25. edgar: that’s essentially what Pavel mentioned above.  You’re right, but it’s not easy to calculate that number in a non-intrusive manner.

  26. Anonymous says:

    Larry: that’s essentially what Pavel mentioned above.  You’re right, but it’s not easy to calculate that number in a non-intrusive manner.

    Sorry Pavel, I haven’t read your entry. Larry’s blogs are so long. 😉

    – But it is easy and not that much much time-consuming. It is of course always a snapshot, but it’s closer to the truth. Therefore it is a better system overview. We are talking about unnecessary resource overhead, not specific asynchronous test scenarios.

  27. Anonymous says:

    The shatter attack is the stupidest thing I have ever seen. It’s too bad how much people care about backwards compatibility over security.

    Oh, right, crapplets. Do you think it would be possible to alter the registry to pop up a dialog saying "Crapplet.exe is trying to add itself to your autostart programs/services. Do you want to allow this?" every time some piece of filth tries to install one?

    Obviously it won’t help OEM machines, but it still would be nice when it comes time to get a new printer 😉

  28. Anonymous says:

    > pop up a dialog saying "Crapplet.exe is trying to add itself to

    > your autostart programs/services. Do you want to allow this?"

    > […] would be nice when it comes time to get a new printer 😉

    OK, users never read dialogs, but let’s imagine someone reads this one when they install their new printer.  Now let’s figure out the answer.  Start with the dialog buttons.

    [Yes] [No] [I don’t know.  I want to answer No, but if I answer No then will I be able to print?]

    Click the obvious button.  Here comes the next dialog that no one will ever read.

    "Windows needs an internet connection in order to find out where crapplet.exe came from.  Please connect, elevate to administrator privileges, and install this ActiveX control."

    [Back] [Next] [Cancel]

    Then if crapplet.exe came from Microsoft,

    "Please visit the support page on Microsoft’s web site and find out how you can pay a fee to ask your question"

    [Back] [Finish] [Cancel]

    or if it came from another company,

    "crapplet.exe came from company x so please visit company x’s web site to find that there’s no answer to your question"

    [Back] [Finish] [Cancel]

  29. Anonymous says:

    In previous articles, I've pointed out: Programmer Hubris – He's just not that into you Programmer

Skip to main content