Spectre and Meltdown: 3 Things You Can Do to Speed Back Up
I’m sure we’ve all seen the articles around Spectre and Meltdown this year: fixes aplenty, and in some cases side effects of slower performance and more resource usage. These slowdowns make sense, of course, because the attacks take advantage of the speculative execution feature in processors that makes their fastest performance possible. There’s a ton written out there about this feature, but essentially it enables processors to try to predict what you’re going to have them do next, instead of waiting for the instructions to arrive. There is no pipeline stall or delay in execution, so performance is faster. But take away the processor’s predictive ability and code is more secure (for reasons we’ve linked to above) but slower.
What if there were ways to mitigate the after-effects of fixing these vulnerabilities? Ways to help with the slowdowns customers tell me they are seeing after applying patches and microcode updates?
To give you some background on how I’ve come prepared to speed up your IT environment, for the last 14 years or so I’ve been working with Asia Pacific (APAC) clients in the end-user computing space to make sure they get the best user performance they can from their Windows technology. I’ve helped them manage CPU and memory resources with Ivanti Performance Manager powered by AppSense. Since 2002 this has been the leading solution for shared resource management on Citrix, Terminal Server, and virtual desktop infrastructure (VDI) platforms. I’m proud to say I love this product, and I’ve installed it at at least 500 customer sites with remarkable success.
I’ve also specialised in security, helping organisations implement the ASD Essential 8 security framework using the most widely deployed whitelisting and privilege management solution, Ivanti Application Control powered by AppSense.
So, now back to business. Let’s look at what we can do today to claw back some of that performance for our users. I recommend you take this approach:
Find out where things stand in your environment. Talk to your hardware vendors. See what they say about the servers and workstations you are running and how vulnerable they are. In addition, Microsoft offers guidance here on how to use PowerShell to check your current state.
2. Gain Insight
Consolidate what you’ve found across your organisation. I’m not sure how you are collecting inventory or patch state information today, but it’s critical to dig into the data.
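One way to run the PowerShell check from step 1 across several machines and consolidate the results for step 2, as an added example that is not from the original post or from Ivanti. It assumes PowerShell 5 or later with remoting enabled and Microsoft's SpeculationControl module installed on each target; the host names and the CSV file name are constructed placeholders.

```powershell
# Added example. Assumes PowerShell 5+ remoting and Microsoft's
# SpeculationControl module on each target (Install-Module SpeculationControl).
# Host names below are constructed placeholders.
$computers = 'PC-EXAMPLE-01', 'PC-EXAMPLE-02', 'SRV-EXAMPLE-01'

$inventory = foreach ($computer in $computers) {
    try {
        $s = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Import-Module SpeculationControl -ErrorAction Stop
            # The cmdlet prints its report with Write-Host; 6>$null drops that
            # text and keeps only the settings object it returns.
            Get-SpeculationControlSettings 6>$null
        }
        [pscustomobject]@{
            Computer          = $computer
            Queried           = $true
            # Spectre variant 2: needs both microcode and OS support.
            SpectreV2Hardware = $s.BTIHardwarePresent
            SpectreV2Enabled  = $s.BTIWindowsSupportEnabled
            # Meltdown (kernel VA shadow) and the PCID optimisation for it.
            MeltdownRequired  = $s.KVAShadowRequired
            MeltdownEnabled   = $s.KVAShadowWindowsSupportEnabled
            PcidOptimised     = $s.KVAShadowPcidEnabled
            Error             = $null
        }
    }
    catch {
        # Unreachable or unprepared hosts stay in the report instead of vanishing.
        [pscustomobject]@{
            Computer = $computer; Queried = $false
            SpectreV2Hardware = $null; SpectreV2Enabled = $null
            MeltdownRequired = $null; MeltdownEnabled = $null
            PcidOptimised = $null; Error = $_.Exception.Message
        }
    }
}

# Per-host detail for the record.
$inventory | Export-Csv -Path .\speculation-inventory.csv -NoTypeInformation

# Organisation-wide view: how many hosts share each mitigation state.
$inventory | Where-Object Queried |
    Group-Object SpectreV2Enabled, MeltdownEnabled, PcidOptimised |
    Sort-Object Count -Descending | Select-Object Count, Name

# Hosts that need the Meltdown mitigation but do not have it enabled.
$inventory | Where-Object { $_.Queried -and $_.MeltdownRequired -and -not $_.MeltdownEnabled }
# Hosts running the Meltdown mitigation without the PCID optimisation.
$inventory | Where-Object { $_.MeltdownEnabled -and -not $_.PcidOptimised }
```

The last query is the one most relevant to the slowdowns discussed here: it lists machines that have the Meltdown mitigation switched on but lack the PCID optimisation that reduces its overhead.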
3. Take Action
Install Ivanti Performance Manager.
This last step might seem quite radical, but yes, you can install a product made famous in the Citrix and Terminal Server world on a PC or server. Windows is Windows. The challenges you face when you are using multi-user shared Windows sessions are still there on a single-user version of Windows. Here’s why:
- The Windows Scheduler is the same. Yes, there is no difference in the Windows Scheduler, that piece of code that decides who is the next to get some CPU time. Scheduler issues on PCs slow response time and cause hangs when users switch between applications.
- CPU can still lock up at 100%. You know that time when the AV agent goes rogue, just as your review scan of your 50-page work document kicks off—that spinning cursor that really just says, “Please hold, your call is important to me”? That’s a CPU lockup.
- Memory leaks or hangs. Sometimes, applications just grab memory, and sometimes they keep grabbing more. A bug called a “memory leak” can cause this, but in other cases it’s just the way the app works. The challenge is that the app, which now needs to manage all that memory, can get itself in a knot and hang.
Performance Manager provides granular control over the Scheduler by actively managing the base priority of all threads and processes. Our patented Thread Throttling technology actively monitors CPU usage to make sure the CPU never hangs at 100%. If a rogue process does take the CPU to 100%, we can peg it back just a little, so Windows keeps running and all the processes get their fair share of resources. And for the physical memory issue, we can request a working set trim for applications, based on a range of triggers (Foreground, Background, Idle, Locked Desktop, etc.). This reduces physical memory usage and puts more free memory back in the pool for other applications.