Windows: Finding a driver which leaks memory
If your system runs out of (physical) memory and no process can be identified as allocating it, the paged or nonpaged pool may be under high memory load.
Check the Task Manager.
To analyze this behaviour an additional tool is required.
poolmon – This is shipped with the Windows Device Driver Kit. The tool is located in the installation folder of the DDK, in the tools\other directory.
Start poolmon sorted by allocated bytes:
C:\> D:\tools\poolmon.exe /b
 Memory:50321708K Avail: 83404K PageFlts:113987 InRam Krnl: 2428K P:7413004K
 Commit:66859664K Limit:67113448K Peak:66859232K Pool N:15924280K P:43259616K
 System pool information
 Tag  Type  Allocs              Frees               Diff      Bytes
 ....
 DSOb Paged 994216755 (184224)  915435919 (182518)  78780836  25416330128
 DSqe Nonp  1017733273 (5224)   843666118 ( 733)    174067155 13925372400
 PoEv Paged 1306288937 (2635)   1281031406 (2383)   25257531  9584639152
In this case the drivers with the tags DSOb and DSqe show excessive usage of the paged and nonpaged pool. A large difference between “Allocs” and “Frees” is also a hint of leaking memory.
To identify the corresponding driver, open a cmd shell and navigate to c:\Windows\System32\drivers:
c:\> cd c:\Windows\System32\drivers
c:\Windows\System32\drivers> findstr /m /s /l DSOb *.sys
DSDriver.sys
Microsoft also has a list of pool tags used by Windows.
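The same triage as a script, added here as an example and not part of the original post: it parses saved poolmon rows, ranks tags by the bytes they still hold, and repeats the findstr search over a driver directory. The function names, the 10 GiB threshold and the embedded sample (the three tag rows shown above) are assumptions.

```python
import re
from pathlib import Path

# Constructed sample: the three tag rows from the poolmon output above.
SAMPLE = """\
 Tag  Type  Allocs  Frees  Diff  Bytes
 DSOb Paged 994216755 (184224) 915435919 (182518) 78780836 25416330128
 DSqe Nonp 1017733273 (5224) 843666118 ( 733) 174067155 13925372400
 PoEv Paged 1306288937 (2635) 1281031406 (2383) 25257531 9584639152
"""

# Tag, pool type, allocs (delta), frees (delta), diff, bytes; deltas may be padded: "( 733)".
ROW = re.compile(
    r"^\s*(?P<tag>\S{1,4})\s+(?P<type>Paged|Nonp)\s+"
    r"(?P<allocs>\d+)\s*\(\s*-?\d+\)\s+(?P<frees>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<diff>-?\d+)\s+(?P<bytes>\d+)"
)

def parse_poolmon(text):
    """Return one dict per tag row; other lines (headers, '....') are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            r = m.groupdict()
            for k in ("allocs", "frees", "diff", "bytes"):
                r[k] = int(r[k])
            rows.append(r)
    return rows

def leak_suspects(rows, min_bytes=10 * 1024**3):
    """Tags holding at least min_bytes (assumed threshold), largest first, with the
    share of allocations never freed and the average size of a live allocation."""
    out = []
    for r in sorted(rows, key=lambda r: r["bytes"], reverse=True):
        if r["bytes"] >= min_bytes and r["diff"] > 0:
            out.append({**r,
                        "unfreed_pct": round(100 * r["diff"] / r["allocs"], 1),
                        "avg_block": r["bytes"] // r["diff"]})
    return out

def drivers_with_tag(tag, root):
    """Like `findstr /m /s /l <tag> *.sys`: .sys files containing the tag as ASCII bytes."""
    needle = tag.encode("ascii")
    return sorted(p.name for p in Path(root).rglob("*.sys") if needle in p.read_bytes())

if __name__ == "__main__":
    for s in leak_suspects(parse_poolmon(SAMPLE)):
        print(s["tag"], s["type"], s["bytes"], f'{s["unfreed_pct"]}%', s["avg_block"])
```

A literal byte match only yields candidate drivers: the same four characters can occur in more than one .sys file, so confirm the hit against the vendor's or Microsoft's pool tag list.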