Windows: Finding a driver which leaks memory

Hi,

If your system runs out of (physical) memory and no process can be identified that is allocating the memory, the paged or nonpaged pool could also be under high memory load.

Check the Task Manager

Windows TaskManager paged nonpaged Size


To analyze this behaviour an additional tool is required:
poolmon – It is shipped with the Windows Device Driver Kit (DDK). The tool is located in the tools\other directory of the DDK installation folder.

Start poolmon sorted by allocated bytes:

C:\> D:\tools\poolmon.exe /b
Memory:50321708K Avail:   83404K  PageFlts:113987   InRam Krnl: 2428K P:7413004K
 Commit:66859664K Limit:67113448K Peak:66859232K            Pool N:15924280K P:43259616K
 System pool information
 Tag  Type     Allocs            Frees            Diff       Bytes   ....

 DSOb Paged 994216755 (184224) 915435919 (182518) 78780836 25416330128 
 DSqe Nonp  1017733273 (5224)  843666118 ( 733)  174067155 13925372400 
 PoEv Paged 1306288937 (2635)  1281031406 (2383) 25257531  9584639152 

In this case the drivers with the tags DSOb and DSqe show excessive usage of the paged and nonpaged pool. A large difference between “Allocs” and “Frees” is also a hint of leaking memory.

To identify the corresponding driver, open a cmd shell and navigate to c:\Windows\System32\drivers

c:\> cd c:\Windows\System32\drivers
c:\Windows\System32\drivers> findstr /m /s /l DSOb *.sys
DSDriver.sys

Microsoft also has a list of pool tags used by Windows.
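
The two steps above (rank the tags, then search the driver files for the tag) can be scripted. This is an added example, not part of the original post: it parses the tag rows shown above, computes the average size of the outstanding allocations, and does the same literal search as findstr /m /s /l. The function names and the 10 GiB threshold are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Constructed input: the three tag rows from the poolmon output shown above.
SAMPLE = """\
 DSOb Paged 994216755 (184224) 915435919 (182518) 78780836 25416330128
 DSqe Nonp  1017733273 (5224)  843666118 ( 733)  174067155 13925372400
 PoEv Paged 1306288937 (2635)  1281031406 (2383) 25257531  9584639152
"""

# Columns: Tag, pool type, Allocs (delta), Frees (delta), Diff, Bytes
ROW = re.compile(r"^\s*(\S{1,4})\s+(Paged|Nonp)\s+(\d+)\s*\(\s*\d+\)\s+"
                 r"(\d+)\s*\(\s*\d+\)\s+(\d+)\s+(\d+)")

def parse_poolmon(text):
    """Return one dict per tag row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tag, pool, allocs, frees, diff, nbytes = m.groups()
        allocs, frees, diff, nbytes = map(int, (allocs, frees, diff, nbytes))
        rows.append({"tag": tag, "pool": pool, "allocs": allocs, "frees": frees,
                     "diff": diff, "bytes": nbytes,
                     # average size of an allocation that was never freed
                     "avg": nbytes / diff if diff else 0.0})
    return rows

def rank_suspects(rows, min_bytes=10 * 1024**3):
    """Tags holding at least min_bytes, largest first (threshold is an assumption)."""
    hits = [r for r in rows if r["bytes"] >= min_bytes]
    return sorted(hits, key=lambda r: r["bytes"], reverse=True)

def find_drivers(tag, driver_dir):
    """Like findstr /m /s /l: names of .sys files containing the literal tag."""
    needle = tag.encode("ascii")
    return sorted(p.name for p in Path(driver_dir).rglob("*.sys")
                  if p.is_file() and needle in p.read_bytes())

if __name__ == "__main__":
    for r in rank_suspects(parse_poolmon(SAMPLE)):
        print(f'{r["tag"]} {r["pool"]:5} {r["bytes"] / 1024**3:6.1f} GiB '
              f'outstanding={r["diff"]} avg={r["avg"]:.0f} B')
        print("  candidates:", find_drivers(r["tag"], r"C:\Windows\System32\drivers"))
```

For DSqe the average comes out at exactly 80 bytes per outstanding allocation, which points to one fixed-size structure that is allocated repeatedly and never freed.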

Michael

One comment to this article

  1. Good One Bro… Very small article with all the needed information… Was able to identify the culprit who is leaking memory in my environment.

    Keep it up !
