Windows: Finding a driver which leaks memory

Hi,

if your system runs out of (physical) memory and no process could be identified who is allocating the memory, the paged- or nonpaged pool could also have an high memory load.

Check the TaskManager

Windows TaskManager paged nonpaged Size
Windows TaskManager paged nonpaged Size

To analyze this behaviour a additional tools is requiered.
poolmon – This is shipped with the Windows Device Driver Kit. The Tool is located in the Installation folder of DDK in the tools\other directory.

Start poolmon storted by allocated bytes

C:\> D:\tools\poolmon.exe /b
Memory:50321708K Avail:   83404K  PageFlts:113987   InRam Krnl: 2428K P:7413004K
 Commit:66859664K Limit:67113448K Peak:66859232K            Pool N:15924280K P:43259616K
 System pool information
 Tag  Type     Allocs            Frees            Diff       Bytes   ....

 DSOb Paged 994216755 (184224) 915435919 (182518) 78780836 25416330128 
 DSqe Nonp  1017733273 (5224)  843666118 ( 733)  174067155 13925372400 
 PoEv Paged 1306288937 (2635)  1281031406 (2383) 25257531  9584639152 

In this case the drivers with the tags DSOb and DSqe have an exessive usage of the paged and nonpaged pool. Also a large difference betweenn “Allocs” and “frees” are a hint of leaking memory.

To identify the correspondending driver open a cmd shell and navigate to c:\Windows\System32\drivers

c:\> cd c:\Windows\System32\drivers
c:\Windows\System32\drivers> findstr /m /s /l DSOb *.sys
DSDriver.sys

Mircosoft has also a list of Pooltags used by Windows.

Michael

Advertisment to support michlstechblog.info

4 thoughts on “Windows: Finding a driver which leaks memory”

  1. Good One Bro… Very small article with all the needed information… Was able to idenfy the culprit who is leaking memory in my environment.

    Keep it up !

  2. Thanks for the article. That was super helpful. I found that in my case the pool tag PdcA has about 23GB of bytes shown in poolmon and leaking continuously higher as I watch it with no applications except for chrome running on the computer. The problem is, it seems to be associated with multiple drivers:
    dam.sys
    netio.sys
    pdc.sys
    tcpip.sys
    usbhub.sys

    Only three of which are even loaded currently: pdc.sys, netio.sys tcpip.sys
    As far as I know, these are provided by Microsoft and not 3rd party.

    How do I go about doing something about the memory leak once I’ve identified the drivers this far?

  3. Hi, I have 8GB Ram my ram spikes up because of my USB 3.0 Driver and crashes my Windows 7 PC. The problem is CPU Usage is 2% to 7% and the error code is:
    RAM_CPU_USAGE_HIGH
    and after restarting
    DRIVER_CORRUPTED

Leave a Reply to A guy Cancel reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.