Table of Contents
An intro:
Nonpaged memory leak issue is very frequent in a sysadmin life and fixing such issue using poolmon is easy. In first place we may want to have a look at windows task manager but there are not enough information to get the culprit process or driver that is causing the issue.
Today we will discuss about nonpaged memory leak and poolmon tool with practical steps. Here we are simulating the memory leak issue hence in real life you may face different situation, but by following the given steps you will be able to fix the issue permanently.
Yes, Users complain about memory leak that impacts their application performance and sometimes applications stop responding due to lack of memory.
So when we are talking about memory leak that means we are pointing to below section in Windows Task Manager in Memory Tab
Note: Please do a google search on what is paged and nonpaged memory pool, this will help you understand the steps better.
As you can see now the non-paged pool is in expected range ~200-400 MB is okay.
Simulating the memory Leak Issue:
Ok fine! At this point we got a brief intro about memory leak. Now lets produce the issue so that we can troubleshoot
Before we create the issue we need to download a tool called NotMyFault from the following website.
https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault
It will be downloaded as a zip file, extract it and you will see files as below
We will use the highlighted file as my OS is 64bit OS. The 1st two exe files are GUI and the last 2 are command line based. You can use it as per your convenience.
Great! Now right click on notmyfault64.exe and RUN as an Administrator, you will see following windows
Click the Leak tab, and set as given below
Note: Here I have set it to 30000KB as I have 16GB RAM installed, you can put a lower value depending on your system RAM configuration.
Now Click Leak Nonpaged Tab
See how the Non-Paged pool section going high as shown below
And it reached upto 7.5 GB.
Root Cause Analysis:
Now download the Windows Driver Kit(WDK) from below location and install it.
https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Go to C:\Program Files (x86)\Windows Kits\10\Tools\x64 and copy poolmon.exe to the target machine.
You can download directly from below Github repo
https://github.com/Jagat45106/SysAdmin_PSTools/tree/master/Poolmon
Now run poolmon command as shown below
# Poolmon /p /b
/p – Sort the nonpaged pool
/b – Sort with bytes consumed
If you see the Bytes column you can see the value matched with the non-paged section in Task Manager, if you look at Tag “Leak” it’s pretty much clear that it’s due to the tool we are using.
However in real life you may see most of the time the memory leak happened due to 3rd party applications driver file (*.sys). One example is as below
In the above snip you can see the tag, it’s MFeS which consumes the highest bytes.
Also a good indicator of memory leaking is when its allocating memory faster than its freeing it. ( Look at Allocs and Frees column).
A quick google about MFeS, showed us mfeavfk.sys file which is from McAfee.
OR you can use the following Powershell command to have a look at Drivers folder for any association.
# Set-Location “C:\Windows\System32\drivers”
# Select-String -Path *.sys -Pattern “MFeS” -CaseSensitive | Select-Object FileName -Unique
The MFeS tag will show you the link with mfeavfk.sys driver file which is from McAfee. In this case raise a case with McAfee and they will assist for a fix.
I hope you enjoyed the blog post ! Please do share if you liked it!
Please explore my other blogs in https://learn-inside.com/
Thank you!