Fix NonPaged Memory Leak | Poolmon – Windows 10 and Server | Easy Steps


An intro:

Nonpaged memory leaks are a frequent issue in a sysadmin's life, and tracking one down with poolmon is easy. The first place to look is usually Windows Task Manager, but it does not give enough information to identify the process or driver that is causing the issue.

Today we will discuss nonpaged memory leaks and the poolmon tool with practical steps. Here we simulate the leak, so in real life you may face a different situation, but by following the given steps you will be able to fix the issue permanently.

Users complain about memory leaks that impact their application performance, and sometimes applications stop responding due to lack of memory.

When we talk about a memory leak here, we mean the section below in the Memory tab of Windows Task Manager.

Note: Please do a Google search on what the paged and nonpaged memory pools are; this will help you understand the steps better.

As you can see, the non-paged pool is currently in the expected range; ~200-400 MB is okay.

Simulating the Memory Leak Issue:

OK, at this point we have had a brief intro to memory leaks. Now let's reproduce the issue so that we can troubleshoot it.

Before we create the issue, we need to download a tool called NotMyFault from the following website.

https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault

It downloads as a zip file; extract it and you will see the files as below.

We will use the highlighted file as my OS is 64-bit. The first two exe files are GUI and the last two are command-line based. You can use whichever is convenient.

Now right-click notmyfault64.exe and run it as an Administrator; you will see the following window.

Click the Leak tab and set it as given below.

Note: Here I have set it to 30000 KB as I have 16 GB RAM installed; you can use a lower value depending on your system's RAM configuration.

Now click Leak Nonpaged.

Watch the Non-paged pool value climb, as shown below.

It reached up to 7.5 GB.

Root Cause Analysis:

Now download the Windows Driver Kit (WDK) from the location below and install it.

https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

Go to C:\Program Files (x86)\Windows Kits\10\Tools\x64 and copy poolmon.exe to the target machine.

Alternatively, you can download it directly from the GitHub repo below.

https://github.com/Jagat45106/SysAdmin_PSTools/tree/master/Poolmon

Now run poolmon as shown below:

    poolmon /p /b

    /p – Show only nonpaged pool allocations
    /b – Sort by bytes consumed

If you look at the Bytes column, the value matches the non-paged figure in Task Manager, and the tag "Leak" makes it clear that the growth is due to the tool we are using.

However, in real life, most of the time the memory leak is caused by a third-party application's driver file (*.sys). One example is shown below.

In the above snip you can see that the tag MFeS consumes the most bytes.

Another good indicator of a leak is a tag that allocates memory faster than it frees it (look at the Allocs and Frees columns).

A quick Google search for MFeS pointed us to the file mfeavfk.sys, which is from McAfee.

Or you can use the following PowerShell commands to search the drivers folder for any association.

    Set-Location "C:\Windows\System32\drivers"

    Select-String -Path *.sys -Pattern "MFeS" -CaseSensitive | Select-Object FileName -Unique

The MFeS tag shows the link to the mfeavfk.sys driver file, which is from McAfee. In this case, raise a case with McAfee and they will assist with a fix.
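The tag-to-driver lookup above, as an added PowerShell example that is not part of the original post: it searches each .sys file byte-for-byte for the tag and reports the vendor and signature of every match, so the driver can be attributed without a web search. The function name Find-PoolTagDriver is hypothetical, and the default path assumes the driver sits in the standard drivers folder.

```powershell
# Added example (not from the original post). Find-PoolTagDriver is a hypothetical name.
function Find-PoolTagDriver {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateLength(1, 4)]   # pool tags are at most four characters
        [string]$Tag,
        # Assumption: the driver is in the default drivers folder.
        [string[]]$Path = @("$env:SystemRoot\System32\drivers")
    )

    # The tag is stored in the driver image as raw ASCII bytes. Latin-1 maps every
    # byte to exactly one character, so an ordinal IndexOf is a byte-exact search.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    Get-ChildItem -Path $Path -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_   # keep the file: inside catch, $_ is the error record
            try {
                $image = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
            } catch {
                Write-Warning "Skipped $($file.Name): $($_.Exception.Message)"
                return   # move on to the next file
            }
            # Case-sensitive match, like -CaseSensitive in the Select-String command.
            if ($image.IndexOf($Tag, [System.StringComparison]::Ordinal) -ge 0) {
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                [pscustomobject]@{
                    Driver      = $file.Name
                    Company     = $file.VersionInfo.CompanyName
                    Description = $file.VersionInfo.FileDescription
                    Version     = $file.VersionInfo.FileVersion
                    Signature   = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Tag taken from the poolmon output discussed above.
Find-PoolTagDriver -Tag 'MFeS' | Format-Table -AutoSize
```

A match is a lead rather than proof, since a four-byte string can also occur in an unrelated driver; confirm it against the Allocs and Frees trend in poolmon before raising a vendor case.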
