naxplay.blogg.se

Where to find poolmon.exe








I have had several issues in the past year involving kernel memory leaks, so I decided to make a separate blog post about general kernel memory leak analysis. In this post I mostly use the amazing Sysinternals tools for troubleshooting. You also need poolmon.exe, a small utility currently part of the Windows Driver Kit (WDK). Poolmon.exe is not available as a separate download; you have to download and install the entire 500+ MiB WDK somewhere to extract it. You only have to do this once though, as there is no need to install the WDK on every system you analyze. You can just copy the executable from the machine where you installed the WDK.

Something is causing the kernel paged or non-paged pool to rise uncontrollably. Screenshot from Process Explorer's System Information dialog:

In this sample, the non-paged pool has grown to an unhealthy 2.2 GB and continues to grow. Even though the pool limit is 128 GiB and the server has a whopping 256 GiB of RAM, the kernel memory pools are usually way below the 1 GiB mark. You should of course baseline this to make sure you actually have an issue, but generally speaking, every time I find a kernel memory value above 1 GiB I go hunting for the cause.

Analysis

Note: To show the pool limits, you have to enable symbols in Process Explorer. Scott Hanselman has blogged about that here:

Kernel leaks are usually caused by a driver. Kernel leaks in the OS itself are very rare, unless you are running some sort of beta version of Windows. To investigate further, you have to fire up poolmon.exe. The keys you press while it is running change the view:

P – Sorts tag list by Paged, Non-Paged, or mixed.
B – Sorts tags by max byte usage.
E – Display Paged, Non-paged total across bottom.
T – Sort tags alphabetically by tag name.
S – Sorts tags by the differences of allocs and frees.

The important ones are "P", to view either paged or non-paged pool tags, and "B", to list the ones using the most of it at the top. The same view as above, after pressing "P" and "B":

The "Cont" tag relates to "Contiguous physical memory allocations for device drivers", and is usually the largest tag on a normal system. And this screenshot is from the server with the non-paged leak:

As you can see, the LkaL tag is using more than 1 GiB on its own, accounting for half of the pool.

We have identified the pool tag; now we have to look for the driver that owns it. To do that, I use one of two methods:

1: Do an internet search for the pool tag.
2: Use Sysinternals strings together with findstr.
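As an added example (not code from the original post), the PowerShell script below automates the procedure described above: it reads the paged and non-paged pool sizes from the performance counters and compares them with the 1 GiB rule of thumb, ranks the tags in a poolmon snapshot that was saved to a text file, and then searches the drivers directory for the suspect tag, which is what "strings * | findstr /i <tag>" does by hand. The poolmon column layout the parser expects, the sample snapshot it falls back to when no file is supplied, and the parameter names are assumptions made for this example.

```powershell
<#
  Added example, not from the original post. Steps:
    1. Get-KernelPoolUsage     - pool sizes in bytes (same values Process Explorer shows)
    2. Get-PoolTagsFromSnapshot - parse a poolmon snapshot saved as text, rank by bytes
    3. Find-DriversWithTag      - which .sys files contain the tag bytes
  Assumptions: the poolmon row layout in the comment below, the constructed
  sample snapshot, and the default threshold (the post's 1 GiB rule of thumb).
#>
param(
    [long]$ThresholdBytes = 1GB,
    [string]$SnapshotFile = '',                               # poolmon output saved as text
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [int]$Top = 5
)

function Get-KernelPoolUsage {
    # Performance counters report the kernel pools in bytes; no symbols needed.
    $samples = (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes').CounterSamples
    [pscustomobject]@{
        NonPagedBytes = [long]($samples | Where-Object Path -like '*pool nonpaged bytes').CookedValue
        PagedBytes    = [long]($samples | Where-Object Path -like '*pool paged bytes').CookedValue
    }
}

# Assumed poolmon row layout (deltas in parentheses), one row per tag:
#  Tag  Type     Allocs            Frees            Diff   Bytes      Per Alloc
#  LkaL Nonp  1034567 (  120)   120345 (    3)  914222 1105002496 ( 98304)   1208
$script:PoolmonRow = '^\s*(?<Tag>\S{1,4})\s+(?<Type>Paged|Nonp)\s+(?<Allocs>\d+)\s+\(\s*-?\d+\)\s+' +
                     '(?<Frees>\d+)\s+\(\s*-?\d+\)\s+(?<Diff>-?\d+)\s+(?<Bytes>\d+)\s+\(\s*-?\d+\)\s+(?<PerAlloc>\d+)'

function Get-PoolTagsFromSnapshot {
    param([string[]]$Lines, [string]$PoolType = 'Nonp')
    foreach ($line in $Lines) {
        if ($line -match $script:PoolmonRow -and $Matches.Type -eq $PoolType) {
            [pscustomobject]@{
                Tag   = $Matches.Tag
                Type  = $Matches.Type
                Diff  = [long]$Matches.Diff     # outstanding allocations: allocs - frees
                Bytes = [long]$Matches.Bytes
            }
        }
    }
}

function Find-DriversWithTag {
    param([string]$Tag, [string]$Dir = $DriverDir)
    # The tag is an immediate operand of ExAllocatePoolWithTag and sits in the
    # image as the same four ASCII bytes poolmon displays, so a raw byte search
    # finds candidates. Latin-1 maps bytes 1:1 to chars, so .Contains is byte-exact.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    Get-ChildItem -Path $Dir -Filter *.sys -File -ErrorAction SilentlyContinue | ForEach-Object {
        try   { $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName)) }
        catch { return }                        # unreadable file: skip it
        if ($text.Contains($Tag)) {
            [pscustomobject]@{
                Driver      = $_.Name
                Company     = $_.VersionInfo.CompanyName
                Description = $_.VersionInfo.FileDescription
                Version     = $_.VersionInfo.FileVersion
            }
        }
    }
}

# Constructed sample snapshot (not real output) used when -SnapshotFile is not given.
$SampleSnapshot = @'
 Tag  Type     Allocs            Frees            Diff   Bytes      Per Alloc
 LkaL Nonp  1034567 (  120)   120345 (    3)  914222 1105002496 ( 98304)   1208
 Cont Nonp    14235 (    0)    13879 (    0)     356  231211008 (     0) 649469
 File Nonp  2345678 (   40)  2344500 (   38)    1178     301568 (   512)    256
 MmSt Paged  456789 (    2)   455555 (    1)    1234    1263616 (     0)   1024
'@

# --- run ---------------------------------------------------------------------
$usage = Get-KernelPoolUsage
'Non-paged pool: {0:N0} MiB   Paged pool: {1:N0} MiB' -f ($usage.NonPagedBytes / 1MB), ($usage.PagedBytes / 1MB)
$suspectPool = if ($usage.NonPagedBytes -ge $ThresholdBytes) { 'Nonp' }
               elseif ($usage.PagedBytes -ge $ThresholdBytes) { 'Paged' }
if (-not $suspectPool) { 'Both pools are below the threshold; baseline before going further.'; return }

$lines = if ($SnapshotFile -and (Test-Path $SnapshotFile)) { Get-Content $SnapshotFile } else { $SampleSnapshot -split "`r?`n" }
$tags  = Get-PoolTagsFromSnapshot -Lines $lines -PoolType $suspectPool
$top   = @($tags | Sort-Object Bytes -Descending | Select-Object -First $Top)
$top | Format-Table -AutoSize
$poolBytesInSnapshot = ($tags | Measure-Object -Property Bytes -Sum).Sum
$suspect = $top[0]
'Largest tag {0} holds {1:N1} % of the {2} pool bytes in the snapshot' -f $suspect.Tag, (100 * $suspect.Bytes / $poolBytesInSnapshot), $suspectPool
"Drivers in $DriverDir containing '$($suspect.Tag)':"
Find-DriversWithTag -Tag $suspect.Tag | Format-Table -AutoSize
```

Two caveats when reading the driver list: a four-byte string can occur in an unrelated binary by coincidence, so treat a hit as a candidate and confirm it with the vendor's documentation or a debugger, and tags used by Windows itself are listed in the pooltag.txt file shipped with the Debugging Tools for Windows, which is worth checking before searching third-party drivers.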









