I previously asked a question about a server that had a very high nonpaged pool memory utilization and someone explained how to use poolmon to track down the problem driver.
I did this, but I'm not sure I have identified the issue.
Running poolmon:
Now searching for fwpx I only got one "match":
dsac.exe? The AD administrative center is causing the memory leak? That obviously can't be right, but that was the only match findstr found.
Googling the fwpx pool tag I can see some issues people had with the McAfee anti-virus product (but Symantec SEP is installed on this server).
According to this TechNet blog post the fwpx pool tag is related to this driver: Fwpx - fwpkclnt.sys - WFP NBL tagged context
But if that is the case, why didn't findstr locate it?
Then I googled more and found this KB: https://support.microsoft.com/en-us/kb/2885980
According to the KB the FwpsAllocateCloneNetBufferlist() API leaks memory - awesome.
But I'm still not 100% sure this is the issue. Before installing the hot-fix, how can I confirm this problem is caused by this WFP bug? I would assume it's SEP that is using the buggy WFP API. This makes sense because I saw McAfee users (another AV product that might be using the API) having similar memory leak issues.
But to be sure, how can I identify the program that is calling the WFP API - if that is what is actually even happening?