2

I previously asked a question about a server that had a very high nonpaged pool memory utilization and someone explained how to use poolmon to track down the problem driver.

I did this, but I'm not sure I have identified the issue.

Running poolmon: [screenshot]

Now searching for fwpx I only got one "match": [screenshot]

dsac.exe? The AD Administrative Center is causing the memory leak? That obviously can't be right, but that was the only match findstr found.

Googling the fwpx pool tag I can see some issues people had with the McAfee anti-virus product (but Symantec SEP is installed on this server).

According to this Technet blog post, the fwpx pool tag is related to this driver: Fwpx - fwpkclnt.sys - WFP NBL tagged context

But if that is the case why didn't findstr locate it?

Then I googled more and found this KB: https://support.microsoft.com/en-us/kb/2885980

According to the KB, the FwpsAllocateCloneNetBufferlist() API leaks memory. Awesome.

But I'm still not 100% sure this is the issue. Before installing the hotfix, how can I confirm this problem is caused by this WFP bug? I would assume it's SEP that is using the buggy WFP API. This makes sense because I saw McAfee users (another AV product that might be using the API) having similar memory leak issues.

But to be sure, how can I identify the program that is calling the WFP API, if that is what is actually even happening?

red888
  • According to the pooltag.txt from the SDK, the fwpx tag belongs to fwpkclnt.sys (Fwpx - fwpkclnt.sys - WFP NBL tagged context). We need to capture an xperf trace of the pool usage **GROW**: http://pastebin.com/fvugmGtP. The Win8.1 SDK works on Server 2008R2, but not for the original 2008. Here you have to use the Windows 7 SDK. – magicandre1981 Jun 24 '15 at 15:53
  • Have you captured a trace? If you can't share it, follow this guide: https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-48-WPT-Memory-Analysis-Pool – magicandre1981 Jun 30 '15 at 15:50
  • Any progress? Does the hotfix fix the issue? Or have you captured the trace? – magicandre1981 Jul 11 '15 at 05:38
  • Didn't have time to do a trace (but useful info). Just installed the patch and confirmed it was no longer leaking memory – red888 Jul 11 '15 at 08:53

1 Answer

1

Didn't have time to follow what magicandre1981 suggested, but was able to confirm that the patch solved the issue. Maybe this will be helpful to others that have a similar memory leak issue.

Another thing we noticed: running a full Windows Update seems to include this fix, but in some other patch. After we ran a full Windows Update on another server with this issue (instead of applying the specific patch), the patch would not install, throwing a very unhelpful "this patch does not apply to this platform" sort of error. It turns out this issue was resolved in some other update.

So I guess applying the patch or making sure the server is completely updated will solve the FwpsAllocateCloneNetBufferlist() API leak.

magicandre1981
red888
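
The tag-to-driver lookup discussed in the question and comments, as an added example that is not part of the original posts: it runs a case-sensitive, byte-exact search of the driver images for the four-character tag and prints the tag's entry from a local copy of pooltag.txt. The parameter names and the pooltag.txt path are assumptions.

```powershell
# Added example: list driver images that embed a pool tag, plus its pooltag.txt entry.
# Assumed: parameter names and the pooltag.txt location (placeholder path).
param(
    [string]$Tag = 'Fwpx',
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string]$PoolTagFile = 'C:\path\to\pooltag.txt'   # placeholder
)

# Pool tags are four case-sensitive ASCII characters: "Fwpx" is not "fwpx".
if ($Tag.Length -ne 4) { throw "Pool tag must be 4 characters, got '$Tag'" }

function Test-TagInFile {
    param([string]$Path, [string]$Tag)
    # ISO-8859-1 maps every byte to exactly one char, so an ordinal IndexOf
    # on the decoded text is a byte-exact, case-sensitive search of the binary.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    return ($text.IndexOf($Tag, [System.StringComparison]::Ordinal) -ge 0)
}

# 1. Documented owner: lines look like "Fwpx - fwpkclnt.sys - WFP NBL tagged context".
if (Test-Path $PoolTagFile) {
    $pattern = '^\s*' + [regex]::Escape($Tag) + '\s+-'
    Select-String -Path $PoolTagFile -Pattern $pattern -CaseSensitive |
        ForEach-Object { 'pooltag.txt: ' + $_.Line.Trim() }
} else {
    Write-Warning "pooltag.txt not found at $PoolTagFile; skipping lookup"
}

# 2. Driver images whose bytes contain the tag.
Get-ChildItem -Path $DriverDir -Filter *.sys | ForEach-Object {
    $file = $_   # keep the file: inside catch, $_ is the error record
    try {
        if (Test-TagInFile -Path $file.FullName -Tag $Tag) {
            $v = $file.VersionInfo
            New-Object PSObject -Property @{
                Driver = $file.Name; Company = $v.CompanyName; FileVersion = $v.FileVersion
            }
        }
    } catch {
        Write-Warning ("Could not read " + $file.FullName + ": " + $_.Exception.Message)
    }
} | Select-Object Driver, Company, FileVersion
```

A match names the module whose code allocates with that tag, not a third-party driver that calls into it. Attributing the caller needs allocation stack traces, which is what the xperf trace suggested in the comments captures.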