Windows 10 Memory Leak

2

4

I've had a memory leak issue with Windows 10 for about a year now, but I really want to fix this now as it is having a sizable impact on my work.

As you can see from the picture below, I have 8GB of RAM. 92% of it is in use, even though the applications don't exceed 1GB.

I upgraded from Windows 7 Pro 64-bit to Windows 10 last year.

Ask for more details, I don't know what else to provide. I'm at a loss as to what could be causing this.

Details

Shyy Guy

Posted 2016-12-26T18:56:26.733

Reputation: 147

have you tried my steps to see what causes your memory usage? – magicandre1981 – 2017-01-12T21:35:00.560

Sorry, not yet. I had to wait until I could download the necessary software since my data is restricted. I'll mark yours as the correct answer, as I'm confident it'll work well. – Shyy Guy – 2017-01-12T22:40:26.503

Possible duplicate of Windows 10 memory leaking

– DanHolli – 2017-01-15T00:40:29.247

I've updated my answer to trace the pool usage – magicandre1981 – 2017-01-19T16:49:23.447

any update? have you extended the stack of the 4 tags? do you see anything useful? if not, zip the ETL and share (onedrive share link) the zip – magicandre1981 – 2017-02-05T08:14:48.240

Answers

9

1 large part of your high memory usage (2GB) comes from a high Page table usage.

enter image description here

To see which processes use it, install the Windows Performance Toolkit which is part of the Windows 10 SDK, open a command prompt as admin and run this command:

wpr.exe -start ReferenceSet -filemode && timeout 5 && wpr.exe -stop C:\MemUsage.etl

Open the MemUsage.etl with Windows Performance Analyzer (WPA.exe), expand the memory entry

enter image description here

drag and drop the graph ResidentSet from the left graph list to the analysis pane:

enter image description here

Now move the Page Category column to the left side and expand the Page Table entry:

enter image description here

Here you see the processes which have the high pagetable usage. On the right site (after the blue line), you see page table memory usage in MB for each process.

Also the combined (non-)paged pool usage is nearly 2GB.

Install the WDK, Run poolmon (C:\Program Files (x86)\Windows Kits\10\Tools\x64\poolmon.exe), sort the data via P after pool type so that non paged/next time paged is on top and via B after bytes to see the tag which uses most memory.

Now look which pooltag uses most memory as shown here:

enter image description here

Now open a cmd prompt and run the findstr command. To do this, open cmd prompt and type "cd C:\Windows\System32\drivers", without quotes. Then type "findstr /s __ .", where __ is the tag (left-most name in poolmon). Do this to see which driver uses this tag:

enter image description here

Now, go to the drivers folder (C:\Windows\System32\drivers) and right-click the driver in question (intmsd.sys in the above image example). Click Properties, go to the details tab to find the Product Name. Look for an update for that product.

Fixing both issues could get nearly 4GB back.

Based on your screenshot on stackoverflow, 4 tags (VoSM, FILE, Ntfx and Proc) which belong to Windows functions.

Copy/paste this text to a new txt file and rename it to PoolTagLeak.wprp

<?xml version="1.0" encoding="utf-8"?>
<WindowsPerformanceRecorder Version="1.0" Author="MagicAndre1981" Copyright="MagicAndre1981" Company="MagicAndre1981">
  <Profiles>
    <SystemCollector Id="SystemCollector" Name="NT Kernel Logger">
      <BufferSize Value="1024" />
      <Buffers Value="1024" />
    </SystemCollector>
    <SystemProvider Id="SystemProvider">
      <Keywords>
        <Keyword Value="Pool" />
      </Keywords>
      <Stacks>
        <Stack Value="PoolAllocation" />
        <Stack Value="PoolAllocationSession" />
      </Stacks>
      <PoolTags>
        <PoolTag Value="VoSM"/>
        <PoolTag Value="File"/>
        <PoolTag Value="Ntfx"/>
        <PoolTag Value="Proc"/>
      </PoolTags>
    </SystemProvider>
    <Profile Id="PoolUsage.Verbose.File" Name="PoolUsage" Description="Pool usage Tag 'Leak' " LoggingMode="File" DetailLevel="Verbose">
      <Collectors>
        <SystemCollectorId Value="SystemCollector">
          <SystemProviderId Value="SystemProvider" />
        </SystemCollectorId>
      </Collectors>
    </Profile>
    <Profile Id="PoolUsage.Verbose.Memory" Name="PoolUsage" Description="Pool usage Tag 'Leak'" Base="PoolUsage.Verbose.File" LoggingMode="Memory" DetailLevel="Verbose" />
  </Profiles>
</WindowsPerformanceRecorder>

Now run wpr.exe -start C:\PoolTagLeak.wprp && timeout 600 && wpr.exe -stop C:\PoolusageUsage.etl and try to repro the usage grow.

Drag & Drop the Pool Graph to the analyze pane, order the columns to Type, Pooltag, Stack.

enter image description here

Now go to AIFO (allocated inside, freed outside, so this is a possible leak), find your 4 tags and expand the stack to see which functions do this tag use. Based on the names of the functions you can see the "cause". In my demo, the Thre tag (Thread) is used by AVKCl.exe from G-Data because it starts a lot of threads. Look for driver/program updates to fix it.

magicandre1981

Posted 2016-12-26T18:56:26.733

Reputation: 86 560

@ShyyGuy in win10, ReferenceSet works, you used an old WPT version – magicandre1981 – 2017-01-19T05:41:40.623

@magicandre1983, did it. The highest values are EtwB at 1023MB, File at 79MB, VoSm at 36MB, Proc at 12MB, etc.

For EtwB, it's giving me an N/A under the stack column. I tried searching for it in the drivers folder, but no results. – Shyy Guy – 2017-01-19T19:00:54.137

ignore this ETWb one, this is used to capture the trace by wpr – magicandre1981 – 2017-01-19T19:13:06.920

My Page Table is now 12GB big and in ResidentSet I can see it's all taken by process "Unknown" (-1). Any ideas how to identify the real source? The poolmon didn't find anything big. – icl7126 – 2017-02-05T12:55:32.333

1@icl7126 do some trial & error to see which program causes it. I know that Lenovo "RapidBoot Shield" causes it. – magicandre1981 – 2017-02-05T17:25:43.387

Fixed, thanks, it was one of these: Razer Synapse, Paragon Hard Disk Manager, Qualcomm Atheros Client, UNi Xonar Drivers, PC Connectivity Solution, Nokia Driver, WinPcap, Nvidia PhysX, Logitech Webcam – icl7126 – 2017-02-08T10:13:53.373

@icl7126 can you test this more until you see which one causes it. I would like to know which process in detail causes it. – magicandre1981 – 2017-02-08T16:29:28.457

I'm not sure it's possible. Somehow there is no restore point created in my system (very odd). And those apps were quite old, some of them I installed in my Windows 8 many years ago and then they persisted through upgrades to 8.1, 10, 10-au. But if you really need to know, I will try some of those I still have installers for. – icl7126 – 2017-02-08T16:55:44.943

@icl7126 it would be nice to know this, if some other users have the same issue and say "hey, I also use tool xyz" so that they can remove it and fix it. – magicandre1981 – 2017-02-08T16:59:24.413

Asked: 2016-12-26T18:56:26.733

Viewed: 2 387 times

Active: 2017-01-24T19:41:29.480