Why is Process Monitor taking up 2+ GB of physical memory?

2

I am trying to hunt down a rogue process that is locking a file in a specific directory which is preventing a log being appended to. This locking happens about one to three times a week, so needless to say I want ProcMon to run for a long time unattended.

Unfortunately, about once an hour ProcMon will start steadily increasing its memory usage past 2 GB. At this point I do a "Clear Display" and the memory used goes back to ~200 MB.

I have "Drop Filtered Events" turned on.
I have a backing file set to a file on my desktop (which oddly enough never changes from 4 MB).
I have the filtering set so that it includes only processes hitting that directory.
I also exclude the 3 processes that should be accessing that directory.

As a side note, when going into the "Process Monitor Backing Files" dialog, this is displayed:

ProcMon load: 100.0% @ p-1717994043 (2,210,277,644...

ddechant

Posted 2011-06-29T21:15:08.230

Reputation: 21

Answers

2

To reduce memory usage for long captures, there is a way to tell ProcMon to store its captured data to a file instead of in virtual memory.

Just use the "File --> Backing Files..." option and change the backing file(s) from "Use Virtual Memory" to "Use file named" and specify a file on a fast disk with plenty of free storage.

ProcMon will then write out capture data to the specified file instead of buffering in virtual memory.

Chris Kline

Posted 2011-06-29T21:15:08.230

Reputation: 153

1 Another addition would be to use "Filter -> Drop Filtered Events". It's weird, but it actually drops UNfiltered events from the file/page file. – Rahly – 2018-05-27T04:35:46.747
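The backing-file approach from the answer above can also be driven from the command line for an unattended capture. The following is an added example, not code from any of the posts: it runs ProcMon in fixed-length slices, each with its own backing file, so every slice starts a fresh instance and old slices are pruned. The paths, the slice length, the retention count and the exported configuration file `lockhunt.pmc` are assumptions.

```powershell
# Added example: rotating Process Monitor capture. All paths and sizes below
# are assumptions for illustration; none of them come from the original posts.
$ProcMon   = 'C:\Tools\Procmon64.exe'     # assumed install location
$Config    = 'C:\Tools\lockhunt.pmc'      # assumed: configuration exported from the ProcMon GUI
$OutDir    = 'D:\ProcMonCaptures'         # assumed: fast disk with plenty of free space
$SliceSecs = 3600                         # length of one capture slice, in seconds
$KeepSlice = 72                           # number of slices to retain

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

while ($true) {
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $pml   = Join-Path $OutDir "capture_$stamp.pml"

    # /BackingFile sends events to disk instead of virtual memory;
    # /Runtime ends the capture after the given number of seconds.
    $procArgs = @(
        '/AcceptEula', '/Quiet', '/Minimized',
        '/LoadConfig',  "`"$Config`"",
        '/BackingFile', "`"$pml`"",
        '/Runtime',     $SliceSecs
    )
    $proc = Start-Process -FilePath $ProcMon -ArgumentList $procArgs -PassThru

    # Allow two minutes of grace, then ask the running instance to shut down
    # cleanly; killing the process outright can leave the backing file unreadable.
    if (-not $proc.WaitForExit(($SliceSecs + 120) * 1000)) {
        Start-Process -FilePath $ProcMon -ArgumentList '/Terminate' -Wait
        $null = $proc.WaitForExit(60000)
    }

    # Group by the 23-character "capture_<timestamp>" prefix so that any extra
    # files written for the same slice are pruned together with it.
    Get-ChildItem -Path $OutDir -Filter 'capture_*.pml' |
        Group-Object { $_.BaseName.Substring(0, 23) } |
        Sort-Object Name -Descending |
        Select-Object -Skip $KeepSlice |
        ForEach-Object { $_.Group | Remove-Item -Force }
}
```

Once the lock has been observed, open the slice whose timestamp covers that time in the ProcMon GUI and apply the directory filter there.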

1

Drop Filtered Events only filters them... They are still collected...

...However, 2 GB is an awful lot; on my machine, it takes around 5 MB of memory. Are you sure you are looking at the correct statistic?

Process Monitor collects a hell of a lot of information every second, and it does store lots of data in the pagefile... if this is low, it may be using your memory.

Unfortunately, I do not think there is anything you can do about this apart from increasing the size of your pagefile.

William Hilsum

Posted 2011-06-29T21:15:08.230

Reputation: 111 572

I'm pretty sure I'm looking at the correct statistic considering how quickly my Free Physical Memory goes down in Task Manager when the spike starts. I mentioned above that I am not backing using the page file. I imagine that means the pagefile usage would be minimal. – ddechant – 2011-06-29T21:51:18.603

I didn't understand that part... I have never done that and it is most likely the cause... – William Hilsum – 2011-06-29T22:13:21.230

Thing is, it does it regardless of my backing file setting. – ddechant – 2011-06-30T16:04:22.717

How big is your pagefile? – William Hilsum – 2011-06-30T16:59:46.200

The file itself is at 17 GB. Task Manager reports using 1.6 GB / 24.9 GB – ddechant – 2011-06-30T17:56:38.263

0

1.6GB/24.9GB is not a lot.

When I use Sysinternals Process Monitor to monitor all IO activity when installing a large program and I leave all the filters off, so everything is captured, RAM & pagefile usage goes through the roof after some time.

For instance, I am having it monitor the install of the huge program that is Visual Studio Community 2015. It has been going for about an hour and my pagefile is 47.8GB used out of 55.6GB pagefile size. Luckily I have an SSD so the system is still usable, though very slow.

When I go to the 'details' pane of Task Manager (Windows 8+), for procmon64.exe it shows Working set(memory) hovering between 60-90MB. Commit size is about 375MB. So Task Manager does not show the huge page file usage procmon64.exe is using, interesting.

After some time, when the install was finally finishing many hours later (thanks to constant pagefile swapping to/from the SSD, and VS 2015's installer is very very inefficient), procmon64.exe's working set(memory) was ~700MB and Commit Size was 821MB. Under 'Performance' tab -> 'Memory' 'Committed'; 73.4GB/89.5GB, my SSD was running out of space with a 90GB pagefile! Procmon64.exe had recorded a bit over 120 million events. The saved .pml file was at 62GB, though 7z compressed to 3GB.

This program can really eat up pagefile space, be careful. A few pics. http://imgur.com/a/kcgJk

danwat1234

Posted 2011-06-29T21:15:08.230

Reputation: 37