Recent RAM Issue with Windows 7 - Memory Slowly Fills Up

7

1

Before I say anything at all, I want you all to know where I've been with this issue:

  • I have run multiple AV scans, including: Malwarebytes, Sophos Virus Removal, ADWCleaner, ESET Smart Security 4 & Hitman Pro which did find some PUPs and remove them.
  • I have RAMMap, Windows WDK with Poolmon & Process Explorer installed.
  • I have updated all drivers, disabled all useless (aka unused/not needed) processes and services and restarted my computer multiple times over the course of yesterday and today (when the issue began).
  • Please, when I talk about this issue, don't tell me that unused RAM is wasted RAM as a valid answer to my issue. The issue is not that simple. When my RAM fills up, I experience performance issues and slowdowns of my system that I was not experiencing before, including the RAM being maxed out and system stuttering/performance issues when it is maxed out, forcing me to restart my computer.

Here are my System Specs:

Operating System: MS Windows 7 Ultimate 64-bit SP1

CPU: Intel Core i7 960 @ 3.20GHz 48 °C Bloomfield 45nm Technology

RAM: 6.0GB Triple-Channel DDR3 @ 534MHz (8-8-8-20)

Motherboard: ASUSTeK Computer INC. SABERTOOTH X58 (LGA1366) 35 °C

Graphics: NVIDIA GeForce GTX 670

Hard Drives: 2930GB Seagate ST3000DM001-1CH166 ATA Device (SATA) 30 °C

Audio: Realtek High Definition Audio (From Motherboard)

What I have found out using poolmon is that I have a driver or something else that is not releasing frees and is steadily increasing named "Proc".

Proc

As you can see, Proc has a whopping 10 frees and 46205040 bytes being used. And that number is always climbing.

What I have found from pooltag.txt (if anyone is reading this and is interested as to where to find this file, you can look here: Y:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\triage), is this description: "Proc - nt!ps - Process objects", which is pretty uninformative given the generic description. Either way, this issue seems to compound when I run a highly intensive process (such as World of Warcraft which normally takes up 1.6GB of RAM).

When that process is ended, RAM usage remains as if the program never closed. When I look at RAMMap, sometimes over 1.5GB is remaining in standby. Even when I clear it in RAMMap, it does not clear it and that RAM is not freed up to be reused.

Rammap

As you can see here, I have 2.9GB used (due to Firefox, Skype and a few other programs), but I have over 1.5GB in standby that is unused, and TaskManager & Process Explorer report that I'm using closer to 4GB.

One more issue that I've been noticing: I had updated my Ethernet drivers due to some lag issues I was experiencing with my internet (had a modem replaced and then updated them). The problem went away. I left for Thanksgiving for about a week, at which time my computer was off. When I returned home, I noticed that the processes "svchost -k LocalSystemNetworkRestricted" and "svchost -k netsvcs" would at times be using over 500-700MBs of RAM, which I had never seen before. Right now it is sitting around 164MB, but I had not even seen it come up near that number before I left.

I looked over all the programs, uninstalled a few that I had installed before I left, then did virus scans which removed some more stuff, and even rolled back my Ethernet driver. The only updates I had for Windows 7 were for Windows Defender (which I have subsequently disabled). Yet this strange behavior remains.

In a nutshell:

  • Driver or System Resource "Proc" (full description: "Proc - nt!ps - Process objects") as shown in PoolMon.exe is steadily climbing in bytes used but is not freeing them, eventually maxing RAM and causing system instability and stutters
  • "svchost -k LocalSystemNetworkRestricted" & "svchost -k netsvcs" processes have increased usage in RAM, despite anything hardly changing in the system.

Please let me know if anyone can help me.

SuperJ

Posted 2014-12-01T07:58:42.117

Reputation: 101

2 Will do. Not sure why this has been downvoted. – SuperJ – 2014-12-01T08:33:38.823

1 @SuperJ Because of the misinformation you included in the question. Unused RAM is always wasted RAM. It cannot be saved for later. This is just a fact and saying it's "not true in this case" is nonsense. (I'm not sure why you thought that would help to troubleshoot what is likely a driver leak.) – David Schwartz – 2014-12-01T08:34:23.203

Or someone else could give SuperJ an upvote to reach 10 rep. :) – Peter – 2014-12-01T08:35:01.963

I think a misunderstanding like this is not a reason for downvoting. – Kamil – 2014-12-01T08:35:21.707

1 Then explain to me why my system halts when it hits 6.0 GB used when it only adds up to 2GB of RAM used by my programs in Task Manager and Process Explorer? The reason I say that is people shrug off this issue with that stupid answer, and it's just not true because my RAM is being USED, it's just not being freed afterward. – SuperJ – 2014-12-01T08:35:42.887

How do you know that 6GB is used if Task Manager shows 2GB usage? Or maybe you mean 2GB usage in your user processes? Have you tried "Show processes from all users" button? – Kamil – 2014-12-01T08:36:37.480

Kamil, meant that it only adds up to 2GB, not shows. My bad. – SuperJ – 2014-12-01T08:38:58.217

I did a string search for Proc and it came up with over 100 different drivers. Here's just a taste. This is going to be hard:

Y:\Windows\System32\drivers>findstr /m /l Proc *.sys 1394bus.sys 1394ohci.sys acpi.sys adp94xx.sys adpahci.sys afcdp.sys afd.sys agilevpn.sys amdk8.sys amdppm.sys amdxata.sys appid.sys arc.sys arcsas.sys asyncmac.sys ataport.sys b57nd60a.sys blbdrive.sys bowser.sys BrFiltLo.sys bridge.sys BrSerId.sys bxvbda.sys cdfs.sys Classpnp.sys cng.sys crashdmp.sys csc.sys dfsc.sys dtsoftbus01.sys Dumpata.sys dxapi.sys dxg.sys dxgkrnl.sys dxgmms1.sys eamonm.sys ehdrv.sys – SuperJ – 2014-12-01T08:57:15.193

Please post the contents of the process and files tabs of RAMMap – DavidPostill – 2014-12-01T09:01:46.537
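The check the question does by eye in poolmon (bytes for one tag climbing while its frees stay flat) can be scripted by comparing two saved snapshots; this is an added example, not part of the original thread. The snapshot text, its column layout, and the names `parse_snapshot` and `leak_suspects` are constructed assumptions.

```python
# Constructed snapshots taken some minutes apart. The column layout
# (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) is an assumption.
SNAP_T0 = """\
 Tag  Type     Allocs      Frees    Diff     Bytes  Per Alloc
 Proc Nonp      20110         10   20100  30150000       1500
 Ntff Paged    100000      90000   10000  12000000       1200
 File Nonp     910000     905000    5000   1600000        320
"""
SNAP_T1 = """\
 Tag  Type     Allocs      Frees    Diff     Bytes  Per Alloc
 Proc Nonp      30814         10   30804  46205040       1499
 Ntff Paged    200000     188000   12000  14400000       1200
 File Nonp     950000     944900    5100   1632000        320
"""

def parse_snapshot(text):
    """Return {(tag, pool_type): counters} for every data row."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 7 fields; the header splits into 8.
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        allocs, frees, diff, nbytes = (int(p) for p in parts[2:6])
        rows[(parts[0], parts[1])] = {"allocs": allocs, "frees": frees,
                                      "diff": diff, "bytes": nbytes}
    return rows

def leak_suspects(before, after, min_growth=1_000_000, max_free_ratio=0.5):
    """Tags whose bytes grew while frees lagged far behind new allocations."""
    suspects = []
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            continue
        grew = new["bytes"] - old["bytes"]
        new_allocs = new["allocs"] - old["allocs"]
        new_frees = new["frees"] - old["frees"]
        if grew < min_growth or new_allocs <= 0:
            continue
        ratio = new_frees / new_allocs
        if ratio <= max_free_ratio:
            suspects.append((key[0], key[1], grew, round(ratio, 3)))
    return sorted(suspects, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    for tag, pool, grew, ratio in leak_suspects(parse_snapshot(SNAP_T0),
                                                parse_snapshot(SNAP_T1)):
        print(f"{tag} ({pool}): +{grew} bytes, frees/allocs = {ratio}")
```

A busy tag such as the constructed `Ntff` row also grows, but its frees keep pace with its allocations, so only `Proc` is reported.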

Answers

2

Edit: It seems I've solved my problem.

I'm going to go through this in some detail just in case someone else has the same issue at some point, finds this, and it works for them.

I had ESET SmartSecurity 4 installed, as well as True Image Home 2013 by Acronis. I ended up using Driver Verifier (Just type in Verifier into your start bar. CAUTION: Can cause you to experience bluescreens if a driver is acting up. Please make a system restore point and have a Windows Recovery Disk handy to use or make sure you can get into safe mode and disable it via the command line: verifier /reset).

So it detected a faulty driver after I disabled the Acronis TIB Mounter device, which is the device that mounts TIB backups in use with their "Before Boot" software which installs on your system and also seems to control all of the functionality of your USB drives as well, which I did not know. This driver, which was from Acronis, was called fltsrv.sys (Located: C:\Windows\System32\drivers\fltsrv.sys). I ended up in an endless bluescreen loop, but also couldn't boot to Safe Mode because I had disabled the TIB mounter, which allows the program to control Safe Mode boot (it does this I guess to be able to make a backup no matter what the status of your Windows Installation).

So I booted up my Windows Repair USB, and after about 2 hours of trying FIXMBR and SFC /scannow and other various things, I opened up Driver Verifier (do this by just typing verifier in the recovery CMD), just for kicks, to disable it. Since my recovery disk wouldn't let me access the Windows drive to just delete the .sys file, I figured I was out of luck at this point. I pressed the "Display information about the current verified drivers" button and hit next. I just decided to hit the "Add" button below the right pane, and what do you know, it pops open an explorer window which allows you to see .sys files. So I navigated to its path, deleted it, rebooted, and was able to log in.

Afterward, I completely uninstalled Acronis True Image Home 2013 by using the Acronis Removal Tool (found here: http://dl.acronis.com/u/support/atih_cleanup_tool_s_e.exe Directions here: https://kb.acronis.com/content/34876).

Once that was done, I was having major CPU issues, so I uninstalled my ESET Smart Security, disabled Driver Verifier, and restarted. I installed ESET Smart Security 8, and everything seems to be good now. As far as I can tell, my memory is sitting pretty stable with Firefox and a few other programs open at about 2.7GB. I'll probably go over Poolmon again if I have issues.

Quite a journey. I'm not precisely sure if it was Acronis or ESET that was the culprit, but at least my issue is gone.

End Edit

@David

Here are the current running processes and the detailed ram usage from ProcessExplorer:

Rammap Files

Rammap Processes

SuperJ

Posted 2014-12-01T07:58:42.117

Reputation: 101

1 Added them to this post. Disabling datastore.edb in my virus protection did not help. – SuperJ – 2014-12-01T09:34:14.347

Very interesting. Definitely appreciate the follow-through! – Nanban Jim – 2015-10-05T20:10:58.470

0

I have over 1.5GB in standby that is unused

The 1.5GB you refer to is tagged Unused, not Standby. This 1.5GB of memory is Zeroed.

  • Memory tagged Standby will be used when required.
  • Memory tagged Zeroed will be used when required.

Standby:

Pages of physical ram not actively being used. These are still left in physical ram but will be repurposed first by the memory manager (either returned to the active list or zeroed out and reused) if something needs physical ram for active pages. Standby pages are essentially cache – it’s better to have infrequently used data kept in RAM “just in case” than pushing it out to disk when the memory isn’t needed for anything else.

Zeroed:

Pages that have been zeroed out and are ready to be used – they can be quickly allocated for new physical memory allocations. You will usually only see a significant amount of Zeroed pages after a system is booted. After the system has “settled in” you will likely see these pages being put to good use somewhere on the Standby list as cache.

Source: Introduction to the new Sysinternals tool: RAMMap

DavidPostill

Posted 2014-12-01T07:58:42.117

Reputation: 118 938

1 Okay, so why are they not being repurposed then? It's filling up and using my RAM to the point where my system is unstable. – SuperJ – 2014-12-01T08:59:30.300

1 If you look in the screenshot, it shows 1.7GB as "standby" which is not Zeroed. And it's not being repurposed. It's sitting there while my Task Manager reports over 4GB of used RAM with only about 2GB that adds up in the current processes. And yes, I have had "Show Processes from all Users" checked forever. – SuperJ – 2014-12-01T09:02:20.900

6.3 (total) - 1.5 (unused) = 4.8 (used). Taskmanager (Current processes) is a different program to RAMMap and does not show (necessarily) the same things in the same way. Please read the link I gave you Introduction to the new Sysinternals tool: RAMMap and please post the contents of the process and files tabs of RAMMap

– DavidPostill – 2014-12-01T09:08:09.707

It seems that the culprit is the datastore.edb file, which seems to be the Windows Update history file. I just disabled the service but no change in Standby RAM. My ram has climbed to 4.2 Used. – SuperJ – 2014-12-01T09:20:56.733

Exclude c:\windows\SoftwareDistribution\Datastore\datastore.edb from your virus scanner ... – DavidPostill – 2014-12-01T09:24:48.170