Identifying and Plugging Windows memory leak


Your computer's performance often degrades because the amount of available memory has shrunk. Too much of the available memory gets allocated and, as a result, all or part of the system or device stops functioning normally.

Applications fail and the system slows down unacceptably due to thrashing. Have you ever wondered why this happens? In our role as Outsourced Tech Support for web hosts, here’s how we fix it.

What causes Windows memory leak?

A memory leak is the cause of your problem, and the majority of system crashes occur as a consequence of one. A leak can occur in the user memory area or in the system memory area.

I will explain some steps that can be used to track a memory leak. Before we get on to memory leaks, you need a clear understanding of the difference between virtual memory and physical memory.

Virtual memory is a technique that gives an application the impression that it has contiguous working memory while, in fact, that memory may be physically fragmented and may even overflow onto disk storage.

Almost all virtual memory implementations use page tables to translate the virtual addresses seen by the application program into physical addresses.

In the 32-bit Windows world, each application has its own 4GB virtual memory space. This means that each application functions, as if it has a flat 4GB memory, and the system’s “Memory Manager” keeps track of memory mapping.

Out of this 4GB virtual memory, 2GB is for user address space and 2GB goes to kernel address space (page table entries, paged pool, non-paged pool, system cache).

The non-paged pool is an area in system memory reserved for objects that must remain in physical memory as long as they are active. It is the portion of shared system memory that cannot be paged out to the disk paging file. Non-paged pool memory can be accessed at any time without causing a page fault.

Paged pool is that area in the system memory, which is susceptible to paging. Such data is eligible to be written to a paging file on the hard drive, to make room for other data in the RAM.


Even when there is more than 4GB of memory present, each process has the normal 2GB virtual address space and 2GB kernel address space, just as on a normal non-PAE (Physical Address Extension) system.

Consider a computer which has 512MB RAM. While a programmer develops an application allocating 4GB of space, another person can create a similar or new application allocating the same 4GB of space in the same machine.

Both applications can run at the same time without any issue whatsoever. The technique that makes this possible is called Paging.

An important point to note is that the division of virtual memory space into user memory and kernel memory (page table entries, paged pool, non-paged pool, system cache etc.) is a reflection of divisions in physical memory, although the values will be different and will depend on the amount of RAM installed.

For a system with 512 MB RAM

The amount of virtual and physical memory that is supported on any computer that runs Microsoft® Windows® operating system is determined by the hardware configuration and the edition of Windows.

| Windows Server 2003 edition | Virtual memory | Physical memory |
|---|---|---|
| Standard | 4 GB | 4 GB |
| Web | 4 GB | 2 GB |
| Enterprise | 4 GB | 32 GB (if the hardware supports PAE) |
| Enterprise (64-bit) | 16 terabytes | 64 GB |
| Datacenter | 4 GB | 128 GB (if the hardware supports PAE) |
| Datacenter (64-bit) | 16 terabytes | 512 GB |

A Memory Leak is caused by an application or by a process that allocates memory for use, but does not free the memory after the application or process finishes. Therefore, available memory is completely used over time.


It’s very common for people to mistake system load for a memory leak. To avoid that error, monitor the system for a number of days.

Find out whether the system runs with normal load and whether the spike is observed only during a particular period of the day.


Memory leaks are basically of two types:

  1. User Mode
  2. Kernel Mode

USER MODE MEMORY LEAKS

A memory leak can occur in the user address space of physical memory (RAM); however, this is not critical. Here, the main culprit is a particular application or service.

If you suspect that a particular application or service is causing a memory leak, investigate the memory use of your application by using the following performance monitor counters:

Start the performance monitor tool with: Start -> Run -> "perfmon /low".

Go ahead with the following counters:

Memory\Available Bytes = indicates the number of bytes available in physical memory. The value of this counter tends to fall during a memory leak.

Memory\Committed Bytes = indicates the number of bytes allocated by processes. The value of this counter tends to rise during a memory leak.

Process(process_name)\Private Bytes = indicates the number of bytes allocated exclusively for a specific process. The value of this counter tends to rise during a memory leak.

Process(process_name)\Working Set = indicates the shared and private bytes allocated to a process. The value of this counter tends to rise during a memory leak.

Process(process_name)\Page Faults/sec = indicates the total number of faults (hard and soft faults) caused by a process. The value of this counter tends to rise during a memory leak.

Process(process_name)\Page File Bytes = indicates the size of the paging file. The value of this counter tends to rise during a memory leak.
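To make the load-versus-leak distinction concrete, the following is an added example (not code from the original article) that classifies a multi-day series of a rising counter such as Process(process_name)\Private Bytes. It assumes hourly samples; the series, the 5% growth threshold and all function names are constructed for illustration.

```python
from statistics import mean

SAMPLES_PER_DAY = 24  # one sample per hour (assumed logging interval)

def _day(base, peak):
    # Constructed day: idle at `base` MB, busy from 09:00 to 17:00.
    return [base + (peak if 9 <= h < 17 else 0) for h in range(24)]

# Constructed Private Bytes series in MB, three days each (not real data).
LOAD_ONLY = _day(200, 150) * 3
LEAKING = [v + 4 * i for i, v in enumerate(LOAD_ONLY)]  # adds 4 MB per hour

def slope(values):
    """Least-squares slope of the series against sample index."""
    n = len(values)
    x_mean = (n - 1) / 2
    y_mean = mean(values)
    num = sum((i - x_mean) * (v - y_mean) for i, v in enumerate(values))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den

def daily_floors(values, per_day=SAMPLES_PER_DAY):
    """Lowest value in each complete day, i.e. the idle baseline."""
    full_days = len(values) // per_day
    return [min(values[d * per_day:(d + 1) * per_day]) for d in range(full_days)]

def classify(values, per_day=SAMPLES_PER_DAY, min_growth=0.05):
    """'leak' if the idle baseline rises day after day, 'load' if it returns."""
    floors = daily_floors(values, per_day)
    if len(floors) < 2:
        # A partial day can end mid-peak and look like growth.
        return "insufficient data"
    rising = all(b > a * (1 + min_growth) for a, b in zip(floors, floors[1:]))
    return "leak" if rising and slope(values) > 0 else "load"

if __name__ == "__main__":
    print("load-only series:", classify(LOAD_ONLY))
    print("leaking series:  ", classify(LEAKING), daily_floors(LEAKING))
```

For a counter that falls during a leak, such as Memory\Available Bytes, negate the values before classifying.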


KERNEL MODE MEMORY LEAKS

This memory leak becomes a real issue when memory that is allocated and never freed comes from the non-paged pool. Here, the culprit can be an application, a service or even a driver.

In this case, the following events may be logged in the system log:

Event ID: 2020
Source: Srv
Description: The server was unable to allocate from the system paged pool because the 
pool was empty.

Event ID: 2019
Source: Srv
Description: The server was unable to allocate from the system non-paged pool because the 
pool was empty.

1) If you suspect that a particular application or service is causing a memory leak, investigate all the counters described above. In addition, use the following counter:

Process(process_name)\Handle Count – Every time a program accesses a resource, it is given a unique identifier called a handle. The value of this counter indicates the number of handles an application has opened to access resources. The value of this counter tends to rise during a memory leak; however, you cannot rule out a leak simply because this counter’s value is stable.

DESCRIPTION OF HANDLE

Memory\Pool Nonpaged Allocs: the number of calls to allocate space in non-paged pool.

Memory\Pool Paged Allocs: the number of calls to allocate space in paged pool.

Process(process_name)\Pool Nonpaged Bytes: bytes allocated by the process in non-paged pool.

Process(process_name)\Pool Paged Bytes: bytes allocated by the process in paged pool.

2) If the memory leak is caused by a poorly written device driver, we can track it by using a set of performance counters and a utility called Poolmon (which comes with the Windows Support Tools).

Memory\Available Bytes: reports available bytes; its value tends to fall during a memory leak.

Memory\Committed Bytes: reports the private bytes committed to processes; its value tends to rise during a memory leak.

Memory\Pool Nonpaged Allocs: the number of calls to allocate space in non-paged pool; its value tends to rise during a memory leak.

Memory\Pool Paged Allocs: the number of calls to allocate space in paged pool; its value tends to rise during a memory leak.

Once you identify that the leak is caused by a particular driver, the optimal solution is to update it. If the leak is caused by a faulty application, then it’s better to remove or replace it.

Using Poolmon

Most of the drivers that we use are kernel mode, which means that they are loaded directly into kernel memory (non-paged pool or paged pool). So, a poorly written driver can cause a memory leak by allocating space in kernel memory and then not freeing it.

Each time a driver is loaded into the kernel memory, a pool tag will be assigned to the driver. This pool tag is specific to the driver that is loaded. A pool tag is a four-character literal associated with memory allocation.

Poolmon displays data that the operating system collects about memory allocations from the system’s paged and non-paged kernel pools.

By monitoring allocations associated with particular tags, you can tell which components are allocating memory and, more importantly, which components are failing to free the memory that they allocated, thus causing memory leaks.

Some useful options that can be used with Poolmon are:

P – Sorts tag list by paged, non-paged, or mixed. (Note that P cycles through each one.)

Q – Quit.

Note that the result of Poolmon lists only the pool tags and will not display driver names.
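As an added example (not part of the original article and not Poolmon's own code), the script below compares several saved pool snapshots and reports the tags whose outstanding allocations and bytes grow in every interval. The six-column layout `Tag Type Allocs Frees Diff Bytes`, the tags `Drv1`, `Fil2` and `Net3`, and all numbers are constructed assumptions.

```python
# Constructed snapshots taken some hours apart; simplified layout (assumption).
SNAPSHOTS = [
    """Tag  Type   Allocs   Frees   Diff    Bytes
Drv1 Nonp    12000   11000   1000   512000
Fil2 Paged   90000   89950     50    40960
Net3 Nonp     5000    4990     10     8192
""",
    """Tag  Type   Allocs   Frees   Diff    Bytes
Drv1 Nonp    30000   26000   4000  2048000
Fil2 Paged  180000  179960     40    32768
Net3 Nonp     9000    8990     10     8192
""",
    """Tag  Type   Allocs   Frees   Diff    Bytes
Drv1 Nonp    52000   44000   8000  4096000
Fil2 Paged  260000  259940     60    49152
Net3 Nonp    13000   12990     10     8192
""",
]

def parse_snapshot(text):
    """Return {(tag, pool_type): (outstanding_allocs, bytes)} for one snapshot."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] not in ("Nonp", "Paged"):
            continue  # header, blank line or anything that is not a data row
        allocs, frees, diff, nbytes = map(int, parts[2:])
        if allocs - frees != diff:
            raise ValueError(f"inconsistent row: {line!r}")
        rows[(parts[0], parts[1])] = (diff, nbytes)
    return rows

def leak_suspects(snapshots):
    """Tags whose outstanding allocations AND bytes rise in every interval."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots to see growth")
    parsed = [parse_snapshot(s) for s in snapshots]
    suspects = []
    for key in set(parsed[0]).intersection(*parsed[1:]):
        series = [p[key] for p in parsed]
        if all(b[0] > a[0] and b[1] > a[1] for a, b in zip(series, series[1:])):
            suspects.append((key[0], key[1], series[-1][1] - series[0][1]))
    # Largest byte growth first: that tag is the first one to trace to a driver.
    return sorted(suspects, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    for tag, pool, grown in leak_suspects(SNAPSHOTS):
        print(f"{tag} ({pool}): +{grown} bytes never freed across snapshots")
```

A tag such as `Fil2`, whose outstanding count moves up and down, is normal churn and is not reported; only steady growth in both columns is.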

To find a pool tag that is used by a third-party driver:

1. Change to the system root drivers folder (%SystemRoot%\System32\drivers) at a command prompt.

2. Run the findstr /m /l tag *.sys command.

If you receive multiple files, try to reduce the number of files returned by adding the letter “h” to the tag before you run the search. This is mainly useful when the tag is made up of three letters.

Note: When using pool tag, be sure to run it from the location where the support tools are installed.

Conclusion

A memory leak is a common issue that we come across. Once you identify that the leak is caused by a particular driver, the optimal solution is to update it. If the leak is caused by a faulty application, then it’s better to remove or replace it.

 



2 Comments

  1. Great article. I didn’t realize the difference between non-page pool memory and page pool memory. I thought memory was memory. I guess it makes sense to have paging.

  2. Read your article and opened up poolmon and started tracking the performance. I put in every performance monitor you suggested above and the only one that wasn’t pegged at 100% was Process Page Faults/sec, which was all over the place. It looks like I have a real problem but can’t tell what is actually causing the leak. This issue is running on an MS Windows 2003 Enterprise Edition, SP2 server, 4GB physical RAM. Two processors, 3.0 Mhz. Any ideas where to go from here? If I reboot, all is gone until it happens again.
