Over the years the NTDebugging Blog has published a number of articles about pool memory and pool leaks. However, we haven't taken a comprehensive approach to understanding and troubleshooting pool memory consumption. This upcoming series of articles will tackle pool leaks from the basics to advanced troubleshooting techniques. All the examples will use the Windows Sysinternals tool NotMyFault to generate a leak so our readers will be able to reproduce the described behavior and repeat the troubleshooting steps.
We need to start by understanding what pool is and how it is used. Pool is virtual memory that is used by drivers in much the same way user mode applications use heap. A driver developer calls ExAllocatePoolWithTag to obtain a block of memory that can be used in much the same way a user mode programmer would use memory returned by HeapAlloc or malloc. The memory manager, which is responsible for managing pool, is able to efficiently handle small allocations by taking a page of virtual memory (typically 4KB) and breaking it into smaller blocks. The memory manager is also able to allocate pool in blocks larger than a page. There are two types of pool a developer can request from ExAllocatePoolWithTag: paged pool and nonpaged pool. As the names suggest, one type of pool memory can be paged out, and the other cannot be paged. Paged pool is used for most allocations; nonpaged pool is used for memory that will be written or read at an IRQL of DISPATCH_LEVEL or above.
Pool leaks happen when a driver calls ExAllocatePoolWithTag but never calls the corresponding ExFreePool or ExFreePoolWithTag routine. A leak is different from simply high memory usage, which may occur under normal conditions as load increases. For example, the srv.sys driver creates work items for incoming requests, and when there is a large amount of SMB traffic to a server the pool consumption from srv.sys may increase to handle this traffic. Typically the distinction between a leak and high memory consumption due to load is that a leak never decreases. Memory usage that is load related should decrease when the load is reduced. Monitoring is required to differentiate between these two scenarios. Performance Monitor (aka perfmon) is typically the best tool to begin such an investigation.
The symptom of a pool leak is often poor system performance when the system runs out of pool, or on 64-bit systems the pool may begin to consume a large amount of the available memory. This symptom makes perfmon an ideal tool to begin troubleshooting, as it can be used to identify a wide variety of potential causes of poor performance. Perfmon is most useful when it is started before a system enters a state of poor performance, so that trend data can be reviewed leading up to the problem.
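The leak-versus-load distinction described above can be checked mechanically once a perfmon log has been exported to CSV. This is an added example, not code from the original article: it parses a constructed sample in perfmon's CSV layout and flags any counter that gives back less than 10% of its rise. The machine name SRV01, the sample values and the 10% threshold are assumptions.

```python
import csv
import io

# Constructed sample (not from the article): a perfmon log exported to CSV,
# sampled every 5 minutes. A blank cell is a sample perfmon failed to collect.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\SRV01\Memory\Pool Paged Bytes","\\SRV01\Memory\Pool Nonpaged Bytes"
"03/01/2024 10:00:00.000","100000000","50000000"
"03/01/2024 10:05:00.000","140000000","58000000"
"03/01/2024 10:10:00.000","180000000","66000000"
"03/01/2024 10:15:00.000","150000000","74000000"
"03/01/2024 10:20:00.000","110000000","73000000"
"03/01/2024 10:25:00.000","160000000"," "
"03/01/2024 10:30:00.000","120000000","90000000"
"03/01/2024 10:35:00.000","105000000","98000000"
'''

def load_counters(text):
    """Return {counter name: [samples]} from perfmon CSV text, skipping blank cells."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    # Drop the \\MACHINE prefix so the key is just \Object\Counter.
    names = ["\\" + h.lstrip("\\").split("\\", 1)[1] for h in header[1:]]
    series = {name: [] for name in names}
    for row in rows:
        for name, cell in zip(names, row[1:]):
            if cell.strip():
                series[name].append(float(cell))
    return series

def classify(samples, tolerance=0.10):
    """Heuristic: what fraction of the counter's rise was ever given back?"""
    first, peak, worst_drop = samples[0], samples[0], 0.0
    for value in samples:
        peak = max(peak, value)
        worst_drop = max(worst_drop, peak - value)  # largest fall from a running peak
    rise = peak - first
    if rise <= 0:
        return "flat"
    # A leak never meaningfully decreases; load-related usage falls when load does.
    return "leak-suspect" if worst_drop / rise < tolerance else "load-related"

def report(text):
    """Classify every counter in the log that has at least one sample."""
    return {n: classify(v) for n, v in load_counters(text).items() if v}

if __name__ == "__main__":
    for name, verdict in report(SAMPLE_CSV).items():
        print(f"{name}: {verdict}")
```

A "leak-suspect" verdict only means the counter never came back down during the logged window; a log that spans a period of reduced load is needed before treating it as a leak.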
You can use the commands below from an elevated command prompt to collect perfmon data in such a scenario.