115

A few days ago I updated my PC to Windows 10. However, after some use my PC started to slow down until it was impossible to use – it was due to high memory usage. After a restart, everything came back to normal (total usage around 25% of 8GB of RAM). However, during a few hours of usage the memory builds up again to 70%, and if not restarted it further goes to 100%, and later on even freezes. Task manager does not help very much as it does not show all the processes (added screenshots below). Also tried RAMMap but it gives an error: "error refreshing database". I tried Googling this question, yet without much success.

I do not know much about PCs, but maybe some of you know this issue, or could help to find out what is using my RAM.

RAM usage 1

RAM usage 2

enharmonic
Lukas
  • @AR provide a xperf trace. I need to look at the call stacks to see more. – magicandre1981 Aug 05 '15 at 15:23
  • 3
    I know this thread is solved - but a good first step is to disable hyper-v. that was the culprit in my case. – hypermails Feb 03 '19 at 19:34
  • What was Hyper-V running? – rogerdpack Jul 08 '19 at 05:07
  • @hypermails hyper-v was my issue and using poolmon I still was unable to find the culprit. Disabled hyper-v and everything works fine again (cpu went from 60-90% to 30's). Downside is I cannot run docker at this time but at least my laptop is usable again for other daily activities. – IT_User Jan 12 '21 at 20:15
  • @hypermails Disabling Hyper-V solved my issue too, many thanks. This could be an answer. – Nail May 07 '21 at 09:52

4 Answers

154

You have a memory leak caused by a driver. Look at the high value of nonpaged kernel memory. In your case this is over 3.7 GB. You can use poolmon to see which driver is causing the high usage.

Install the Windows WDK, run poolmon, sort it via P by pool type so that nonpaged is on top and via B by bytes to see the tag which uses the most memory. Run poolmon by going to the folder where the WDK is installed, go to Tools (or `C:\Program Files (x86)\Windows Kits\10\Tools\x64`) and click poolmon.exe.

Now see which pooltag uses most memory as shown here:

enter image description here

Now open a cmd prompt and run the findstr command. To do this, open cmd prompt and type `cd C:\Windows\System32\drivers`. Then type `findstr /s __ *.*`, where `__` is the tag (left-most name in poolmon). Do this to see which driver uses this tag:

enter image description here

Now, go to the drivers folder (C:\Windows\System32\drivers) and right-click the driver in question (intmsd.sys in the above image example). Click Properties, go to the details tab to find the Product Name. Look for an update for that product.

If the pooltag only shows Windows drivers or is listed in pooltag.txt (`C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\triage\pooltag.txt`), you have to use xperf to trace what causes the usage. Install the WPT from the Windows SDK, open a cmd.exe as admin and run this:

```
xperf -on PROC_THREAD+LOADER+POOL -stackwalk PoolAlloc+PoolFree+PoolAllocSession+PoolFreeSession -BufferSize 2048 -MaxFile 1024 -FileMode Circular && timeout -1 && xperf -d C:\pool.etl
```

Capture 30-60s of the growth. Open the ETL with WPA.exe and add the Pool graphs to the analysis pane.

Put the pooltag column in first place and add the stack column. Now load the symbols inside WPA.exe and expand the stack of the tag that you saw in poolmon.

enter image description here

Now find other 3rd party drivers which you can see in the stack. Here the Thre tag (Thread) is used by AVKCl.exe from G-Data. Look for driver/program updates to fix it.


The user Hristo Hristov provided a trace with a high FMfn usage during unzipping files:

enter image description here

The tag is used by the driver WiseFs64.sys which is part of the "Wise Folder Hider" program. Removing it fixes the leak.


The user Samuil Dichev provided a trace with a high FMic and Irp usage:

enter image description here

enter image description here

The tags are used by the program Razer Cortex.

In the sample of the user chr0n0ss the FMic and Irp usage is caused by F-Secure Antivirus Suite:

enter image description here

Removing it and using Windows Defender fixed the issue for him.


Pang
magicandre1981
  • 6
    wow, thanks a lot for such a fast answer to the question that i thought i will never find one :) it seems that network drivers were causing the problem and after updating memory usage seems OK. Thanks again! :) – Lukas Aug 02 '15 at 07:36
  • @Lukas thank you for providing closure by reporting the solution! – Jamie Hanrahan Aug 02 '15 at 08:44
  • @Lukas which driver was it, which driver version have you used and which version fixed it? This may help other users, too. – magicandre1981 Aug 02 '15 at 15:50
  • 3
    This reminds me of a Mark Russinovich blog post. – Sun Aug 05 '15 at 16:18
  • 1
    I think the WDK download link you provide is for Win 8. The version for Win 10 is here: https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx – Travis Bemrose Aug 27 '15 at 19:44
  • the Win8 tools also work for Win10. But thanks for the hint. – magicandre1981 Aug 28 '15 at 04:11
  • 1
    findstr command does not return anything that could help me http://pasteboard.co/2HmQZYbN.png – Loenix Dec 07 '15 at 16:44
  • @Loenix Wfpn is from netio.sys (WFP NBL info container). Run the xperf command and analyze the usage in WPA.exe – magicandre1981 Dec 07 '15 at 16:48
  • I found mine was "xinputhid.sys", but it's from microsoft? what can I do? I'm running windows 10 and getting the "system out of memory" prompt, I upgraded from a windows 7, never got this in win7. – KoKo Aug 25 '16 at 13:35
  • @KoKo capture a xperf trace of the memory usage grow and share it – magicandre1981 Aug 25 '16 at 15:14
  • @magicandre1981 Getting an error when I run your xperf command: http://pastebin.com/E6sYnbJm – KoKo Aug 25 '16 at 16:01
  • @KoKo this must be on one line with no line break – magicandre1981 Aug 26 '16 at 04:17
  • @magicandre1981 ok I replaced the "&&" with ";" and the command worked. Now I opened up the trace file with WPA.exe and loaded symbols, I'm lost on what to do next? I don't see something called AIFO anywhere. This is what I'm looking at: http://i.imgur.com/WNsxgAP.png – KoKo Aug 26 '16 at 16:28
  • @KoKo this is the wrong table. it must be "Pool Graphs" – magicandre1981 Aug 27 '16 at 07:29
  • @magicandre1981 I found "Pool Graphs" now, how did you get the "Type: AIFO"? when I add the "Pool Graphs" to analysis view, I don't get that. – KoKo Aug 28 '16 at 04:11
  • @KoKo do a right click and select "Type" and bring "Type" to the first position (drag & drop) – magicandre1981 Aug 28 '16 at 07:09
  • @magicandre1981 sorry but I have to ask again, what am I right clicking on to be able to "select Type"? I right clicked on a few things but didn't see this option. – KoKo Aug 28 '16 at 16:07
  • @KoKo, click on "open view editor" – magicandre1981 Aug 29 '16 at 03:52
  • I have no Tools folder at `C:\Program Files (x86)\Windows Kits\10` and have installed both the Win 8 and Win 10 versions. I'm on 1703. You guys sure that's what provides poolmon? – rainabba Jun 24 '17 at 23:47
  • Finally found a copy at `C:\Program Files (x86)\Windows Kits\8.1\Tools\x64` – rainabba Jun 25 '17 at 00:01
  • You Sound Like Professional, Thanks A Lot, I found it was Samsung Rapid Mode That was taking that, turned it off. – Suraj Jain Jul 21 '17 at 09:21
  • @SurajJain nice to hear this. which tag was so high in poolmon? – magicandre1981 Jul 21 '17 at 14:47
  • 1
    NDbf Was high, then I found it was sumsungrapiddskfltr or something, I turned it off, it works good now. – Suraj Jain Jul 22 '17 at 04:25
  • @SurajJain have you captured a ETL file via xperf.exe? if yes, can you please share it, so that I can add this to the answer? – magicandre1981 Jul 26 '17 at 16:39
  • No, I was not able to capture, In your case when you expanded Thre there were so many names, But when I expanded mine, It was just null, So i was not able to move forward . – Suraj Jain Jul 27 '17 at 04:22
  • Also, can you correct your sentence "you have use xperf" to "you have to use xperf" . – Suraj Jain Jul 27 '17 at 04:27
  • Also I have few doubts ,Would You if possible chat little with me? – Suraj Jain Jul 27 '17 at 04:32
  • @SurajJain how did you see that the tag belongs to Samsung? Have you only used poolmon + findstr? – magicandre1981 Jul 27 '17 at 15:18
  • Also, checked the driver property to get its name, the driver was samsung rapid mode filter, I searched on the internet, and many were having same exact problem, and some even checked with poolmon, then I turned off the rapid mode. The problem then gets solved, Rapid mode reserves some memory to store ssd data to speed up. – Suraj Jain Jul 28 '17 at 01:15
  • @magicandre1981 this answer is very helpful to me, thank you very much. I followed the steps, I found that the problem was caused by fltMgr.sys(If I did the steps correctly), but I'm not sure what I should do next. could you kindly take a look at my Question at https://superuser.com/q/1263991/160304 and give me some hints if you are free? – SparedWhisle Oct 31 '17 at 03:56
  • This helped us to find out a particular version of "Intel Rapid Storage Technology" is causing memory leaks within one of our clients. After removing, the constant 80% memory usage was solved! – user2924019 Dec 08 '17 at 13:16
  • @user2924019 nice to hear that it helped you to fix your issue – magicandre1981 Dec 08 '17 at 15:37
  • And there you go, "Century"!!! – Abhineet Jun 26 '18 at 05:09
  • Thank you very much, after removing a RAID system of two disks, I found out that about 4 GB more memory used by the drivers and with your information I found out the reason of the problem as "Intel Rapid Storage Technology". Honestly I was thinking the Nvidia drivers were the problem. Disabled it from the BIOS and now I have reclaimed back 2.8 GB. – Serdar Yalçın Nov 17 '19 at 21:09
  • Hi! Sorry for necroposting, but what should I do if I get "n/a" stack? https://imgur.com/a/05PtonK Even after clicking "Trace > Load symbols". Both FMic and Irp tags leak for unknown reason:( – mega.venik Aug 24 '21 at 07:20
  • @mega.venik they were allocated outside the trace so no stack was captured. Expand the part where you see the stack to look for 3rd party drivers – magicandre1981 Aug 24 '21 at 08:23
  • @magicandre1981 but the Root stack is only 0,045 Mb in size - doesn't look like a problem spot. Or how do I find issue there? – mega.venik Aug 24 '21 at 10:53
  • @mega.venik to get larger sizes you would need to trace it longer (you only captured 5 seconds), but this is a good start point. – magicandre1981 Aug 24 '21 at 12:14
  • @mega.venik have you tried to capture a longer trace (3-4 minutes)? What do you see in Stack? – magicandre1981 Aug 27 '21 at 16:39
  • @magicandre1981 sorry for my silly questions, but how do I take longer snapshots? The command above stops working in a second. I've tried to find xperf man, but there's nothing about time. Increasing -MaxFile param also doesn't help – mega.venik Sep 01 '21 at 09:57
  • @mega.venik the command waits for pressing a key to stop. replace the -1 after timeout to 300 to capture 5 minutes – magicandre1981 Sep 01 '21 at 13:13
  • So... this finally let me identify that the cause of the MASSIVE memory leaking plaguing my computer. In my case (as for Samuel), it was caused by the [Razer Cortex](https://www.razerzone.com/eu-en/cortex) program. It was gobbling a ridiculous **15-19GB of physical memory** on my 32gb PC, after having been on for about a month (I put it in sleep mode at night). Uninstalling it reduced the "Nonpaged Pool" in RamMap from 19.8gb to 5.3gb, and it'll likely go lower still after a restart (hence the 15-19gb range). – Venryx Nov 11 '21 at 08:26
  • 1
    By the way, for people who don't want to install the whole Windows WDK just to install poolmon, or who prefer a GUI-based program rather than console-based, you can use [PoolMonX](https://www.majorgeeks.com/files/details/poolmonx.html) instead. Worked great for me, with a small download size and better user-experience. (I got the same high-usage from `FMic` and `Irp` as Samuel did, hence my guessing it was caused by the same Razer Cortex program -- which apparently was correct given the huge memory-usage reduction that its subsequent uninstall achieved.) – Venryx Nov 11 '21 at 08:29
  • Dear @magicandre1981 would you kindly have a look at my WPA [screenshots & zipped ETL](https://pixeldrain.com/l/TFJXoYoc) (captured as described in your answer)? I experience **paged pool** leak growing in `Pp` tag and never released when any audio is playing through built-in speaker on my laptop. PoolMon reports ±122880 bytes grow rate (when invoked via `poolmon.exe /p /p /b`) when sound play. The only thing that helped so far is uninstalling primary audio device (disabling doesn't help even though no audio is actually playing) & I don't use any software components, only bare drivers… – bananakid Feb 26 '23 at 20:05
  • In addition to previous comment: the `strings * | findstr Pp > C:\Output.txt` for my system returns only `C:\Windows\System32\drivers\cht4vx64.sys: Pp` and `C:\Windows\System32\drivers\dxgkrnl.sys: Pp`. [Strings](https://learn.microsoft.com/en-us/sysinternals/downloads/strings) is the tool to lookup tags in drivers. – bananakid Feb 26 '23 at 20:50
  • 1
    @bananakid in the trace the PR usage comes from AppleUSBVHCI.sys. So an USB driver from Apples bootcamp. I never used Apple hw and never used bootcamp so I have no real idea how to fix this. – magicandre1981 Feb 26 '23 at 22:24
  • **Thank you** for looking into this @magicandre1981, I appreciate your expertise **a lot**! Please elaborate on my case: 1) do I read correctly that `ntoskrnl.exe` stacks are in `Pp` tag "by default", `Wdf01000l.sys` is in `Pp` tag because some device driver is actually working and `AppleUSBVHCI.sys` is that driver that's using `Pp`? 2) is the right way to spot that allocated memory pages never released is to turn on `FreeTime` WPA column and see that my pages have `FreeTime` all exactly `9,223,372,036.x` (seconds I guess, so it's 292,47 years, [screenshot](https://pixeldrain.com/l/TfUu3ZyT))? – bananakid Feb 27 '23 at 11:40
  • 1
    WDF stands for Windows Driver Frameworks and the Apple driver is developed with it. From the stack you can see it calls [IoGetDeviceInterfaces](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-iogetdeviceinterfaces) which results in allocating memory. – magicandre1981 Feb 27 '23 at 19:27
  • @magicandre1981 thank you for explanation! After some research I find my second question to be incorrect or the answer may be unknown. Large number in `FreeTime` may represent just memory block was never released during recording and I don't have "healthy" paged pool driver usage data by hand for comparison. Analyzing process leak simulation provides the `FreeTime` of unreleased leak to be the total time of recording using `xperf`, so maybe `xperf` report it differently for drivers or some tags. – bananakid Feb 28 '23 at 12:50
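
The poolmon, findstr and Properties lookup from magicandre1981's answer can be done in one pass from PowerShell. This is an added example, not code from the answer's author: the function name `Find-PoolTagDriver` and its parameters are made up for illustration, it scans only `*.sys` files, and it uses the `FMfn` tag from the answer as sample input.

```powershell
# Added example: map a pool tag (left-most column in poolmon) to the drivers
# that contain it, with the vendor details normally read from Properties > Details.
function Find-PoolTagDriver {
    param(
        # Pool tags are at most 4 characters long.
        [Parameter(Mandatory)][ValidateLength(1, 4)][string]$Tag,
        [string]$DriverPath = "$env:SystemRoot\System32\drivers"
    )

    # Latin-1 maps every byte to exactly one character, so a binary file can
    # be searched as a string without bytes being dropped or merged.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    Get-ChildItem -Path $DriverPath -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            } catch {
                return   # unreadable file (locked or access denied): skip it
            }

            # Ordinal comparison is an exact, case-sensitive match, which is
            # also how findstr behaves by default.
            if ($text.IndexOf($Tag, [System.StringComparison]::Ordinal) -ge 0) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Driver      = $_.Name
                    ProductName = $_.VersionInfo.ProductName
                    Company     = $_.VersionInfo.CompanyName
                    FileVersion = $_.VersionInfo.FileVersion
                    Signer      = $sig.SignerCertificate.Subject
                    Path        = $_.FullName
                }
            }
        }
}

# List third-party candidates first, Microsoft drivers last.
Find-PoolTagDriver -Tag 'FMfn' |
    Sort-Object { $_.Company -like 'Microsoft*' }, Driver |
    Format-Table Driver, ProductName, Company, FileVersion -AutoSize
```

As with findstr, a short tag can match unrelated byte sequences, so treat the output as a list of candidates and confirm the owner with the xperf stack trace.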
30

this guy might have a Killer Networking (previously Bigfoot networking) brand network card.

Was going crazy trying to figure out why I had a massive memory leak and even did a completely clean install and immediately after installing I had a memory leak. Of course I installed my network drivers and video card drivers but that was it.

I searched Google... Found this thread saying it was his network driver then googled "killer memory leak" and saw hits for that and found it was the killer app itself and not just in windows 10.

Now I'm golden... So if anyone else has this issue and they have one of the many gaming boards or laptops that have a killer NIC you can probably just disable the killer app from starting. But what I did was completely uninstall the ASROCK provided driver and then installed the latest driver only package from the official killer networking site. It's the smaller ~30mb download. If your download is closer to or more than 100mb then you got the wrong one.

You'll lose everything that makes the killer stand out (its QoS software) but that's what a good router is for in the first place... Especially since the killer app only handles the QoS of applications running on your PC and does nothing for your network as a whole.

GivMeDew
  • 1
    Would have been better to confirm they did. Once they confirmed it then submit an answer. Even if you did that this answer does not explain how to solve the problem. – Ramhound Oct 18 '15 at 00:38
  • 2
    thanks a lot for you answer. it saved me lots of time. I had the same problem. After reading your answer I just uninstalled Killer app and then only installed the network drivers. Now my windows 10 is working perfectly. – Buju Dec 13 '15 at 14:58
  • 1
    You saved me, thanks!. I uninstalled the whole Killer suite, and only installed the drivers. Now at startup, my ram usage is 25% (2GB) vs 50%~60% before. – nikoskip Dec 27 '15 at 20:13
  • Thank you so much!!! – srchulo Oct 07 '16 at 05:55
  • Yep, same issue for me, years later with an old version installed. Amusingly the company claims to have addressed the issues:"Some users have reported memory leaks with some versions of our performance suite. The current version of the Killer Control Center has no known instance of memory leaks..." https://support.killernetworking.com/knowledge-base/killer-control-center-memory-leaks/ – csrowell Jan 22 '21 at 03:37
3

The accepted answer by magicandre1981 is the correct answer to this problem; if the RAM usage continues to climb to 100% then there's most likely a memory leak.

However, if you've come to this page because Windows 10's memory usage is high but remaining steady (like in the 60%-90% range), you probably don't have a problem. Windows 10 uses RAM more effectively than past versions. This is because unused RAM is wasted RAM.

Modern operating systems have long swapped infrequently used memory data to a pagefile on the hard drive in order to free up RAM for more frequently needed memory data. (My Win 10 system has 8GB RAM and a 12GB pagefile.) However, it is slow to retrieve this data back from the drive, and Windows 10 will compress infrequently accessed memory and store it in the system process (in the RAM). It's faster to uncompress this data than it is to retrieve it from the hard drive (even an SSD). Just because your RAM is mostly full does not mean you won't be able to run more things; if more RAM is needed then Win 10 will move some of this compressed memory to the pagefile to free up RAM for new applications.

If you constantly find your system process is using more than 1GB RAM (like I do) then you probably have too many browser tabs open (like I do). An extension like OneTab can help.

Travis Bemrose
  • 1
    no, the cache is shown as standby/Cached in Taskmgr. The Win10 Taskmgr compression shows as Working Set usage in SYSTEM process. I already explained this here: http://superuser.com/a/952142/174557 – magicandre1981 Jun 06 '16 at 15:25
  • @magicandre1981 What are you saying 'no' to? I don't see a disagreement. – Travis Bemrose Jun 06 '16 at 18:28
  • 1
    I've found that Windows 10 still aims to keep memory usage below 60%, and any more than this it starts to page. We have alerts on 1000+ devices for when memory usage goes above 80% and the PC's really do start to slow down. Windows 10 may manage it better, but it's also better to keep a large portion of memory free, ready for other processes to use when needed, otherwise, it would have to write back to the disk before freeing up memory which is slow. – user2924019 Dec 08 '17 at 13:21
1

Received this answer out of band from "coolie91", posting it here, basically "it could be adware":

Today, I was able to fix it for good by following the instructions in this link:

https://www.bleepingcomputer.com/virus-removal/how-to-remove-adware-on-a-pc

The fix: Basically, a whole bunch of malware and extensions had hijacked common programs and were riding on them, buried deep inside rootkits and all. They were almost impossible to detect and remove.

This seems to have worked for me as my memory still is ~ 41% after running for almost 2 hours (Phew!!!) Before, I had to reboot every 45 minutes.

rogerdpack