
I'm facing a memory leak issue with Windows 10. I've got 4 GB physical memory which is mostly occupied by "nonpaged pool" according to RamMap, which sadly cannot be attributed to any single process. Generally, the processes in task manager don't add up to resource usage of such scale (biggest processes have two-figure MB private memory). And it gets worse with growing uptime. Alas, this computer is running in an industrial environment and normally has to be running continuously. Presently, it locks up every few weeks and has to be reset manually.

As per magicandre1981's detailed answer to this question, I identified the tags FMic and Irp as the main offenders using poolmon (see image).

After using xperf to record a few minutes of data, in Windows Performance Analyzer, the most memory usage under those tags is in the Stack level "n/a" by process "Unknown" (see image).

The memory allocations under both tags consist of 1 KB chunks or smaller, roughly 600 each (FMic, Irp detail).

I think it's beyond dispute that there is a memory leak in this system. What else could I try to isolate the offending process or driver?

Thanks and best regards

Björn

EDIT 2018-07-11: Captured the following using WPA.

Highest level showing 350 MB spent by one path

Expansion yields two 100 MB offenders

Expanding the first shows many small allocations

If the detail isn't deep enough, I can provide the ETL after a little setup work (two days download link).

The offending processes seem to be from "F-Secure Client Security" (memory leak?). Can I do anything else about it, other than complaining to F-Secure?

EDIT 2018-07-16: After removing F-Secure (using Windows Defender now) several days ago, the nonpaged pool is stable at about 200 MB. Problem solved, it seems.

chr0n0ss
  • expand the Stack entry [Root] for the tag. N/a means grow did not happen during capturing so no stack. – magicandre1981 Jun 28 '18 at 18:44
  • Unfortunately, the [Root] entries are small enough altogether. So, if I understand right, I'd just have to capture longer to get meaningful entries under root? Thanks, I'll try that. – chr0n0ss Jun 29 '18 at 05:13
  • [download this WPRP file](https://www.dropbox.com/s/886sft1bgc1re34/PoolTagLeak_FMic_IRP.wprp?dl=0) run **wpr -start C:\PoolTagLeak_FMic_IRP.wprp**. capture 5-6 minutes and run **wpr.exe -stop C:\pool.etl**. This only captures stacks of the 2 tags, so the file is smaller and you can run it longer. – magicandre1981 Jun 29 '18 at 14:43
  • Many thanks for the profile. A few minutes of capture didn't enlighten me much, I'm currently trying to run it longer. From RamMap, it seems the nonpaged pool grows between 50...100 MB per hour; I'd suppose a longer capture may make a clearer picture. – chr0n0ss Jul 03 '18 at 08:39
  • A 50 min capture shows no apparent "violator"; trying a longer capture. – chr0n0ss Jul 05 '18 at 05:27
  • this should include enough data. show a picture or share the (zipped) ETL. – magicandre1981 Jul 09 '18 at 15:40
  • Thanks for bearing with me. I've had the capture running for about two days, yet the ETL file seems to contain less. Adding the images to the question. – chr0n0ss Jul 11 '18 at 13:37
  • ok, you found the cause. It is the F-Secure Management Agent dll. So update F-Secure and if this doesn't help, remove it. if the issue is gone, report it to support and try a different 3rd party Antivirus suite if Defender is not enough for you. – magicandre1981 Jul 11 '18 at 15:40
  • Great, thanks again for the help! F-Secure is company policy -- I'll raise an internal ticket and ask them to forward it to F-Secure. I'll report back if I hear news. – chr0n0ss Jul 12 '18 at 05:21
  • do other devices in your company suffer the same issue if all use F-Secure? – magicandre1981 Jul 12 '18 at 13:51
  • IT wasn't entirely sure about the chance of success if they complain to F-Secure. The thing is, this PC is used as a "bridge" between an internet-coupled LAN and a production plant LAN. The only thing it really does is execute VNC -- for about ten users. Most of them stay logged on when closing their session, so typically you could see several F-Secure clients running in parallel, but only one service. Maybe the service couldn't cope with that. As no user has physical access, IT decided to remove F-Secure and use Windows Defender. Thanks again for the help! :) – chr0n0ss Jul 16 '18 at 05:32
  • By the way, to answer your question: no, we haven't seen this kind of issue on any other device. But most devices still use Windows 7. This is the first Windows 10 device I personally saw. IT didn't seem to know the issue either. – chr0n0ss Jul 20 '18 at 09:41
  • ok, seems to be an issue with the special purpose of the device. I marked the topic as duplicate and added your case in the topic so that other users see the solution easier. – magicandre1981 Jul 21 '18 at 17:27
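
Added example (not part of the original question or comments): before committing to a long stack capture, two text snapshots of the per-tag pool table taken some hours apart can be diffed to confirm which nonpaged tags are actually growing and how fast. The column layout (Tag, Type, Allocs, Frees, Diff, Bytes), the function names and the snapshot values are assumptions constructed for illustration; adjust the pattern to the tool output you have.

```python
import re

# Assumed row layout: Tag, Type (Nonp/Paged), Allocs, Frees, Diff, Bytes.
ROW = re.compile(r"^\s*(\S{1,4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_snapshot(text):
    """Return {tag: (outstanding_allocs, bytes)} for nonpaged rows only."""
    pool = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) == "Nonp":
            pool[m.group(1)] = (int(m.group(5)), int(m.group(6)))
    return pool

def rank_growth(before, after, hours, min_bytes=1 << 20):
    """Tags whose nonpaged bytes grew by at least min_bytes, fastest first.

    Each result is (tag, bytes_per_hour, new_outstanding_allocs). A tag that
    is absent from the first snapshot counts as growing from zero.
    """
    old, new = parse_snapshot(before), parse_snapshot(after)
    grown = []
    for tag, (allocs, size) in new.items():
        old_allocs, old_size = old.get(tag, (0, 0))
        delta = size - old_size
        if delta >= min_bytes:
            grown.append((tag, delta / hours, allocs - old_allocs))
    return sorted(grown, key=lambda r: r[1], reverse=True)

# Constructed snapshots taken two hours apart (values are illustrative).
SNAP_T0 = """\
 Tag  Type     Allocs      Frees     Diff      Bytes
 FMic Nonp     812000     700000   112000   94371840
 Irp  Nonp    5400000    5310000    90000   73400320
 Ntfx Nonp      90500      88000     2500     838860
 MmSt Paged    410000     400000    10000   52428800
"""
SNAP_T1 = """\
 Tag  Type     Allocs      Frees     Diff      Bytes
 FMic Nonp     990000     790000   200000  178257920
 Irp  Nonp    5650000    5490000   160000  136314880
 Ntfx Nonp      91000      88450     2550     859832
 MmSt Paged    600000     500000   100000  157286400
"""

if __name__ == "__main__":
    for tag, rate, allocs in rank_growth(SNAP_T0, SNAP_T1, hours=2):
        print(f"{tag:<4} +{rate / 2**20:6.1f} MiB/h  +{allocs} outstanding allocations")
```

Tags that keep appearing at the top across several snapshot pairs are the ones worth a tag-filtered stack capture.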
