tl;dr: Download all 5 files from FindZombieHandles, run it, and see which process is creating all those zombies.
You were correct to notice this issue.1
There's a few common causes:
- A handle leak, especially of GDI objects
- A handle leak, resulting in zombie processes
- Driver locked memory, which can be due to a buggy driver or even normal operation (e.g. VMware ballooning will intentionally "eat" your RAM to try to balance it among VMs)
Getting more info
Now the first thing we can do is use the excellent RAMMap tool, which will identify the broad categories that the memory usage falls under. These do not necessarily tell you what it was, but do give you a suggestion of where to look next.
In your particular case, I refer back to the screenshot you provided. You want to look at the
Active column — the
Standby column includes caches that fall under "available" memory. Notice
Page Table is very high — I would expect it to be in the ballpark of under 512 MB, not well over 2 GB!
Narrowing it down
From here we can guess: it is probably due to zombie processes. A zombie process can occur in Windows when one process launches another, which holds a handle to the launched process. When the launched process exits, the launching process is expected to release those handles. When that fails to happen, they stay around as long as the launching process exists.
We can actually get further confirmation on the Processes tab of RAMMap. Notice in your case, sorting by process name, the thousands of
tasklist.exe and hundreds of
powershell.exe instances hanging around. In fact, anything there with Private memory usage of
0 K is a red flag of a process that has ended but is still zombieing around.
Now, you need to figure out which process is creating all these zombies. There's a few ways you can do this. You can use Task manager on the Details tab and add the Handles column. Any process holding a large number of zombies will also have an excessive number of handles open. You can also use Process Explorer to look at what handles a specific process has open.
However, by far the easiest way is to use FindZombieHandles2 (you need to download all 5 files into the same directory). If you run this tool (as admin) it should tell you which process is creating and holding all these zombies. From there, you can kill the process, uninstall the application or report it to the developer.
1 As I have explained elsewhere, the Task Manager's Processes tab displays memory usage excluding disk caches so the common (Linux) explanation of "free RAM is wasteful" usually does not apply. As far as the Task Manager is concerned, the disk cache is part of available memory. No mention is made of "free" memory.
2 A huge thanks to Bruce Dawson for this tool.