0

I am having some issues with my memory usage since a few days (maybe since the last Windows update I did if I remember correctly) where my memory slowly fill up to the 16 GB capacity over the course of the day.

It starts normally using around 1.5GB / 16GB and then increases by like 1GB per hour to get some abnormal stuff like 14GB used after a day, at which point I have to reboot to "clear" the memory.

I already tried a few things to try to find the issue but I can't seem to be able to find what causes this, here is more information:

Poolmoon which seems to show that the "Tag" responsible for the memory usage increase is Toke and Proc (MmSt and CM31 staying around 2GB all day):

enter image description here

RamMap memory usage:

enter image description here

Task manager Processes tab:

enter image description here

Task manager Memory tab:

enter image description here

  • Please try to stop or disable the service wuauserv and see if this helps. (win+r -> services.msc -> Windows Update) – A1985 Sep 11 '15 at 12:31
  • Short explanation to my previous comment: Sometimes Windows Update floods your RAM. I recently have seen this on a Win7 Machine of my company. wuauserv by default is starting with a delay, what would explain why your PC works normally in the beginning. As soon as you stop that service (you can do this also from the task manager) your RAM should be released. For Win7 there has been a Hotfix, not sure about Win8/10. – A1985 Sep 11 '15 at 12:35
  • Thanks for the answers but wuauserv (Windows Update service) was already stopped and his startup type was "Manual" – Bodeo Sep 11 '15 at 12:38
  • Have you updated any drivers lately? – Spokey Sep 11 '15 at 12:44
  • Most of the displays you posted do not indicate a problem. I see 5.5 GB in use, 326 MB in nonpaged pool. (Paged pool is not a permanent usage; it doesn't count.) Did you take these well before you reached all 16 GB "in use"? Does the "Diff" of "Proc" objects (processes) increase incessantly? If so, that's a problem - something is creating processes, the processes are exiting, but (most likely) the creator never closes the handle so the process object is never freed. Let's see Task Manager for all processes and sort by the Handles column. Process Explorer can of course show this too. – Jamie Hanrahan Sep 11 '15 at 12:58
1

The memory usage doesn't come from a too large pool usage (althoug 800 is still a bit to high). It comes from 1.6GB of Page Table and a bit to high NTFS metadata.

This is hard to debug. I tried it last year, but it never shows good result. You have to stop some tools until you find the one that causes it.

The Proc tag is used by RzSurround (sound driver?) and the CM31 to load registry hives.

  • Hm. The Proc tag is supposed to be for Process objects - see pooltag.txt. If this "RzSurround" driver is using it, they're breaking the rules. – Jamie Hanrahan Sep 11 '15 at 18:17
0

The "Toke" tag is the Intel Wi-fi driver, ensure you have the latest driver from the vendor.

To find the culprit driver that is leaking non paged pool memory, open cmd.exe and navigate to c:\windows\system32\drivers and run:

findstr /m /l /s Proc *.sys

Which will probably output too many results as proc is a common driver pe phrase,

You could try a WPT trace as seen in: Windows 8 out of memory over time: Toke Paged consuming over 5GB

  • On my desktop I have plenty of "Toke" objects and no Intel Wi-Fi driver. - no WiFi of any sort, in fact. pooltags.txt shows that "Toke" is an access token - the thing associated with processes (and sometimes threads) that defines your security ID, your group IDs, etc. When you create a process it normally inherits a copy of your own access token. The fact that the Proc and Toke counters are very close to the same is consistent. Of course, since tokens are in paged pool, they do not permanently occupy RAM (unless one has foolishly removed the pagefile). But process objects do. – Jamie Hanrahan Sep 11 '15 at 13:00
  • Thanks for the suggestion, I'm copying the answer I gave in another comment : The findstr command is indeed giving me too many .sys files (~50-100) and I'm not sure on how to interpret the results given to me by WPT : i.imgur.com/mGsk3ls.png since the "Size" column is only showing 224MB used for the Proc tag with the only thing listed being cmd.exe, RzSurround and some kernel specific dlls – Bodeo Sep 11 '15 at 14:40
  • @Bodeo - Output the list to a file. Go through the list and exclude any Microsoft files. Once you do that go through the list and prevent Windows from loading the file at startup ( Autoruns ) until the behavior stops. It is extremely unlikely given the amount of people using Windows, the bug, would exist in a Microsoft driver. – Ramhound Sep 11 '15 at 16:11
0

Actually fixed the issue by simply uninstalling the Razer surround process (Sound driver) after seeing RzSurroundVADStreaming.dll in the WPT Graph.

Memory is stable after a 20 hours uptime around 2GB used.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged or ask your own question.