

I have had several issues in the past year involving kernel memory leaks, so I decided to write a separate blog post about general kernel memory leak analysis. In this post I mostly use the excellent Sysinternals tools for troubleshooting. You also need Poolmon.exe, a small utility that is currently part of the Windows Driver Kit (WDK). Poolmon.exe is not available as a separate download, so you have to download and install the entire 500+ MiB WDK somewhere and extract it from there. You only have to do this once, though: there is no need to install the WDK on every system you analyze, since you can just copy the executable from the machine where you installed the WDK.

Something is causing the kernel paged or non-paged pool to grow uncontrollably. Screenshot from Process Explorer's System Information dialog:

In this sample, the non-paged pool has grown to an unhealthy 2.2 GB and continues to grow. Even though the pool limit is 128 GiB and the server has a whopping 256 GiB of RAM, the kernel memory pools are usually well below the 1 GiB mark. You should of course baseline this to make sure you actually have an issue, but generally speaking, every time I find a kernel memory value above 1 GiB I go hunting for the cause.

Note: To show the pool limits, you have to enable symbols in Process Explorer. Scott Hanselman has blogged about that here.

Analysis

Kernel leaks are usually caused by a driver. Kernel leaks in the OS itself are very rare, unless you are running some sort of beta version of Windows. To investigate further, you have to fire up poolmon.exe. Some of the keys it understands:

- P – Sorts the tag list by Paged, Non-Paged, or mixed.
- E – Display Paged and Non-paged totals across the bottom.
- T – Sort tags alphabetically by tag name.
- S – Sort tags by the difference between allocs and frees.

The important ones are "P", to view either paged or non-paged pool tags, and "B", to list the tags using the most of that pool at the top. The same view as above, after pressing "P" and "B":

And this screenshot is from the server with the non-paged leak:

As you can see, the LkaL tag is using more than 1 GiB on its own, accounting for half of the pool. The "Cont" tag relates to "Contiguous physical memory allocations for device drivers", and is usually the largest tag on a normal system.

We have identified the pool tag; now we have to look for the driver that owns it. To do that, I use one of two methods:

1: Do an internet search for the pool tag.
2: Use Sysinternals strings together with findstr.

Most kernel mode drivers are located in "%systemroot%\System32\drivers". First you have to start an elevated command prompt. Make sure the Sysinternals suite is installed somewhere on the path, and enter the following commands:

Hopefully, you should now have the name of the offending driver. To gather more intel about it, use Sysinternals sigcheck:

In this case, the offending driver is part of Diskeeper. You have to contact the manufacturer of the offending driver and check for an updated version. In the example, I got a version of Diskeeper without the offending driver, but a good place to start is the manufacturer's website.
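The "baseline it first" advice above is easy to act on from PowerShell. The following script is an added example, not part of the original post: it samples the two kernel pool performance counters a few times, prints the trend, and flags a pool that is over the 1 GiB mark. It assumes Windows PowerShell 3.0 or later; the counter names and the 1 GiB threshold are the only inputs.

```powershell
# Added example, not from the original post: sample the kernel paged and
# non-paged pool counters a few times and report growth, so the "above 1 GiB"
# rule of thumb is backed by a trend rather than a single reading.
# Assumes Windows PowerShell 3.0 or later; the counter names are the standard
# \Memory\Pool Paged Bytes and \Memory\Pool Nonpaged Bytes.

param(
    [int]$Samples    = 6,     # number of readings
    [int]$IntervalS  = 10,    # seconds between readings
    [long]$Threshold = 1GB    # the 1 GiB "go hunting" mark used in the post
)

$counters = @('\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes')

function Get-PoolSample {
    # Returns one object with both pool sizes in bytes plus the sample time.
    $s  = Get-Counter -Counter $counters
    $np = ($s.CounterSamples | Where-Object { $_.Path -like '*nonpaged*' }).CookedValue
    $pp = ($s.CounterSamples | Where-Object { $_.Path -like '*pool paged*' }).CookedValue
    [pscustomobject]@{ Time = $s.Timestamp; NonPaged = [long]$np; Paged = [long]$pp }
}

$readings = @()
for ($i = 1; $i -le $Samples; $i++) {
    $r = Get-PoolSample
    $readings += $r
    '{0:HH:mm:ss}  NonPaged {1,8:N0} MiB   Paged {2,8:N0} MiB' -f $r.Time, ($r.NonPaged / 1MB), ($r.Paged / 1MB)
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalS }
}

# Growth between the first and last reading, in MiB per minute. A pool that is
# large but flat is a baseline; a pool that keeps climbing is a leak candidate.
$first   = $readings[0]
$last    = $readings[-1]
$minutes = ($last.Time - $first.Time).TotalMinutes
foreach ($pool in 'NonPaged', 'Paged') {
    $delta = $last.$pool - $first.$pool
    $rate  = if ($minutes -gt 0) { $delta / 1MB / $minutes } else { 0 }
    $flag  = if ($last.$pool -gt $Threshold) { 'ABOVE 1 GiB - investigate with poolmon' } else { 'ok' }
    '{0,-8} now {1,8:N0} MiB, growth {2,7:N1} MiB/min  [{3}]' -f $pool, ($last.$pool / 1MB), $rate, $flag
}
```

Run it once on a healthy system of the same role to learn what "normal" looks like there; the interesting signal is the growth rate, not the absolute size, because a server doing heavy I/O can legitimately sit above 1 GiB and stay there.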

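For the "strings together with findstr" step, here is an added example (mine, not the post's own commands) that does the same search natively and then hands each hit to sigcheck. It assumes an elevated prompt, sigcheck.exe from the Sysinternals suite on the path, and that the tag is passed the way poolmon displays it (LkaL in the post). The pooltag.txt path is an assumption about where the Debugging Tools for Windows are installed; the function name Find-PoolTagOwner is mine.

```powershell
# Added example, not from the original post: find which driver embeds a pool
# tag, then pull version and signer details for it with Sysinternals sigcheck.
# Assumes an elevated prompt, sigcheck.exe from the Sysinternals suite on PATH,
# and a tag written the way poolmon shows it (LkaL in the post's case).
# Tags are written reversed in C source ('LakL'), but are stored in the binary
# as the four bytes poolmon displays, so a plain byte search for "LkaL" works.

param(
    [Parameter(Mandatory)][string]$Tag,
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    # Optional: pooltag.txt from the Debugging Tools for Windows "triage" folder.
    # This path is an assumption; adjust it to your installation.
    [string]$PoolTagTxt = "$env:ProgramFiles\Windows Kits\10\Debuggers\x64\triage\pooltag.txt"
)

if ($Tag.Length -ne 4) { throw "Pool tags are exactly four characters (got '$Tag')." }

# Microsoft documents its own tags in pooltag.txt; a hit there points at a
# Windows component rather than a third-party driver.
if (Test-Path $PoolTagTxt) {
    $known = Select-String -Path $PoolTagTxt -Pattern ('^\s*' + [regex]::Escape($Tag) + '\s') -CaseSensitive
    foreach ($k in $known) { 'Documented Microsoft tag: ' + $k.Line.Trim() }
}

function Find-PoolTagOwner {
    # Scans every .sys under $Dir for the raw tag bytes. This is the same idea as
    # the post's "strings | findstr" method, done natively; the case-sensitive
    # ordinal search keeps false positives down, but a four-byte sequence can
    # still occur by chance, so treat every hit as a lead, not proof.
    param([string]$Dir, [string]$Tag)
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char mapping
    Get-ChildItem -Path $Dir -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            if ($text.IndexOf($Tag, [System.StringComparison]::Ordinal) -ge 0) { $_ }
        }
}

$hits = @(Find-PoolTagOwner -Dir $DriverDir -Tag $Tag)
if ($hits.Count -eq 0) {
    "No driver under $DriverDir contains '$Tag'. Try an internet search for the tag, or"
    "check drivers loaded from other directories (driverquery /v lists their paths)."
    return
}

foreach ($drv in $hits) {
    "`n== $($drv.FullName) =="
    # sigcheck -a: extended version info (product, description); -q: no banner.
    & sigcheck.exe -accepteula -a -q $drv.FullName
}
```

The sigcheck output is what tells you who to call: the product and company fields identify the vendor (Diskeeper in the post's case), and an unsigned or expired-signature driver is worth noting when you open the support case. Not every driver lives under System32\drivers, so when the search comes up empty, take the paths from driverquery /v before concluding the tag belongs to Windows itself.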