I want to know what this means. Does it mean that the file driver is
allocating some memory that is leaking, or does it mean that FILE handles are
leaking?
Please advise on how to proceed on this issue from here. My plan is to use
gflags to enable "Create kernel mode stack trace database" and then analyze
the !htrace information taken periodically.
Is there a way to find out which process has allocated how many handles in a
given time interval, so that we can in parallel also narrow down the user
mode components that might be responsible for the file memory leak?
Scanning large pool allocation table for Tag: File (85415000 : 85495000)
Searching NonPaged pool (80000000 : ffc00000) for Tag: File
8426a280 size: a8 previous size: 40 (Allocated) File (Protected)
8429f618 size: a8 previous size: 10 (Allocated) File (Protected)
8429f758 size: a8 previous size: 40 (Allocated) File (Protected) <<<<<
Pick one pool allocation, and do the standard offsetting
1: kd> dt nt!FILE_OBJECT 8429f758+28
+0x000 Type : 5
+0x002 Size : 128
+0x004 DeviceObject : 0x849a6030 _DEVICE_OBJECT
+0x008 Vpb : 0x849a6598 _VPB
+0x00c FsContext : 0x888bed80
+0x010 FsContext2 : 0x888beed8
+0x014 SectionObjectPointer : 0x849c9ea4 _SECTION_OBJECT_POINTERS
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x144042
+0x030 FileName : _UNICODE_STRING
"\ProgramData\Microsoft\MF\Active.GRL"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x2de4
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
+0x070 IrpListLock : 0
+0x074 IrpList : _LIST_ENTRY [ 0x8429f7f4 - 0x8429f7f4 ]
+0x07c FileObjectExtension : (null)
Pick the device object for the file
1: kd> !devobj 0x849a6030
Device object (849a6030) is for:
HarddiskVolume2 \Driver\volmgr DriverObject 84814190
Current Irp 00000000 RefCount 1978 Type 00000007 Flags 00001150
Vpb 849a6598 Dacl 86fc12c4 DevExt 849a60e8 DevObjExt 849a61e0 Dope 849a6530
DevNode 849a3cc8
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
AttachedDevice (Upper) 849aa020 \Driver\volsnap
Device queue is not busy.
1: kd>
My take is that there is a Winsock handle leak (the device should be AFD.sys)
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
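An added example, not part of the original thread: a Python sketch that compares two saved captures of the pool search output shown above, lists the File-tagged blocks that appear only in the later capture, and prints the dt command used by hand in the thread for each one. The function names and the second capture are assumptions made for this example; the 0x28 offset is the one used in the thread and is specific to that build.

```python
import re

# One pool-search hit as it appears in the thread, e.g.:
#   8429f758 size: a8 previous size: 40 (Allocated) File (Protected)
HIT = re.compile(
    r"^\s*([0-9a-fA-F]{8,16})\s+size:\s*([0-9a-fA-F]+)\s+previous size:\s*"
    r"[0-9a-fA-F]+\s+\((Allocated|Free)\s*\)\s*(\S+)")

# Offset used in the thread (8429f758+28) to reach the FILE_OBJECT on that
# 32-bit build; treat it as build-specific, not as a constant.
FILE_OBJECT_OFFSET = 0x28

def parse_poolfind(text, tag="File"):
    """Return {address: size_in_bytes} for allocated blocks carrying `tag`."""
    blocks = {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m and m.group(3) == "Allocated" and m.group(4) == tag:
            blocks[int(m.group(1), 16)] = int(m.group(2), 16)
    return blocks

def growth(earlier, later):
    """Blocks present only in the later capture: candidates for leaked objects."""
    # Heuristic: a block freed and re-allocated at the same address is missed.
    return {addr: size for addr, size in later.items() if addr not in earlier}

def dt_commands(blocks):
    """Debugger commands to inspect each candidate, as done by hand in the thread."""
    return [f"dt nt!FILE_OBJECT {a:08x}+{FILE_OBJECT_OFFSET:x}" for a in sorted(blocks)]

# First capture: the hits quoted in the thread.
SNAPSHOT_1 = """\
Searching NonPaged pool (80000000 : ffc00000) for Tag: File
8426a280 size: a8 previous size: 40 (Allocated) File (Protected)
8429f618 size: a8 previous size: 10 (Allocated) File (Protected)
8429f758 size: a8 previous size: 40 (Allocated) File (Protected) <<<<<
"""
# Second capture: constructed for this example (two extra blocks).
SNAPSHOT_2 = SNAPSHOT_1 + """\
842a1040 size: a8 previous size: 40 (Allocated) File (Protected)
842a10e8 size: a8 previous size: a8 (Allocated) File (Protected)
"""

if __name__ == "__main__":
    new = growth(parse_poolfind(SNAPSHOT_1), parse_poolfind(SNAPSHOT_2))
    print(f"{len(new)} new File blocks, {sum(new.values())} bytes")
    print("\n".join(dt_commands(new)))
```

File names that keep recurring among the new blocks, read from the FileName field of each dt output, point at the component that is opening files without closing them.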
"Anubhav" <Anu...@discussions.microsoft.com> wrote in message
news:D256749C-3A5A-4D49...@microsoft.com...