how to interpret poolmon output, 'Proc' tag.

Samuel Stanojevic

Hi,

I'm running Windows XP Professional SP2, up-to-date with Windows Updates.

I've recently noticed that my non-paged kernel memory is leaking at a steady
pace of 10Mb+/day. If I don't reboot my machine every few days, it eventually
and inevitably grinds to a halt, forcing me to reboot it.

By searching on the web, I realized I needed to run poolmon.exe to debug the
leak, which I did. The output of poolmon clearly shows that the leaking tag
is 'Proc'. But what is 'Proc'? I have no idea.

Can someone please explain to me what the 'Proc' tag means, and how I can
use that information to track down the cause of the leak?

Thanks!
Sam
 
Pegasus (MVP)

The Windows Task Manager might tell you.
 
Samuel Stanojevic

Hi Pegasus,

I assume you mean that I should be looking at the 'NP Pool' column of the
Task Manager and see if any process has a high value. I have tried that, but
the highest value I've found for any given process is 200 Kb, and the totals
for all processes do not top the 1 Mb. Meanwhile poolmon is showing that the
'Proc' tag is leaking in the tens of Megabytes.

Any other suggestions?

Regards,
Sam
 
Pegasus (MVP)

I would look for two things in the Task Manager:
a) If there was a process called "Proc";
b) Which process keeps increasing its "Memory Usage".
 
levitation

Hello Samuel.

Please ignore the previous answers, they do not know what they are
talking about.

The owners of pool tags are not visible in task manager.
Currently I'm investigating how to find the driver/process that
causes the pool with the "Proc" tag to increase.
Usually it is simple - every driver has its own set of pool tags, so
you just need to search the drivers folder for the corresponding string.
But the "Proc" tag belongs to Windows itself. So it is obvious that the
culprit is some other software, which just requests Windows to reserve
memory under the "Proc" pool tag.

I have the same problem as you. Did this problem of Yours start just
recently? Did You install any updated drivers recently?

Roland
 
levitation

One more thing. It might help you if you disable any scheduled or
otherwise reoccurring tasks.
The Proc tag leaks, at least in my case, always when a new process
starts (it does not restore itself after closing the process). For
usual daily activities with a few programs, it's so small that you won't
notice. But when some process starts and stops repeatedly in a
scheduled manner, this leak accumulates faster.
 
amarty

I'm having the same problem. We run 4 processes through our
application task scheduler every 10 seconds and I see a kernel memory
leak caused by the Proc tag pool, forcing us to reboot the server every 2
days.
Another weird thing is the process identifier (PID) in the Task Manager
for new processes: the number is around 250.000 and growing.
 
levitation

Three bits of information.
1a) You might get a temporary remedy by increasing the nonpaged pool under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
by changing the value of NonPagedPoolSize. But as far as I understand,
the minimum nonpaged pool size is actually 128MB. When you increase
this parameter, the maximum reserved area for nonpaged pool will
increase a bit too. How the numbers are related, I do not know. It is
possible to monitor the sizes of reserved nonpaged and paged pool
areas with Process Explorer, when debug symbols are installed, under
the System Information menu item.
1b) In my case there is also a leak in the paged pool, under pool tag
"Toke", which means "Token objects". So You may need to increase the
maximum of paged pool too, in case it gets depleted too. I won't
describe the registry changes here much longer unless You ask for it.
There are other issues that need to be taken into account when changing
these parameters. For example "System Page Table Entries" may become
low, but it is possible to monitor it with performance.msc and if
necessary it is possible to find a new reasonable configuration.
2) What was recently changed on my computer is the following: 1)
installed the newest ATI video card driver, 2) installed RATT and
kernrate, 3) installed some usual MS hotfixes. But my previous last
reboot was a month ago, so there might have been more changes during
that month; changes that I am not aware of right now. Anyway, before
my previous last reboot this problem did not occur; it's a very recent
development which has been manifesting since the reboot last weekend.
3) PIDs may sometimes be large. When they are, they start being
systematically large, not only a few of them. I have seen it too. It
seems to occur seldom, but randomly, even when no other bad things are
manifesting. Still there may be some relation, because right now my
PID numbers are in the 100'000s too.
 
levitation

In case there are any MS or ATI or other company's driver developers.
:cool: Please note.
The size of the leak is for every new process 664 bytes. I tried it
repeatedly on different days with starting notepad.exe and cmd.exe
applications. So whoever is behind this leak, You may well easily
check out the following: which of your drivers monitors for new
processes and has some data structures of 664 bytes?
 
Samuel Stanojevic

Hi Roland,

I haven't been getting my notifications from this thread, so I hadn't
realized you had responded.

Your problem is definitely very very similar to mine.

I indeed also have a leak associated with the 'Toke' tag in the paged pool.
And I also see that the leak gets worse every time I run a new process.

I can't say for sure when my problem started because unfortunately I was
forced to reformat/reinstall my computer at the end of March because of hard drive
failure. My problems started happening right after I reinstalled everything.

I do also have an ATI card (Radeon 1650x series to be exact), and I probably
ended up installing a newer driver version as a result of the reinstall, but
I can't find any specific info that points towards that being the problem.

I have tried uninstalling my anti-virus recently based on some
recommendations I found on the web, but that was not it.

So I am still looking at this problem once in a while, hoping that I
magically stumble on the right solution. In the meantime, I monitor my memory
and reboot my computer regularly.

If there is any info I can provide that will help, let me know.

Sam
 
MWimmer

Hi there!

I've a similar problem on XP 64 Bit (with Matrox 650).
Every start of a process increases
- Toke (paged) by 1136 Bytes
- Proc (nonpaged) by 1056 Bytes
- SeTd (paged) by 112 Bytes
- SeTd (nonpaged) by 128 Bytes.

Using the driver verifier (system32/verifier.exe) did not reveal any driver
consuming this memory, but when Windows is started in Safe Mode, the pool
memory depletion disappears.

!stacks in windbg reveals that there are still entries for every process
started and terminated in the past but I don't know how to find out who is
responsible for that. It seems, the system does not clean up the information
about terminated processes but why?
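
The per-process figures quoted in this thread can be measured by diffing two poolmon snapshots taken before and after a known number of process launches. The Python below is an added example, not part of the original thread: the snapshot column layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) is an assumption, the sample rows are constructed (only the per-allocation sizes come from the post above), and `parse_snapshot` and `leak_per_launch` are hypothetical names.

```python
# Constructed samples in the column layout assumed for a poolmon snapshot:
# Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc. Counts are illustrative.
BEFORE = """\
 Tag  Type     Allocs       Frees      Diff     Bytes  Per Alloc
 Proc Nonp       5120        5000       120    126720       1056
 Toke Paged      9000        8870       130    147680       1136
 SeTd Nonp       5120        5000       120     15360        128
 SeTd Paged      5120        5000       120     13440        112
 File Nonp     900000      899000      1000    160000        160
"""
AFTER = """\
 Tag  Type     Allocs       Frees      Diff     Bytes  Per Alloc
 Proc Nonp       5220        5000       220    232320       1056
 Toke Paged      9100        8870       230    261280       1136
 SeTd Nonp       5220        5000       220     28160        128
 SeTd Paged      5220        5000       220     24640        112
 File Nonp     950000      949010       990    158400        160
"""

def parse_snapshot(text):
    """Return {(tag, pool_type): (outstanding_allocs, bytes)}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have 7 fields; the header row fails the pool-type check.
        if len(parts) == 7 and parts[1] in ("Nonp", "Paged"):
            tag, pool, _allocs, _frees, diff, nbytes, _per = parts
            # The same tag can exist in both pools (SeTd), so key on both.
            rows[(tag, pool)] = (int(diff), int(nbytes))
    return rows

def leak_per_launch(before, after, launches):
    """Map each tag that kept at least one allocation per launch
    to the bytes it retained per launch."""
    b, a = parse_snapshot(before), parse_snapshot(after)
    report = {}
    for key, (diff_a, bytes_a) in a.items():
        diff_b, bytes_b = b.get(key, (0, 0))
        if diff_a - diff_b >= launches:
            report[key] = (bytes_a - bytes_b) / launches
    return report

if __name__ == "__main__":
    # 100 launches between the two snapshots is an assumed test condition.
    for (tag, pool), per in sorted(leak_per_launch(BEFORE, AFTER, 100).items()):
        print(f"{tag} {pool:<5} {per:.0f} bytes per process start")
```

A busy tag such as the constructed `File` row allocates heavily but frees at the same rate, so it drops out of the report; only tags whose outstanding count tracks the number of launches remain.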
 
MWimmer

for /f "delims=" %f in ('dir /a-d /s /b c:\*.sys') do findstr /m /l SeTd "%f"
returned nothing. The other tokens are used more often. So I think it is a
system issue.
 
romgohan

I probably have the same problem, memory leak while starting/stopping
new processes.
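You can test it by running the following batch file:

@echo off
rem Create a scratch file, then run attrib.exe on it 32767 times.
rem Each iteration starts and ends one new process.
echo hello > foo
for /L %%v in (1,1,32767) do echo %%v & attrib +r foo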

You will see clearly visible memory leak in Task Manager, if it is the
same problem. Unfortunately I do not have a clue what the reason is.
 
MWimmer

Of course it behaves the same on my machine because attrib.exe is called too
often.
The Toke, Proc and SeTd pool memory increase rapidly.

@romgohan: What OS version do you have?
 
romgohan

I have Windows XP SP2, and have had that problem for a few weeks now. I was
unable to identify exactly when it started (not so easy to notice at
the start), so I do not know what I had done then. Now I am considering
installing SP3, but I doubt it will help.
This kind of batch is the best test case I have found: it almost
immediately shows the memory leak problem, if it exists, and works
fine if you do not have it.
 
romgohan

Hi
Just to add to the knowledge, installing SP3 and newest ATI drivers
did not fix the problem.
 
romgohan

I have found on my system that the guilty one was an ATI driver. I
have removed it and installed older one 7.4
and the memory leak is gone.
(I have not tested other, newer driver versions.)
 
levitation

Hi, could You please verify - did You install the driver version 7.4
and the problem was gone??
It is strange, because 7.4 was the latest driver just up until the
day You posted Your message. Now the driver 7.5 is the latest one. You
also said that You have not tested the newer driver versions. I gather
from that that You have not tested driver version 7.5. Therefore You
had to remove driver 7.4 and probably install driver 7.3 to get rid of
the problem.
Your wording is confusing, because the sentence can be read as if You
installed the 7.4 "as the older one" and then got rid of the problem. But
that interpretation conflicts with other facts in Your message.
The main reason I ask is because right now I and perhaps all of us
are using driver version 7.4; it was the latest driver when the
problem started.
Please recheck, what is the driver version You are using now? Is it
7.3 then?
 
romgohan

I think you mixed up the driver numbers: the new drivers are 8.5, and
I previously had 8.4. The older version I installed now, 7.4, is over a year
old.
 