My name is Jeffrey Worline, and I am a Senior Support Escalation Engineer on the Windows Performance Team at Microsoft. This blog addresses how to troubleshoot unaccounted memory usage or leak to include identifying and data collection.
If you already determined the process consuming memory, check out my previous blog post: Memory Leaks in a Process
When large amount of RAM is being used by not accounted for in task manager or resource manager. How do we find or account where that mystery memory is being used? RAMMap from Sysinternals is the tool needed for the job.
Areas of interest would be the following rows to check for high memory consumption to account where the rest of your memory is being used.
If you have a memory leak and get to the point of almost running out of memory, the normal procedure is to reboot the machine in order to clear out the memory. You can use RAMMap to clear areas of memory negating the need to reboot the machine.
In this snapshot, you can see that about half of the physical RAM being used is by Mapped Files:
This will now show you all the mapped file entries.
This information is not something you will see any place else other than an RAMMap or memory dump.
On a VMWare or Hyper-V system, the hypervisor can take memory away from one VM and give it to another VM. It does this by using a driver loaded in the VM to "lock" the memory at the kernel level which can then be given to another VM. If too much memory is taken away, this will cause working set trimming and general performance issues. Standard perfmon memory counters will not provide the info to account for the missing memory. This driver locked or "ballooned" memory can be seen 4 different ways depending on the OS.
VMWare console - Memory and processor utilization for each VM will be clearly seen in the VMWare console. If you have access to the console, then this is the preferred method to see the state of memory in the VM.
VMware performance counters - When VMWare tools are installed, VMware performance counters are also created. These can be manually loaded in Performance Monitor or use the logman.exe method below to set up perfmon collection.
The following will configure the counters, set logging to circular with max file size of 300 mb, and take a counter reading every 3 seconds.
<<Start Search>>, enter "CMD.exe" w/o the quotation marks and then press Enter.
Logman.exe create counter PerfLog-Short -o "c:\perflogs\PerfLog-Short.blg" -f bincirc -v mmddhhmm -max 300 -c "\LogicalDisk(*)\*" "\Memory\*" "\Cache\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\Process(*)\*" "\Thread(*)\*" "\Redirector\*" "\Server\*" "\System\*" "\Server Work Queues(*)\*" "\Terminal Services\*" "\VM Processor\*" "\VM Memory\*" -si 00:00:03
Logman.exe start PerfLog-Short
Logman.exe stop PerfLog-Short
Example output from Perfmon:
Example Sysinternals RAMMap:
- Jeffrey Worline
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.