MYSTERY MEMORY LEAK: WHERE DID MY MEMORY GO?!
Published Sep 16 2020 02:06 PM
Microsoft

Hello,

My name is Jeffrey Worline, and I am a Senior Support Escalation Engineer on the Windows Performance Team at Microsoft. This blog post covers how to troubleshoot unaccounted-for memory usage or a memory leak, including how to identify it and how to collect data.

 

If you have already determined which process is consuming memory, check out my previous blog post: Memory Leaks in a Process

 

Scenario

  • You cannot reconcile the amount of RAM being used with Task Manager, Resource Monitor, or a perfmon collection.
  • A large chunk of RAM is being used, but you cannot see where or by what.

Troubleshooting

Scenario A

A large amount of RAM is being used but is not accounted for in Task Manager or Resource Monitor. How do we find where that mystery memory is being used? RAMMap from Sysinternals is the tool needed for the job.

  1. First, when looking at memory usage by process in Task Manager, ensure you also look in the Memory box on the Performance tab: the amount of cached, paged pool, and non-paged pool memory usage.

 


 

  2. Download RAMMap
  3. Launch RAMMap to have it take a snapshot of memory usage.

 

Glossary and Guide to the column and row headings

Stages of memory

  • Active: Pages of physical RAM in active use by the specified category (usually a process working set or the system working set).
  • Standby: Pages of physical RAM not actively being used. These are still left in physical RAM but will be repurposed first by the memory manager (either returned to the active list or zeroed out and reused) if something needs physical RAM for active pages.
  • Modified: Similar to Standby, but these are pages of physical RAM that have been changed and must be flushed to disk before reusing them.
  • Modified no write: Similar to Modified, but these pages have been marked not to be written out to disk.
  • Transition: Pages that are in transition between any of the other categories.
  • Zeroed: Pages that have been zeroed out and are ready to be used. They can be quickly allocated for new physical memory allocations.
  • Free: Free pages are free to be used but have some type of “dirty” data in them, so they must be zeroed for security reasons before being given to a user process. These are usually pages that have been freed by an existing process.
  • Bad: These are physical pages that have been marked as bad.

The areas of interest are the following rows. Check them for high memory consumption to account for where the rest of your memory is being used.

 

TIP:

If you have a memory leak and get to the point of almost running out of memory, the normal procedure is to reboot the machine in order to clear out the memory. You can use RAMMap to clear areas of memory negating the need to reboot the machine.

 


 

      

 

Types of memory usage

  • Process Private: Memory allocated for use only by a single process.
  • Mapped file: A mapped “view” of a file is when the contents of that file are mapped to virtual addresses in memory.
  • Shareable: Pages that have been marked as shared can be used by multiple processes.
  • Paged Pool: Kernel pooled memory that can be paged to disk.
  • Nonpaged Pool: Kernel pooled memory that cannot be paged to disk.
  • Session Private: Memory that is private to a particular logged-in session. This will be higher on an RDS Session Host server.
  • Metafile: Metafile is a part of the system cache containing NTFS metadata and used to increase the performance of the file system.
  • AWE: You will typically see this used by SQL or other database applications.
  • Driver Locked: These are pages that have been locked in physical RAM by a driver. You usually see this usage with Hyper-V or VMware virtual machines.
  • Large Page: The normal page size for Windows memory is 4 KB on x64 systems, but with large pages the size is 2 MB. SQL Server and Oracle support the concept of Large Pages when allocating memory.

 

In this snapshot, you can see that about half of the physical RAM in use is consumed by Mapped File:
 


 

  4. In this example, we would next click on the Physical Pages tab.
  5. Now, at the bottom of the tool, select "Use" for the Filter, leave the comparison as "is", and select "Mapped File" from the drop-down.


 

 

This will now show you all the mapped file entries.

  6. Next, I would click on the File Name column heading to group similar file names. At this point I could check whether all the mappings point to the same path, or the same general path, to help determine what is causing all the mapped files.

 


 

This information is not something you will see anywhere other than in RAMMap or a memory dump.
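
As a quick pre-check before opening RAMMap, the PowerShell below (an added example, not code from the original post) sums what the standard performance counters can explain and prints the remainder. It assumes the English counter names; the remainder always includes shareable working-set pages and page tables, so only a large gap points at the rows perfmon cannot see, such as Driver Locked, AWE, or Large Page.

```powershell
# Added example: rough reconciliation of physical RAM from performance counters.
# Counter paths are the English names (assumption); a localized OS uses others.
$paths = @(
    '\Memory\Available Bytes'
    '\Memory\Modified Page List Bytes'
    '\Memory\Pool Nonpaged Bytes'
    '\Memory\Pool Paged Resident Bytes'
    '\Memory\System Cache Resident Bytes'
    '\Memory\System Driver Resident Bytes'
    '\Memory\System Code Resident Bytes'
    '\Process(_Total)\Working Set - Private'
)
$c = @{}
foreach ($s in (Get-Counter -Counter $paths -ErrorAction Stop).CounterSamples) {
    # Path looks like \\host\memory\available bytes; key on the counter name only.
    $c[($s.Path -split '\\')[-1]] = [double]$s.CookedValue
}

$os           = Get-CimInstance -ClassName Win32_OperatingSystem
$totalB       = [double]$os.TotalVisibleMemorySize * 1KB   # property is in KB
$notAvailable = $totalB - $c['available bytes']            # in use + modified

# What the counters can attribute to a known consumer.
$accounted = [ordered]@{
    'Process private working sets' = $c['working set - private']
    'Nonpaged pool'                = $c['pool nonpaged bytes']
    'Paged pool (resident)'        = $c['pool paged resident bytes']
    'System cache (resident)'      = $c['system cache resident bytes']
    'Driver and kernel code'       = $c['system driver resident bytes'] +
                                     $c['system code resident bytes']
    'Modified page list'           = $c['modified page list bytes']
}
$sum = ($accounted.Values | Measure-Object -Sum).Sum
$gap = $notAvailable - $sum

$accounted.GetEnumerator() | ForEach-Object {
    '{0,-30} {1,10:N0} MB' -f $_.Key, ($_.Value / 1MB)
}
'{0,-30} {1,10:N0} MB' -f 'Total minus available', ($notAvailable / 1MB)
'{0,-30} {1,10:N0} MB ({2:P0})' -f 'Not explained by counters',
    ($gap / 1MB), ($gap / $notAvailable)
```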

 



Scenario B
On a VMware or Hyper-V system, the hypervisor can take memory away from one VM and give it to another VM. It does this by using a driver loaded in the VM to "lock" the memory at the kernel level, which can then be given to another VM. If too much memory is taken away, this will cause working set trimming and general performance issues. Standard perfmon memory counters will not provide the information needed to account for the missing memory. This driver locked or "ballooned" memory can be seen four different ways, depending on the OS.

VMware console - Memory and processor utilization for each VM can be clearly seen in the VMware console. If you have access to the console, this is the preferred method to see the state of memory in the VM.


 

 

VMware performance counters - When VMware Tools is installed, VMware performance counters are also created. You can load these manually in Performance Monitor or use the logman.exe method below to set up a perfmon collection.

Example of Logman to collect VMware processor and memory counters:

The following will configure the counters, set logging to circular with a max file size of 300 MB, and take a counter reading every 3 seconds.

  • The resultant log will be placed in c:\perflogs.

 

In Start Search, enter "CMD.exe" without the quotation marks and then press Enter.

  • Copy and paste the following command into the command prompt window:
Logman.exe create counter PerfLog-Short -o "c:\perflogs\PerfLog-Short.blg" -f bincirc -v mmddhhmm -max 300 -c "\LogicalDisk(*)\*" "\Memory\*" "\Cache\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\Process(*)\*" "\Thread(*)\*" "\Redirector\*" "\Server\*" "\System\*" "\Server Work Queues(*)\*" "\Terminal Services\*" "\VM Processor\*" "\VM Memory\*" -si 00:00:03

 

  • Start the log with:
Logman.exe start PerfLog-Short

 

  • To stop perfmon log:
Logman.exe stop PerfLog-Short
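
Once the log is stopped, it can be read back from PowerShell to see how much memory the balloon driver held and what the guest had available at that moment. This is an added example, not part of the original post; it assumes the log path from the logman command above and the VMware Tools counter names "Memory Ballooned in MB" and "Memory Swapped in MB" in the "VM Memory" set.

```powershell
# Added example: summarize ballooning from the PerfLog-Short log created above.
# Assumption: VMware Tools counter names as listed in $wanted.
$log = Get-ChildItem 'C:\perflogs\PerfLog-Short*.blg' |
    Sort-Object LastWriteTime | Select-Object -Last 1   # -v mmddhhmm adds a suffix
if (-not $log) { throw 'No PerfLog-Short*.blg found in C:\perflogs' }

# Resolve the exact paths stored in the log (they carry the machine name).
$wanted = '\\(Memory Ballooned in MB|Memory Swapped in MB|Available MBytes)$'
$paths  = (Import-Counter -Path $log.FullName -ListSet 'VM Memory', 'Memory').Paths |
    Where-Object { $_ -match $wanted }

# One row per sample interval, keyed on the counter name only.
$rows = Import-Counter -Path $log.FullName -Counter $paths | ForEach-Object {
    $v = @{}
    foreach ($s in $_.CounterSamples) {
        $v[($s.Path -split '\\')[-1]] = $s.CookedValue
    }
    [pscustomobject]@{
        Time        = $_.Timestamp
        BalloonedMB = $v['memory ballooned in mb']
        SwappedMB   = $v['memory swapped in mb']
        AvailableMB = $v['available mbytes']
    }
}

$ballooned = @($rows | Where-Object { $_.BalloonedMB -gt 0 })
if ($ballooned.Count -eq 0) {
    'No ballooning recorded in {0}' -f $log.Name
} else {
    $peak = $ballooned | Sort-Object BalloonedMB -Descending | Select-Object -First 1
    'Ballooned in {0} of {1} samples' -f $ballooned.Count, @($rows).Count
    'Peak {0:N0} MB ballooned at {1:u}; swapped {2:N0} MB, available {3:N0} MB' -f
        $peak.BalloonedMB, $peak.Time, $peak.SwappedMB, $peak.AvailableMB
}
```
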

[Screenshot: example output from Perfmon]

[Screenshot: example Sysinternals RAMMap]

 

 

- Jeffrey Worline

11 Comments
Copper Contributor

Being mostly on-prem really like these "oldschool" articles. :)

Bronze Contributor

Thank you for sharing this. While this scenario is more applicable to Windows Server (since they might need more RAM), it might happen on Windows 10 too. I am asking Windows Server team to collect and analyze log files to fix this problem. Server administrators might be too busy to solve this problem and it would be nice to have a fix through an update.

Copper Contributor

I have 32Gb of RAM and my usage is at 22Gb.
I had so many issues running 16Gb and couldn't find what program was causing it, so I doubled up.
Even if I max out my system at 256GB I'm going to continue having this issue with W10.

I did clear a couple of sets and it dropped to 17Gb used.

Copper Contributor

I'm meeting a similar problem. In the RAMMap snapshot, the unused memory is too large with active status. Can you help me to know how to fix the problem?


 

Copper Contributor

There are thousands of unclosed processes, like cmd.exe, tasklist.exe, and others.

I think the memory leak is caused by unreleased processes. But I don't know why there are so many process instances or how to close them.

 

Microsoft

Yes, you could have zombied processes, also because I see your page table is at about the same amount of memory usage, and if you were to go to Task Manager and on the Details tab, I would be surprised if you saw any cmd, or maybe a few, but not the number of them that you are seeing in RAMMap. As such, the only way you are going to clear them is with a reboot, or you could try in RAMMap under the Empty item at the dump and select empty working, which might work, but I'm guessing likely not in this scenario. Figuring out why or who is the cause is not very straightforward.

First, you could look at whether something is generating cmd.exe to constantly be spun up in the first place, and whether that should be or isn't normal behavior.

You could try running a procmon log and catch the call for creation of cmd. Explorer.exe would be the process actually creating the cmd process, but you would look for who called for it before explorer created it. I would use a filter in procmon on Path contains cmd.exe.

If cmd is being created constantly, then you could also use msconfig from Start-Run and on the Services tab disable 3rd party services, reboot, and check if it is still getting created. If not, then you can go through a process of elimination to determine which service it is.

 

Hope that helps

 

Copper Contributor

@amengpp Those are zombie processes. Something in Windows has an outstanding handle or reference to the process object. The quick and easy thing to check, in my opinion, is to get Process Explorer from Sysinternals. Load it up, search for cmd.exe and see if you can find a process that has outstanding handles to processes that don't exist anymore. You'll know it when you see it. Another giveaway is processes with high handle counts. The handle types will be processes. If it's a driver (like AV) that is holding a reference to the process object, it's much trickier to sort out. The easiest way is to uninstall the AV and then monitor with RAMMap to see if they start accumulating again. Note that zombie processes are normal. You'll always have some. When they start getting up into the thousands is when it becomes a problem. They can cause high memory and high CPU.

 

Hope this helps,

Michael. 

Copper Contributor

Thank you for sharing the article. I found this after searching how to find the cause of a memory leak. I followed all the steps in Scenario A but did not find why a large portion of (cached) memory is used.

For some reason all the available memory is used by mapped files without a filename. This list of mapped files without file name grows every time after a restart until all available memory is used. So how to find out what caused this?

 

[Screenshots: UserCounts.png, FileSummary.png, MappedFiles.png]

Microsoft

@Walter2260 

From your screenshot, for mapped files, active memory is only around 444 mb and the rest is in standby. In standby it will be repurposed by the memory manager (either returned to the active list or zeroed out and reused) if something needs physical RAM for active pages. Your total active memory is around 1.8 gb, so out of total RAM of 16 gb you should have around 4 gb still available. Not sure mapped files is your problem at this stage. Can you take another RAMMap and a screenshot of the default main Use Counts tab when available memory shows in Task Manager down to 1 or 2 gb?

Copper Contributor

@MS_PerfGuy 

Thank you for the reply. Hereby a new screenshot; this was taken a few days after a restart. At this moment I don't know if there was a memory leak. The program that crashed was reporting out of memory errors to the log. But it has not happened again.

I am still wondering why the Mapped File category is using a large amount of memory. To my knowledge, mapped file memory contains programs and data (files) that are read from the disk. But the 'machine' (VM) is not actively used by a user. It's running a few programs that read/write data from the network (OPC) that is processed and stored in a DB on another machine. So it should not read/write anything from/to the disk (except for a few log files that are max 1mb large). The file summary shows that no large data is in memory, so why is mapped files using almost 5GB of memory?

 

UserCounts_2023-08-30.png

 

Microsoft

@Walter2260

 

As noted before, if the physical tab page is only giving offsets and no file paths, there is no way to know why those entries are there, and only a memory dump of the system might shed light on what all the mappings are for. As far as an app crashing with an out of memory error, a lot of times it doesn't really mean it was a physical out of memory problem. It is one of those over-used error messages, like some others I know, that don't always accurately represent the cause of an issue.
