This guide is applicable both for Windows Server 2019/2016/2012R and desktop Windows 10/8.1.

This topic includes the following examples of PoolMon use:

Example 1: Display and Sort PoolMon Output
Example 5: Monitor a Terminal Server Session

Example 1: Display and Sort PoolMon Output

This example describes various ways to configure the PoolMon display. By default, PoolMon displays all kernel memory allocations in alphanumeric order by tag value. You can modify the sort order of the display at the command line or while PoolMon is running.

The following command starts PoolMon:

poolmon

The following command starts PoolMon and sorts the display by number of free operations:

poolmon /f

While PoolMon is running, you can use the run-time commands to change the display. For example, to sort the display by number of bytes used, press b. To sort by bytes per allocation, press m.

The following command starts PoolMon and displays only allocations from the nonpaged pool:

poolmon /p

In some cases, the installed Hyper-V role causes a memory leak in the non-paged pool. If you don't need this role, we recommend disabling it. On Windows Server you can disable the Hyper-V role with the PowerShell command:

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

If your search does not return any results, check if the memory leak was caused by a user-mode process. Open the Task Manager, go to the Details tab, add the NP Pool column and look for processes with a large memory size in the non-paged pool.
Install the Latest Versions of Network Adapter Drivers

Try to download and install the latest driver versions for your network adapters from the vendor's website.
If the automatic driver update is enabled in Windows, check to see if problems started after installing new drivers.
Try to roll back to the previous driver version and see if the problem persists. If the problem is solved, disable automatic driver update.

Go to registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndu\.
Change the value of the Start parameter to 4.
After making changes, you need to restart your computer.

Using PoolMon to Find a Kernel-Mode Memory Leak

You can try to identify the driver that caused the memory leak in the non-paged pool. To do this, we need the Poolmon.exe console tool included in the Windows Driver Kit (WDK). Download and install the WDK for your Windows version from Microsoft. Then start Poolmon.exe (in case of WDK for Windows 10, the tool is located in the C:\Program Files (x86)\Windows Kits\10\Tools\ folder).

After you have started the tool, press P. The second column will display the tags of the processes that use non-paged memory (the Nonp attribute). Then press the B key to sort the driver list by the Bytes column.

Your task is to identify the driver file using this tag. In our example, you can see that most of the RAM in the non-paged pool is used by drivers with tags Nr22, ConT, and smNp. You should check drivers for found tags using the strings.exe tool (from Sysinternals), using the built-in findstr command, or using PowerShell. Note that the driver name is now displayed in the Mapped_driver column.

So we have got the list of driver files that may cause the problem. Now you have to identify what drivers and system components these files refer to by their names. To do it, you can use the sigcheck tool from Sysinternals:

sigcheck C:\Windows\System32\drivers\rdyboost.sys

The tool returns the name, description, and version of the driver or Windows component. Now you can try to uninstall/update/reinstall the problem driver or service.

If a memory leak resulted in a BSOD, you can identify the problematic driver in a memory dump file:

Load a memory dump into the Windbg debugger.
If the NonPagedPool Usage value is greater than NonPagedPool Max, it means that the non-paged pool is exhausted.
Check the contents of the pool with the command (results will be sorted by non-paged pool usage):

!poolused 2

After getting the driver tag, find the driver file using findstr or strings.exe as described above.