Question How do I diagnose and solve a Memory Leak?

CrimsonKnight98

I'm struggling to find out what is eating up my memory on my Windows 10 PC.
The longer I leave my PC on, the more RAM gets taken, but task manager will not show what is taking up all the memory.

I have done some tests with RamMap, all I found is page table will increase slowly.
Ran a sfc /scannow
Repaired the system image
Made sure my system is up to date

I also used FindZombieHandles and I'll link its current findings below
I tried using PoolMon but I had trouble installing windows SDK and WDK and I have NO idea what I'm doing or how to use these programs... that was so complicated

RAM:
G.SKILL Flare X5 32GB (2 x 16GB) 288-Pin PC RAM DDR5 6000 (PC5 48000) Desktop Memory Model F5-6000J3038F16GX2-FX5
  • Capacity: 32GB (2 x 16GB)
  • Type: 288-Pin DDR5 SDRAM
  • Speed: DDR5 6000 (PC5 48000)
  • CAS Latency: 30
Windows:
Edition: Windows 10 Home
Version: 22H2
Installed on: 4/30/2023
OS build: 19045.4046
Experience: Windows Feature Experience Pack 1000.19053.1000.0

Here's a screenshot of Task Manager and RamMap:
View: https://imgur.com/a/bdeRVik

Here's the findings of FindZombieHandles:
View: https://imgur.com/a/Ih0jICq


Please let me know what else I can send or do to help diagnose this.
I'm computer literate, but I am very unfamiliar with a lot of this stuff...
Active vs Standby Memory, Page Table, Paged Pool, Non Paged Pool, Zombie Processes, etc. are all lost on me.
 
2 ways;
1| Perform a system restore to a point prior to an update if a recent update caused the issue.
2| Recreate your bootable USB installer and reinstall your OS

It'd help if your motherboard was on the latest BIOS version as well, prior to reinstalling the OS.
 
The goal here is to not have to reinstall everything on my computer and find the issue which is causing this so I don't have to reset everything every time I run into an issue. I like to learn about these things.

Not to mention, me potentially reinstalling the driver or the program which is causing this.
 
Simple advice to give when you're not the one who has to rebuild after. Not the first choice though.
Does anyone know why these zombie processes keep increasing?

You probably need to run poolmon, it shows what is using memory on the system

video shows how to run it,


the top line of description of the video above, has the command you use to identify the tag, I can't copy it here as forums will play with its formatting

You need to download the Windows Driver toolkit, as it includes poolmon
https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk


You want to find the tag that is using the biggest difference between Allocs & Frees as these are the processes keeping memory and not giving it back. Leaks are caused by software requesting memory and not giving it back when it's finished.

Many of the processes are actually parts of Windows as you can see the processes that manage memory here, so some will always have a lot. This is normal. You want to look at non-Microsoft tags, as it's likely to be a driver.

this is a list of the most common tags - https://github.com/zodiacon/PoolMonXv2/blob/master/PoolMonX/res/pooltag.txt

I would run the program just after boot, to get a baseline for usage and something to compare to when page file is massive. And then run it when memory is a problem and compare to the original results.

Screenshots can help. Upload them to an image sharing website and post links here for any you want help with.
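The baseline-versus-later comparison described in the post above can be done on saved poolmon snapshots instead of screenshots. This is an added example, not code from the thread: it assumes each snapshot is a text file with the columns Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc, and the sample values are constructed.

```python
import re

# Assumed row layout of a poolmon snapshot: Tag Type Allocs Frees Diff Bytes PerAlloc
ROW = re.compile(r"^ ?(.{4}) +(Nonp|Paged) +(\d+) +(\d+) +(\d+) +(\d+) +(\d+)")

def parse_snapshot(text):
    """Map (tag, pool type) -> (outstanding allocations, bytes held)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank or summary line
        tag, pool = m.group(1).strip(), m.group(2)
        allocs, frees, nbytes = int(m.group(3)), int(m.group(4)), int(m.group(6))
        rows[(tag, pool)] = (allocs - frees, nbytes)
    return rows

def rank_growth(baseline, later, min_bytes=100_000):
    """Tags whose held bytes grew by at least min_bytes, largest growth first."""
    grown = []
    for key, (out_now, bytes_now) in later.items():
        out_then, bytes_then = baseline.get(key, (0, 0))  # tag absent at boot
        delta = bytes_now - bytes_then
        if delta >= min_bytes:
            grown.append((key[0], key[1], out_now - out_then, delta))
    return sorted(grown, key=lambda r: r[3], reverse=True)

# Constructed sample snapshots (values invented for illustration).
BASELINE = """\
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 Proc Nonp       1200      1000       200    460800       2304
 FILE Nonp     500000    480000     20000   7680000        384
 EVEN Nonp     900000    890000     10000   1280000        128
 Cont Nonp        300        10       290   4194304      14463
"""
LATER = """\
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 Proc Nonp      52000      1500     50500 116352000       2304
 FILE Nonp    2100000   2079000     21000   8064000        384
 EVEN Nonp    3500000   3489950     10050   1286400        128
 Cont Nonp        300        10       290   4194304      14463
 MIP2 Paged        40         0        40    655360      16384
"""

if __name__ == "__main__":
    for tag, pool, d_out, d_bytes in rank_growth(parse_snapshot(BASELINE), parse_snapshot(LATER)):
        print(f"{tag:<4} {pool:<5} +{d_out} allocations  +{d_bytes} bytes")
```

A tag such as EVEN can show millions of allocations and still be absent from the result, because nearly all of them were freed; only growth in what is still held between the two snapshots points at a leak.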
 
Here's the link to it now
Okay so I got poolmon working. I took two screenshots from a fresh restart, then 7 hours later. You'll notice Proc is at the top of the list with almost 4x as much memory usage as the next process.

View: https://imgur.com/a/kOPRuMm


I went through the process, going to
Code:
cd C:\Windows\System32\drivers
on command prompt and running
Code:
findstr /s /i /m "Proc" *.*

Which showed a hundred drivers

I then ran
Code:
xperf -on PROC_THREAD+LOADER+POOL -stackwalk PoolAlloc+PoolFree+PoolAllocSession+PoolFreeSession -BufferSize 2048 -MaxFile 1024 -FileMode Circular && timeout -1 && xperf -d C:\pool.etl
And took a ~1 minute sample

And opened the file in Windows Performance Analyzer, added a Stack, and Process column, but I don't really know how to interpret what I'm seeing.

I'm basing a lot of what I'm doing here on this post from superuser.com. I'm not understanding how to "find other 3rd party drivers which you can see in the stack." I'm analyzing what I see, but they are all windows drivers I think? I'm not sure what to look for.
 
Okay I think I may have discovered the cause of the memory leak. It was a program called rainmeter that seemed to be causing many instances of svchost.exe to open and not close.
I uninstalled it and I don't see the RAM usage going up over the course of 6 hours.

I'm going to leave my PC idle overnight with a few basic programs running (which I'd normally have open) and see if there are any other RAM increases.

I can't say for sure how long this leak has been going on, but I noticed an issue I used to face where my PC would be sluggish if I left it idle is gone (DUH). So there's that! Hopefully this fixes it, I'll detail everything I did to solve this once I confirm it's fixed!
 
Looking at things where difference = over 100k
Proc - Process Objects (sounds like windows to me) - different people find different drivers to blame when Proc is using lots of memory.
Cont = Contiguous physical memory allocations for device drivers (sounds like a windows process)
MIP2 = Unknown
FILE = Filinfo (Windows)
EVEN - Event objects (windows)
PSin - Windows process
SeT1 - Security Targetinfo (windows)
ETwS - ETW Stack Cache (windows)

I think you can sort it by Differences but if you think you worked it out, it's not necessary.

Rainmeter did have a memory leak 4 years ago:
https://forum.rainmeter.net/viewtopic.php?t=35673
No mention of a fix to one recently, which version were you on?
It was a program called rainmeter that seemed to be causing many instances of svchost.exe to open and not close.
Memory leaks caused when a process keeps asking for resources and never releases them once finished. So that sounds like you caught it in the act.

ram usage not growing right? just page file?

What are full specs of PC?
 