[SOLVED] Why is my Windows using 85% of RAM (40 GB)?

[whitesimian]

I only have a browser opened and a few app like Steam and Battle.net (browser is using 922MB RAM).

The task manager says it's using 40GB of RAM! I have 48GB of RAM total.
It had 16GB RAM before, it was working fine, and now that I upgraded it, it's using 85%.


-------------------------------------------------------------------------------------------------------------------------------
EDIT:

Solution:
NordVPN has a new feature called "Threat Protection".
When I turn it on, it creates a driver file C:\Windows\System32\drivers\mshield.sys
This driver is causing memory leak, especially if I launch a separate antivirus (in my case, Avira Antivirus).
I contacted the NordVPN Support via email and they said it's a known issue and hopefully will be fixed soon.

 

[Colif]

AFAIK drivers only run in non paged pool
your non paged pool isn't even in same ballpark as paged ram
673mb

it was first place I looked.

but clearly I am looking in the wrong place. Or don't know full story

it seems some parts of drivers can run on paged memory.

so if its a driver...

we best using poolmon -
its a Microsoft tool that looks at the paged and non paged pool
video has a link to where to download it and the command he shows in description is how to find the driver that the tag is associated with. The video explains it more. Problem with poolmon is finding a video that explains how to use it that isn't an hour long. Or too short, this is just under 4 minutes:

list of common tags - https://github.com/jjzhang166/windbgtool/blob/master/Dependecies/x64/triage/pooltag.txt

you only want to look at paged pool, and the tags with the biggest difference between Allocs and Frees. A lot of the tags you will find will be windows ones, as some parts of windows manage ram, so naturally they have a lot.

If you want me to look at it, go for it

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/poolmon-run-time-commands

 

[whitesimian]

@Mandark At that moment postman was doing nothing. I used the same NordVPN app on my old computer (16GB RAM) and this problem did not occur.
Also, I was having this RAM usage issue when none of these apps were running a few hours after a fresh restart, except for NordVPN.

 

[Colif]

@whitesimian i edited my last post.

 

[Colif]

Paged pool is amount of kernel and device driver memory that CAN spill over from physical memory into the slow page file (source). Nonpaged pool is the amount of kernel and device driver memory that must stay in physical memory.

quick-adviser.com

Diese Domain steht zum Verkauf!

quick-adviser.com

So since it can be paged, I wonder how long it would take before the driver leak ate all your Commits as well. Paged ram can be written onto page file, so it could take a while for it to chew through whatever yours can grow to.

https://techcommunity.microsoft.com...f-windows-paged-and-nonpaged-pool/ba-p/723789

 

[whitesimian]

we best using poolmon

I says FMfn and TSSM are using the most Bytes.
FMfn associated with fltMgr.sys and TSSM with mshield.sys, both system files.

Now at 32%. When it reach >80% I'll run poolmon again

https://ibb.co/z4kZXSp

 

[Colif]

fltmgr.sys - file system filter manager

The cause of error is not likely to be a windows process. Its going to be made by someone other than windows.
I have been wrong before.

not sure what mshield.sys is (possibly part of Nordvpn?)

okay, I don't know what drivers you have installed (since i assumed wrongly it wasn't a driver)

1. Can you download and run Driverview - http://www.nirsoft.net/utils/driverview.html
2. All it does is looks at drivers installed; it won't install any (this is intentional as 3rd party driver updaters often get it wrong)
3. When you run it, go into view tab and set it to hide all Microsoft drivers, will make list shorter.
4. Can you take a screenshot from (and including)Driver name to (and including)Creation date.
5. upload it to an image sharing website and show link here

What are specs of the PC?

Most of the time memory leaks are LAN drivers

 

[whitesimian]

not sure what mshield.sys is (possibly part of Nordvpn?)

Indeed, I saw that yesterday and disabled NordVPN from the startup. It seemed to have solved the memory leak.
It was very likely the mshield.sys the problem as you and @Mandark pointed out.
I'll run it today without the VPN and reinstall it later.

This is the image of Driverview right now, with the VPN disabled.

What are specs of the PC?

Processor

• AMD Ryzen 7 5800X

Motherboard

• X570-PLUS/BR TUF GAMING

RAM

• 2x Team Group T-Force Pichau Delta RGB 8GB DDR4 3200MHz
• 2x Husky Gaming, Avalanche, 16GB, 3200Mhz, DDR4, CL19

HDD

• HD 1TB 3.5" Sata III 6GB/s

SSD

• SSD KINGSTON KC3000 1TB, PCIe 4.0 NVMe M.2
• SSD 256GB SATA

GPU

• Gigabyte GeForce RTX 3080 Gaming OC

Thank you very much for your help!

 

[Colif]

I would check to see if there is a newer version of Nord if you intend to use it again. Though I see a February 2022 driver there so could need to reinstall it to get it to work right.

strange mshsield.sys doesn't show in driver list, as its not showing just active drivers but all.

 

[whitesimian]

I would check to see if there is a newer version of Nord if you intend to use it again

It's saying it's up to date

strange mshsield.sys doesn't show in driver list

When I quit the app the mshield.sys is deleted automatically, I tested this now

 

[Colif]

it might be recorded as a Microsoft driver

S3 mshield; C:WindowsSystem32DRIVERSmshield.sys [39504 2021-06-07] (nordvpn s.a. -> Nordvpn S.A.)

from the only other source I have found of file name. Which was only in January so its clearly not widespread yet.

we checked for viruses right?

i am not aware of drivers being deleted after use. That would be excessive. And mean it would need to recreate it every time you run program, or download it.. which also seems excessive.
Did you get this from Nord, its not from some peer to peer thing as I do see some indication its got something to do with a cracked version.

 

[whitesimian]

Did you get this from Nord, its not from some peer to peer thing as I do see some indication its got something to do with a cracked version.

I downloaded it from the official website and I have an active subscription.
I'll reinstall it just to be sure.

Also, I emailed them and they said "This issue that you are having is known, we are working on a fix for it, however, we would rather not give you an estimation when we do not actually have one for certain. ".

Disabling the Avira Antivirus decreased the memory leak somehow, but it's still happening.

 

[Colif]

at least Nord know its a problem. its not very widespread yet.

Disabling the Avira Antivirus decreased the memory leak somehow, but it's still happening.

i thought we fixed leak? or do you mean if you run Nord?

 

[whitesimian]

i thought we fixed leak? or do you mean if you run Nord?

The leak is fixed when I quit the Nord app. When I run Nord and disable Avira, the leak diminishes.

But lurking a bit more on the Nord app I see this mshield.sys is associated with a new feature called "Threat protection". When I turn it on, the driver file is created, when I turn it off it gets deleted.
If I turn Threat Protection off, there's no leak.

Also, I installed the app again from the link they provided via email.

we checked for viruses right?

Yes

 

[Colif]

NordVPN’s advanced Threat Protection feature is the next step in your digital security. It neutralizes cyber threats before they can do any real damage to your device. Threat Protection makes your browsing safer and smoother. It helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.

Threat Protection: for your daily security online

NordVPN’s Threat Protection is a cybersecurity feature with powerful anti-malware capabilities. Use it to block malware, trackers, ads, and malicious websites.

nordvpn.com

if you use malwarebytes or another AV already, it might be you don't need this on.

I use Ublock Origin to do a lot of that. works with all the browsers I use, chrome, Firefox, Edge. isn't a memory hog.

Sounds like its still in beta? or has teething issues.

its anti virus - https://au.pcmag.com/antivirus/9236...us-through-built-in-threat-protection-feature