bugcheck 0x27 RDR_FILE_SYSTEM

Have seen this across an environment Win7/8.1/Win10. It is not high
frequency but does happen. Machines are running 64-bit OS with at
least 4-8GB RAM typically.

Now the WinDbg help file suggests:

One possible cause of this bug check is depletion of nonpaged pool
memory. If the nonpaged pool memory is completely depleted, this error
can stop the system. However, during the indexing process, if the
amount of available nonpaged pool memory is very low, another
kernel-mode driver requiring nonpaged pool memory can also trigger
this error.

From what I can see:

  • nonpaged pool depletion doesn’t seem to be a problem
  • it does look like it is occurring during the indexing process
  • a McAfee component is using the most nonpaged pool memory, but it is
    a small amount (7MB)

Are there any further good diagnostic options for further narrowing
down if a 3rd party component is responsible before logging a case with
Microsoft?

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: 00000000baad0073
Arg2: ffffd001ca1ab0f8
Arg3: ffffd001ca1aa910
Arg4: fffff801afbb75da

Debugging Details:

Page 800 not present in the dump file. Type “.hh dbgerr004” for details

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10586.633.amd64fre.th2_release.161004-1602
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 04/14/2014
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: baad0073
BUGCHECK_P2: ffffd001ca1ab0f8
BUGCHECK_P3: ffffd001ca1aa910
BUGCHECK_P4: fffff801afbb75da

EXCEPTION_RECORD: ffffd001ca1ab0f8 -- (.exr 0xffffd001ca1ab0f8)
.exr 0xffffd001ca1ab0f8
ExceptionAddress: fffff801afbb75da (rdbss! ?? ::NNGAKEGL::`string'+0x000000000000743a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000070
Attempt to read from address 0000000000000070

CONTEXT: ffffd001ca1aa910 -- (.cxr 0xffffd001ca1aa910)
.cxr 0xffffd001ca1aa910
rax=ffffc000b8f3c010 rbx=ffffe001c5367cd0 rcx=ffffe001c4a844b0
rdx=0000000000000000 rsi=ffffe001c4a40270 rdi=ffffe001c62a9838
rip=fffff801afbb75da rsp=ffffd001ca1ab330 rbp=0000000000000000
r8=0000000000000003 r9=ffffd001ca1ad000 r10=ffffd001ca1abf18
r11=ffffd001ca1ab300 r12=0000000000000000 r13=ffffd001ca1abef0
r14=ffffe001c62a9690 r15=ffffe001c65407d0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
rdbss! ?? ::NNGAKEGL::`string'+0x743a:
fffff801afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx ds:002b:00000000`00000070=???
.cxr
Resetting default scope

CPU_COUNT: 1
CPU_MHZ: b54
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 25
CPU_STEPPING: 1
CPU_MICROCODE: 6,25,1,0 (F,M,S,R) SIG: 710'00000000 (cache) 710'00000000 (init)
PROCESS_NAME: SearchProtocolHost.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000070

FOLLOWUP_IP:
rdbss! ?? ::NNGAKEGL::`string'+743a
fffff801afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx

FAULTING_IP:
rdbss! ?? ::NNGAKEGL::`string'+743a
fffff801afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx

READ_ADDRESS: 0000000000000070

BUGCHECK_STR: 0x27

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_SESSION_HOST: LT704794

ANALYSIS_SESSION_TIME: 10-25-2016 09:56:37.0082

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff801afb648aa to fffff801afbb75da

STACK_TEXT:
ffffd001ca1ab330 fffff801afb648aa : ffffd001ca1abef0 ffffe001c6c38300 ffffe001c62a9690 ffffe001c62a9690 : rdbss! ?? ::NNGAKEGL::`string'+0x743a
ffffd001ca1ab3d0 fffff801afba4a96 : fffff801af4c7000 ffffe001c49b0d20 00000000c0000016 ffffe001c49b0c90 : rdbss!RxFsdCommonDispatch+0x2ba
ffffd001ca1ab540 fffff801b0a46da5 : 0000000000000000 fffff80297a39001 0000000000000000 fffff801af4c7000 : rdbss!RxFsdDispatch+0x86
ffffd001ca1ab590 fffff801af4cdc6c : ffffe001c49b0c90 ffffe001c651eb50 ffffe001c4a40270 ffffc000b35be700 : mrxsmb!MRxSmbFsdDispatch+0x85
ffffd001ca1ab5d0 fffff801af4cc5fa : ffffc000b35be700 ffffe001c4455750 ffffe001c4a40270 ffffe001c62a9690 : mup!MupStateMachine+0x1dc
ffffd001ca1ab640 fffff801ae3f7895 : ffffe001c67d8b80 0000000000000000 ffffe001c49b0c90 ffffe001c62a9600 : mup!MupClose+0x8a
ffffd001ca1ab6a0 fffff801ae3f5816 : ffffe001c56b9580 fffff80297ada426 fffffd7ffffeef01 ffffe001c56b9640 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd001ca1ab730 fffff801ae3f5842 : ffffe001c4875df0 ffffe001c4875df0 0000000000000000 0000000000000001 : FLTMGR!FltpDispatch+0xb6
ffffd001ca1ab790 fffff80297ed7cdd : ffffe001c4a40270 0000000000000001 ffffe001c62a9690 fffffa80035ce8f0 : FLTMGR!FltpDispatch+0xe2
ffffd001ca1ab7f0 fffff80297eac958 : ffffc000b6755890 0000000000000000 ffffe001c454ec60 0000000000000000 : nt!IopDeleteFile+0x12d
ffffd001ca1ab870 fffff80297ad94a1 : 0000000000000000 0000000000000000 ffffc000b6755890 ffffe001c4a40270 : nt!ObpRemoveObjectRoutine+0x78
ffffd001ca1ab8d0 fffff80297e6c08f : 00000000000800a9 ffffe001c68678a0 ffffe00100000000 ffffe00174536d4d : nt!ObfDereferenceObject+0xa1
ffffd001ca1ab910 fffff80297b0f48a : ffffe001c68678a0 ffffd001ca1ab9d0 0000000000000001 0000000000000000 : nt!MiSegmentDelete+0x14b
ffffd001ca1ab950 fffff80297a51ae4 : ffffe001c68678a0 ffffe001c532fb00 0000000000000000 0000000000000000 : nt!MiCleanSection+0x4e
ffffd001ca1ab9f0 fffff80297a519b1 : ffffe001c68678a0 ffffe001c532fbc8 0000000000000000 00000000c6d440e8 : nt!MiAttemptSectionDelete+0x88
ffffd001ca1aba50 fffff80297a91835 : ffffe001c65dacd0 0000000000000000 ffffd001ca1abb10 ffffe001c4e1c010 : nt!MmFlushImageSection+0xc5
ffffd001ca1aba90 fffff80297a90c0a : ffffe001c65dacd0 ffffe001c65407d0 0000000000000001 0000000000000000 : nt!MiCanFileBeTruncatedInternal+0x149
ffffd001ca1abad0 fffff801afb9eba0 : 0000000000000011 ffffe001c65dacd0 ffffe001c65407d0 0000000000000000 : nt!MmCanFileBeTruncated+0x1e
ffffd001ca1abb10 fffff801afb9c561 : ffffc000b8f3c010 0000000000000000 ffffc000b8f3c010 0000000000000000 : rdbss!_RxAcquireFcb+0x370
ffffd001ca1abb90 fffff801afb9bc01 : ffffe001c65dacd0 fffff801afb62b00 ffffd001ca1abdc0 ffffd001ca1abca8 : rdbss!RxFindOrCreateFcb+0x1c1
ffffd001ca1abc50 fffff801afba448e : ffffe001c6540930 ffffe001c6540704 ffffe001c6540930 0000000000000005 : rdbss!RxCreateFromNetRoot+0x111
ffffd001ca1abd60 fffff801afb64b65 : ffffe001c6540930 ffffe001c65dacd0 ffffd001ca1ac001 ffffe001c65407d0 : rdbss!RxCommonCreate+0x12e
ffffd001ca1abe00 fffff801afba4a96 : ffffe001c6540978 0000000000000000 ffffe001c6632e70 ffffc000b34f4c50 : rdbss!RxFsdCommonDispatch+0x575
ffffd001ca1abf70 fffff801b0a46da5 : 0000000000000000 fffff80200000030 0000000000000000 0000000000000000 : rdbss!RxFsdDispatch+0x86
ffffd001ca1abfc0 fffff801afcc2848 : ffffc000b6593ab0 ffffd001ca1ac0b9 ffffe001c65407d0 ffffe001c5d7d1f0 : mrxsmb!MRxSmbFsdDispatch+0x85
ffffd001ca1ac000 fffff801afcbf89c : 0000000000000000 ffffc000b3ed5b30 ffffc000b8400c08 0000000000000000 : dfsc!DfscCmDataAccessState+0x4f8
ffffd001ca1ac120 fffff801afcbf750 : ffffe001c4f1e4b0 ffffe001c4f1e400 ffffc000b6593ab0 0000000000000000 : dfsc!DfscSurrogateCreate+0xcc
ffffd001ca1ac1c0 fffff801af4cefe2 : ffffe001c4f1e420 ffffe00100000000 0000000000000000 ffffe001c6480c80 : dfsc!DfscSurrogatePreProcess+0x40
ffffd001ca1ac1f0 fffff801af4ce48d : 0000000000000000 ffffe001c4f1e370 0000000000000000 ffffe001c6632e70 : mup!MupCallSurrogatePrePost+0x122
ffffd001ca1ac250 fffff801ae3f7895 : 0000000000000280 0000000000000800 ffffd00100000008 ffffe00100000000 : mup!MupCreate+0x6dd
ffffd001ca1ac350 fffff801ae4262d7 : ffffe001c57b03e0 fffff80297ebfa1e ffffe00100000001 0000000000000158 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd001ca1ac3e0 fffff801ae4263fc : ffffe00100000000 ffffe001c49c3010 ffffd001ca1ac558 fffff801ae425d5d : FLTMGR!FltpCreate+0x347
ffffd001ca1ac490 fffff80297ece208 : 0000000000000000 0000000000000045 0000000000000000 0000000000000001 : FLTMGR!FltpCreate+0x46c
ffffd001ca1ac540 fffff80297ec8042 : fffff80297a18000 fffff80297a18000 0000000000000001 fffff80297ecda40 : nt!IopParseDevice+0x7c8
ffffd001ca1ac710 fffff80297ec92ec : ffffe001c7bb6000 ffffd001ca1ac900 0000000000000040 ffffe001c454ec60 : nt!ObpLookupObjectName+0x992
ffffd001ca1ac890 fffff80297e5aac0 : de20000000000001 0000000000000028 00007ffcc021a930 00000000000000c0 : nt!ObOpenObjectByNameEx+0x1ec
ffffd001ca1ac9b0 fffff80297b651a3 : ffffe001c67d4080 0000000000000000 ffffe001c67d4080 ffffe001c4882840 : nt!NtQueryAttributesFile+0x180
ffffd001ca1acc40 00007ffcc38d5884 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000ee6d9f7f38 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffcc38d5884

THREAD_SHA1_HASH_MOD_FUNC: 6ccf7f0032c363ae95946da86f9d9a93dd1534c2
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 955828257a28d548159fb27bc7fae975983d6a7f
THREAD_SHA1_HASH_MOD: c6a24480004c19b0ef4a5ea81d666ddc6f25d42b
FAULT_INSTR_CODE: 704a3948
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: rdbss! ?? ::NNGAKEGL::`string'+743a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57f47ad1
STACK_COMMAND: .cxr 0xffffd001ca1aa910 ; kb
BUCKET_ID_FUNC_OFFSET: 743a
FAILURE_BUCKET_ID: 0x27_rdbss!??::NNGAKEGL::string
BUCKET_ID: 0x27_rdbss!??::NNGAKEGL::string
PRIMARY_PROBLEM_CLASS: 0x27_rdbss!??::NNGAKEGL::string
TARGET_TIME: 2016-10-24T01:32:22.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-10-05 14:18:01
BUILDDATESTAMP_STR: 161004-1602
BUILDLAB_STR: th2_release
BUILDOSVER_STR: 10.0.10586.633.amd64fre.th2_release.161004-1602
ANALYSIS_SESSION_ELAPSED_TIME: cff6
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x27_rdbss!??::nngakegl::string
FAILURE_ID_HASH: {4bde0109-c32e-d142-951b-e577b6c3653b}

Followup: MachineOwner

kd> !vm
Page File: ??\C:\pagefile.sys
Current: 720896 Kb Free Space: 700408 Kb
Minimum: 720896 Kb Maximum: 9037948 Kb
Page File: ??\C:\swapfile.sys
Current: 262144 Kb Free Space: 262136 Kb
Minimum: 262144 Kb Maximum: 6290764 Kb
No Name for Paging File
Current: 13231792 Kb Free Space: 13109276 Kb
Minimum: 13231792 Kb Maximum: 13231792 Kb

Physical Memory: 1048461 ( 4193844 Kb)
Available Pages: 718050 ( 2872200 Kb)
ResAvail Pages: 986450 ( 3945800 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 4294984306 (17179937224 Kb)
Modified Pages: 13251 ( 53004 Kb)
Modified PF Pages: 13184 ( 52736 Kb)
Modified No Write Pages: 0 ( 0 Kb)
NonPagedPool Usage: 232 ( 928 Kb)
NonPagedPoolNx Usage: 17541 ( 70164 Kb)
NonPagedPool Max: 4294967296 (17179869184 Kb)
PagedPool 0 Usage: 39290 ( 157160 Kb)
PagedPool 1 Usage: 6721 ( 26884 Kb)
PagedPool 2 Usage: 2362 ( 9448 Kb)
PagedPool 3 Usage: 2342 ( 9368 Kb)
PagedPool 4 Usage: 2455 ( 9820 Kb)
PagedPool Usage: 53170 ( 212680 Kb)
PagedPool Maximum: 4160749568 (16642998272 Kb)
Session Commit: 2864 ( 11456 Kb)
Shared Commit: 19037 ( 76148 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 8473 ( 33892 Kb)
Pages For MDLs: 484 ( 1936 Kb)
Pages For AWE: 0 ( 0 Kb)
NonPagedPool Commit: 16930 ( 67720 Kb)
PagedPool Commit: 53170 ( 212680 Kb)
Driver Commit: 9077 ( 36308 Kb)
Boot Commit: 13371 ( 53484 Kb)
System PageTables: 508 ( 2032 Kb)
VAD/PageTable Bitmaps: 6071 ( 24284 Kb)
ProcessLockedFilePages: 0 ( 0 Kb)
Pagefile Hash Pages: 41 ( 164 Kb)
Sum System Commit: 130026 ( 520104 Kb)
Total Private: 211024 ( 844096 Kb)
Misc/Transient Commit: 1911 ( 7644 Kb)
Committed pages: 342961 ( 1371844 Kb)
Commit limit: 1228685 ( 4914740 Kb)

Pid ImageName Commit SharedCommit Debt

9ec mcshield.exe 125076 Kb 6100 Kb 0 Kb
1d8 svchost.exe 53104 Kb 6100 Kb 0 Kb
618 PwdMgmtProxy.e 48004 Kb 6324 Kb 0 Kb
1434 SearchUI.exe 37844 Kb 8788 Kb 0 Kb
15c svchost.exe 32740 Kb 11340 Kb 0 Kb
624 OfficeClickToR 30268 Kb 6108 Kb 0 Kb
880 SearchIndexer. 30128 Kb 6968 Kb 0 Kb
234 SelfService.ex 27608 Kb 3148 Kb 0 Kb
17a0 CcmExec.exe 24604 Kb 14504 Kb 0 Kb
53c explorer.exe 22648 Kb 12244 Kb 0 Kb
169c OTEditTray.exe 21652 Kb 3316 Kb 0 Kb
12d8 SCNotification 19696 Kb 3112 Kb 0 Kb
3b4 svchost.exe 18484 Kb 5984 Kb 0 Kb
62c FireSvc.exe 18120 Kb 6048 Kb 0 Kb
1390 ShellExperienc 15720 Kb 4960 Kb 0 Kb
16e0 dwm.exe 14400 Kb 14520 Kb 0 Kb
3d0 svchost.exe 13972 Kb 5980 Kb 0 Kb
16e8 WmiPrvSE.exe 12500 Kb 6412 Kb 0 Kb
1128 SelfServicePlu 11468 Kb 7180 Kb 0 Kb
6d8 MADService.exe 10788 Kb 6020 Kb 0 Kb
428 IdentityAgent. 10084 Kb 7136 Kb 0 Kb
278 services.exe 9840 Kb 4784 Kb 0 Kb
bc4 svchost.exe 9472 Kb 6100 Kb 0 Kb
3ac svchost.exe 9296 Kb 6112 Kb 0 Kb
b4c concentr.exe 8972 Kb 7212 Kb 0 Kb
50c ucsync.exe 8836 Kb 3088 Kb 0 Kb
e10 WmiPrvSE.exe 8776 Kb 6244 Kb 0 Kb
634 HipMgmt.exe 8496 Kb 6060 Kb 0 Kb
2c0 svchost.exe 7520 Kb 6320 Kb 0 Kb
3d8 svchost.exe 7500 Kb 5984 Kb 0 Kb
608 svchost.exe 6848 Kb 6224 Kb 0 Kb
1728 Receiver.exe 6692 Kb 7280 Kb 0 Kb
c18 macompatsvc.ex 6452 Kb 6160 Kb 0 Kb
280 lsass.exe 6404 Kb 4464 Kb 0 Kb
560 spoolsv.exe 6396 Kb 6032 Kb 0 Kb
674 RuntimeBroker. 6240 Kb 6724 Kb 0 Kb
12fc msoia.exe 6148 Kb 7096 Kb 0 Kb
11fc mctray.exe 6112 Kb 6204 Kb 0 Kb
914 mfeann.exe 5888 Kb 6136 Kb 0 Kb
69c macmnsvc.exe 5596 Kb 6092 Kb 0 Kb
2f0 svchost.exe 5308 Kb 6032 Kb 0 Kb
1704 OneDrive.exe 5156 Kb 7144 Kb 0 Kb
758 svchost.exe 5088 Kb 6332 Kb 0 Kb
970 wfcrun32.exe 4708 Kb 3160 Kb 0 Kb
714 VsTskMgr.exe 4548 Kb 6040 Kb 0 Kb
688 masvc.exe 4392 Kb 6160 Kb 0 Kb
10f4 WmiPrvSE.exe 3932 Kb 14384 Kb 0 Kb
165c WmiPrvSE.exe 3908 Kb 6016 Kb 0 Kb
7b4 mfevtps.exe 3784 Kb 6008 Kb 0 Kb
f4c CmRcService.ex 3752 Kb 6016 Kb 0 Kb
1674 sihost.exe 3632 Kb 2836 Kb 0 Kb
16a8 dllhost.exe 3612 Kb 2636 Kb 0 Kb
1ae8 SearchFilterHo 3348 Kb 1932 Kb 0 Kb
18a0 shstat.exe 3336 Kb 3588 Kb 0 Kb
189c UpdaterUI.exe 2820 Kb 7176 Kb 0 Kb
13b8 SearchProtocol 2640 Kb 6476 Kb 0 Kb
1630 WmiPrvSE.exe 2500 Kb 2032 Kb 0 Kb
6ac mfevtps.exe 2484 Kb 6008 Kb 0 Kb
1588 mobsync.exe 2464 Kb 7124 Kb 0 Kb
908 mfefire.exe 2388 Kb 6020 Kb 0 Kb
d10 SearchProtocol 2364 Kb 6476 Kb 0 Kb
1780 WmiPrvSE.exe 2244 Kb 1932 Kb 0 Kb
144 svchost.exe 2136 Kb 5976 Kb 0 Kb
d0c taskhostw.exe 2068 Kb 7096 Kb 0 Kb
1310 winlogon.exe 1896 Kb 4772 Kb 0 Kb
1aec SearchProtocol 1852 Kb 6152 Kb 0 Kb
6b4 mfemms.exe 1852 Kb 6008 Kb 0 Kb
1d4 ssonsvr.exe 1736 Kb 3040 Kb 0 Kb
1b80 redirector.exe 1712 Kb 3032 Kb 0 Kb
2fc WUDFHost.exe 1584 Kb 1928 Kb 0 Kb
9d4 svchost.exe 1564 Kb 332 Kb 0 Kb
1c0 csrss.exe 1348 Kb 10112 Kb 0 Kb
928 conhost.exe 1256 Kb 1944 Kb 0 Kb
700 csrss.exe 1232 Kb 13084 Kb 0 Kb
5d0 armsvc.exe 1216 Kb 1944 Kb 0 Kb
12b0 reader_sl.exe 1212 Kb 3016 Kb 0 Kb
208 wininit.exe 1052 Kb 1900 Kb 0 Kb
fb4 userinit.exe 908 Kb 6312 Kb 0 Kb
110 smss.exe 388 Kb 228 Kb 0 Kb
4 System 284 Kb 204 Kb 0 Kb
1494 SkypeHost.exe 0 Kb 0 Kb 0 Kb
13ec MsPwdRegistrat 0 Kb 0 Kb 0 Kb
119c gpscript.exe 0 Kb 0 Kb 0 Kb
e04 explorer.exe 0 Kb 0 Kb 0 Kb
c6c sihost.exe 0 Kb 0 Kb 0 Kb
b3c smss.exe 0 Kb 0 Kb 0 Kb
9cc FireTray.exe 0 Kb 0 Kb 0 Kb
374 runonce.exe 0 Kb 0 Kb 0 Kb
248 winlogon.exe 0 Kb 0 Kb 0 Kb
1a4 MsPwdRegistrat 0 Kb 0 Kb 0 Kb

kd> !poolused /t 10 2
Sorting by NonPaged Pool Consumed

              NonPaged                  Paged
 Tag     Allocs       Used     Allocs        Used

 MFEm        37    7346608          0           0  McAfee Anti-Virus File System Filter Driver
 EtwB        71    5689376          5      143360  Etw Buffer , Binary: nt!etw
 MFE0     41084    4203104          0           0  Multiple McAfee Drivers
 File      9275    3395120          0           0  File objects
 VM3D        10    3163168          1          64  Volume Manager , Binary: volmgr.sys
 Thre      1368    2903488          0           0  Thread objects , Binary: nt!ps
 FMsl     13291    2551872          0           0  STREAM_LIST_CTRL structure , Binary: fltmgr.sys
 Ntfx      7314    2476016          0           0  General Allocation , Binary: ntfs.sys
 ConT       260    2338816          0           0  UNKNOWN pooltag 'ConT', please update pooltag.txt
 MmPb         3    1789952          0           0  Paging file bitmaps , Binary: nt!mm
 MmCa      5433    1772416          0           0  Mm control areas for mapped files , Binary: nt!mm
 Pool         8    1721920          0           0  Pool tables, etc.
 EtwR      6764    1487584          0           0  Etw Registration , Binary: nt!etw
 Even     10735    1380128          0           0  Event objects
 MmCi      2314    1299728          0           0  Mm control areas for images , Binary: nt!mm
 Vad       8042    1286720          0           0  Mm virtual address descriptors , Binary: nt!mm

 TOTAL   193640   70439632     197400   213654496
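
Added example, not part of the original post and not WinDbg's own code: a Python helper that applies the Arg1 rule quoted in the !analyze -v text above to a saved analysis log, rebuilds the .exr / .cxr / kb follow-up commands from Arg2 and Arg3, and lists stack modules that fall outside an assumed in-box set. The names triage and INBOX, the contents of INBOX, and the final examplefilter frame in SAMPLE are assumptions constructed for illustration; the other SAMPLE lines are abridged from the dump above.

```python
import re

# High 16 bits of Arg1, as listed in the !analyze -v text above.
RDBSS_CODES = {
    0xCA55: "RDBSS_BUG_CHECK_CACHESUP",
    0xC1EE: "RDBSS_BUG_CHECK_CLEANUP",
    0xC10E: "RDBSS_BUG_CHECK_CLOSE",
    0xBAAD: "RDBSS_BUG_CHECK_NTEXCEPT",
}

# Assumption: modules counted as in-box Windows components for this triage.
INBOX = {"nt", "rdbss", "mrxsmb", "mup", "dfsc", "fltmgr"}

ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-f`]+)", re.M | re.I)
# One kb frame: Child-SP RetAddr : four args : module!symbol
FRAME_RE = re.compile(
    r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: (\w+)!", re.M | re.I)


def triage(text):
    """Summarise one saved !analyze -v log for bugcheck 0x27."""
    args = {int(n): int(v.replace("`", ""), 16) for n, v in ARG_RE.findall(text)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected Arg1..Arg4 in the log")
    # Modules in stack order, de-duplicated; frames without module!symbol are skipped.
    modules = list(dict.fromkeys(m.lower() for m in FRAME_RE.findall(text)))
    return {
        "rdbss_code": RDBSS_CODES.get((args[1] >> 16) & 0xFFFF, "unknown"),
        "low16": args[1] & 0xFFFF,
        # Meaningful when Arg2/Arg3 are the exception and context records,
        # as in the dump above.
        "followup": [f".exr 0x{args[2]:016x}", f".cxr 0x{args[3]:016x}", "kb"],
        "modules": modules,
        "not_inbox": [m for m in modules if m not in INBOX],
    }


# Abridged from the dump above; the last frame is constructed (hypothetical driver).
SAMPLE = """\
Arg1: 00000000baad0073
Arg2: ffffd001ca1ab0f8
Arg3: ffffd001ca1aa910
Arg4: fffff801afbb75da
STACK_TEXT:
ffffd001ca1ab330 fffff801afb648aa : ffffd001ca1abef0 ffffe001c6c38300 ffffe001c62a9690 ffffe001c62a9690 : rdbss! ?? ::NNGAKEGL::`string'+0x743a
ffffd001ca1ab590 fffff801af4cdc6c : ffffe001c49b0c90 ffffe001c651eb50 ffffe001c4a40270 ffffc000b35be700 : mrxsmb!MRxSmbFsdDispatch+0x85
ffffd001ca1ab6a0 fffff801ae3f5816 : ffffe001c56b9580 fffff80297ada426 fffffd7ffffeef01 ffffe001c56b9640 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
0000000000000000 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : examplefilter!PreCreate+0x10
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over a folder of saved logs, the same function lets crashes from many machines be grouped by RDBSS code and by whichever non-in-box modules appear on the faulting stack.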

Malcolm McCaffery wrote:

> Have seen this across an environment Win7/8.1/Win10. It is not high
> frequency but does happen. Machines are running 64-bit OS with at
> least 4-8GB ram typically.
>
> Is there any further good diagnostic options for further narrowing
> down if a 3rd party component is responsible before logging case with
> Microsoft?

Are these machines you control? Have you tried killing McAfee
altogether to see whether the problem goes away?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yes, we have a machine with McAfee removed to see if it eliminates the issue, but
because it only happens about once a week it might be some time before it
reoccurs. McAfee 8.8 Update 1 was known to cause this issue, but it is supposed
to be fixed in this latest version we’re using.

In the old version, when McAfee caused the 0x27 BSOD we saw the McAfee driver in
the stack trace; this time we don’t, though.

Thanks
Malcolm

On Wednesday, October 26, 2016, Tim Roberts wrote:

> Malcolm McCaffery wrote:
> > Have seen this across an environment Win7/8.1/Win10. It is not high
> > frequency but does happen. Machines are running 64-bit OS with at
> > least 4-8GB ram typically.
> > …
> > Is there any further good diagnostic options for further narrowing
> > down if a 3rd party component is responsible before logging case with
> > Microsoft?
>
> Are these machines you control? Have you tried killing McAfee
> altogether to see whether the problem goes away?
>
> --
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.