A WFP callout driver at the stream layer (FWPS_LAYER_STREAM_V4)
We are observing gradual exhaustion of non-paged pool (NPP) memory on Windows Server (Version: [Windows Version, e.g., 2019/2022]), traced back to srv2.sys (SMB2 server driver).
The issue appears when SMB2 TREE CONNECT requests enter a PENDING state for 1-2 milliseconds due to Windows Filtering Platform (WFP) inspection, causing srv2.sys to retain kernel memory allocations indefinitely.
- Non-paged pool memory growth (visible via poolmon.exe with LS2b, LShs, or related tags).
- Eventual system instability (performance degradation, crashes) due to NPP exhaustion.
- PoolMon Analysis:
  - Identified SRV2.SYS as the top consumer of NPP memory.
  - Tags like LS2b, LShs, LS2c, etc. show abnormal growth.
  - Total Physical Memory: 16GB
  - LS2b → 4047988752 → 4GB → SMB2 buffer, Binary: srv2.sys
  - LShs → 3112506528 → 3GB → SMB2 lease hash table, Binary: srv2.sys
  - LS2c → 219593696 → 219 MB → SMB2 connection, Binary: srv2.sys