Mystery tag "Even" using all non-paged pool memory on Windows 2000 Server

Evan_McNally · July 23, 2004, 1:28pm

I am trying to identify a tag called “Even” that is consuming upwards to
178MB of non-paged pool on a windows 200 terminal server. It starts around
40MB, then grows until the server hangs.

I used poolmon to pin the problem down to this tag, but I cannot seem to
find out what driver owns it. No pooltag.txt file was installed with
poolmon, and I cannot locate this file in the .Net SDK or Windows DDK as
some articles have stated. Poolmon /c gives an error about missing DLLs,
and I am not sure that the /c command is even supported on Win2000.
Searching inside the c:\winnt\system32\drivers*.sys drivers turns up about
30 files with this tag.

Some articles I have read indicate to use a debugger and set a break point
to find who owns “Even”, but I am a network admin not a programmer and
frankly do not know how to do this nor know if it advisable to set this up
on a production server–I am willing to learn if this is what I have to do.

Thanks for any help at all!

Evan McNally
“Offcicial whipping boy of a bad server”

Rob_Green · July 23, 2004, 1:47pm

Even - - Event objects
Pooltag.txt is in the triage directory of the debugging tools (windbg)

Thanks,
Rob

> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:bounce-182281-
> xxxxx@lists.osr.com] On Behalf Of Evan McNally
> Sent: Friday, July 23, 2004 1:29 PM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Mystery tag “Even” using all non-paged pool memory on
> Windows 2000 Server
>
> I am trying to identify a tag called “Even” that is consuming upwards to
> 178MB of non-paged pool on a windows 200 terminal server. It starts
> around
> 40MB, then grows until the server hangs.
>
> I used poolmon to pin the problem down to this tag, but I cannot seem to
> find out what driver owns it. No pooltag.txt file was installed with
> poolmon, and I cannot locate this file in the .Net SDK or Windows DDK as
> some articles have stated. Poolmon /c gives an error about missing DLLs,
> and I am not sure that the /c command is even supported on Win2000.
> Searching inside the c:\winnt\system32\drivers*.sys drivers turns up
> about
> 30 files with this tag.
>
> Some articles I have read indicate to use a debugger and set a break point
> to find who owns “Even”, but I am a network admin not a programmer and
> frankly do not know how to do this nor know if it advisable to set this up
> on a production server–I am willing to learn if this is what I have to
> do.
>
> Thanks for any help at all!
>
> Evan McNally
> “Offcicial whipping boy of a bad server”
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@cdp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · July 23, 2004, 2:06pm

If you have a late model Poolmon from the DDK you can use poolmon -c
To create a localtag.txt file which maps as many tags as it can find to
their files. This helps if its not one we have seen.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rob Green
Sent: Friday, July 23, 2004 10:46 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Mystery tag “Even” using all non-paged pool memory
on Windows 2000 Server

Even - - Event objects
Pooltag.txt is in the triage directory of the debugging tools (windbg)

Thanks,
Rob

> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:bounce-182281-
> xxxxx@lists.osr.com] On Behalf Of Evan McNally
> Sent: Friday, July 23, 2004 1:29 PM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Mystery tag “Even” using all non-paged pool memory on
> Windows 2000 Server
>
> I am trying to identify a tag called “Even” that is consuming upwards
to
> 178MB of non-paged pool on a windows 200 terminal server. It starts
> around
> 40MB, then grows until the server hangs.
>
> I used poolmon to pin the problem down to this tag, but I cannot seem
to
> find out what driver owns it. No pooltag.txt file was installed with
> poolmon, and I cannot locate this file in the .Net SDK or Windows DDK
as
> some articles have stated. Poolmon /c gives an error about missing
DLLs,
> and I am not sure that the /c command is even supported on Win2000.
> Searching inside the c:\winnt\system32\drivers*.sys drivers turns up
> about
> 30 files with this tag.
>
> Some articles I have read indicate to use a debugger and set a break
point
> to find who owns “Even”, but I am a network admin not a programmer and
> frankly do not know how to do this nor know if it advisable to set
this up
> on a production server–I am willing to learn if this is what I have
to
> do.
>
> Thanks for any help at all!
>
> Evan McNally
> “Offcicial whipping boy of a bad server”
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@cdp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Maxim_S_Shatskih · July 25, 2004, 10:53am

Event object.

Created by either Win32’s CreateEvent or kernel’s IoCreateXxxEvent.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Evan McNally”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Friday, July 23, 2004 9:28 PM
Subject: [ntdev] Mystery tag “Even” using all non-paged pool memory on Windows
2000 Server

> I am trying to identify a tag called “Even” that is consuming upwards to
> 178MB of non-paged pool on a windows 200 terminal server. It starts around
> 40MB, then grows until the server hangs.
>
> I used poolmon to pin the problem down to this tag, but I cannot seem to
> find out what driver owns it. No pooltag.txt file was installed with
> poolmon, and I cannot locate this file in the .Net SDK or Windows DDK as
> some articles have stated. Poolmon /c gives an error about missing DLLs,
> and I am not sure that the /c command is even supported on Win2000.
> Searching inside the c:\winnt\system32\drivers*.sys drivers turns up about
> 30 files with this tag.
>
> Some articles I have read indicate to use a debugger and set a break point
> to find who owns “Even”, but I am a network admin not a programmer and
> frankly do not know how to do this nor know if it advisable to set this up
> on a production server–I am willing to learn if this is what I have to do.
>
> Thanks for any help at all!
>
> Evan McNally
> “Offcicial whipping boy of a bad server”
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com