Re: windbg digest: January 17, 2004

Hi Praveen

You don’t mention what OS you are running, but in order to actually determine the kernel leak, there are some quick tests you can do to determine whether a leak in pool memory is kernel mode:

· Leaks in “Memory\Pool Nonpaged Bytes” and “Memory\Pool Paged Bytes” may be instigated by a kernel mode driver or a user mode process. Determining this first will help narrow the scope and possible cause of the leak.

· Where there is no matching process object counter, it is likely being caused by a kernel mode driver. Often the System process is an indication of an underlying bad driver.

Once you have actually determined the leak, you can start analyzing it in kernel mode. Kernel mode memory is referred to as Pool memory, while user mode memory is called Heap memory. When you discover a leak in Paged Pool memory or Nonpaged Pool memory, you are troubleshooting a kernel mode memory leak.

One key element to this troubleshooting is using Pool Tagging. Pool Tagging enables the kernel to “tag” every allocation and free request for memory, which can be tracked by memsnap or a debugger. A pool tag is a unique 4-character ASCII code that helps identify each driver or system component that requests kernel mode pool allocations.

Just as Memsnap is used for troubleshooting user mode memory leaks, it is also used for troubleshooting kernel mode leaks. Poolsnap was formerly used to take snapshots of pool memory, but this feature is now integrated into memsnap in Windows XP and Windows Server 2003. Poolmon is another tool that is focused specifically on monitoring kernel mode memory, and provides additional detail not included in Memsnap output.

Typically when troubleshooting suspected kernel mode memory leaks, you will start with Performance logging to verify that there is an increase in Paged or Nonpaged pool usage over time. Once that has been established, you can use Memsnap, Poolmon, or kernel mode memory dumps to analyze pool usage.

Performance logging is typically the first troubleshooting step used when kernel mode leaks are suspected. To log useful data, add the following counters from the Memory object:

· Pool Nonpaged Allocs

· Pool Nonpaged Bytes

· Pool Paged Allocs

· Pool Paged Bytes

Once you have logs gathered, check for upward trends in Nonpaged bytes and Paged bytes. When you need to gather more detailed information on which components are leaking pool memory, move on to memsnap or poolmon.

In a nutshell, the tools I would use are:

Memsnap Analysis

Location: Memsnap is available in the Support Tools for Windows Server 2003.

Poolmon Analysis

Location: Poolmon is available in the Support Tools for Windows Server 2003.

Poolmon -n "C:\Poolmon.log" -c -g -b

In windbg:

· !vm – This command provides a list of vital memory statistics. If the system is running out of Paged Pool or Nonpaged Pool memory, a warning is displayed.

· !poolused 3 – This command returns output similar to memsnap –p, showing all pool tags, and sorting the output in descending order of Nonpaged pool used.

· !poolfind – The !poolfind command enables you to locate information about a particular pool tag. The tag must be exactly 4 characters unless the * or ? wildcards are used.

With these commands, you can typically locate the problem tag using the same logic as when using the results from Memsnap.

Anyway, have a great day and have fun with your memory leak.


Hi All,

I need help to analyze a crash dump file received from our customer site. Our customer has reported a memory leak issue in the driver we delivered, along with a forcefully generated (through keyboard) dump file. After an initial analysis we have seen that the paged pool is almost fully consumed.

Unfortunately we didn’t have our own pool tag for the allocations, so I cannot identify the memory usage of my drivers. Actually I have two driver modules, hence I need to find the exact location from the memory dump itself and report it to the customer.

Is there any method in windbg to identify the per module paged pool usage from the memory dump? If we see an allocated memory location, is it possible to identify the location from where this allocation was made?

Best Regards
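The pool-tagging point running through both posts above (the reply's description of a tag as a 4-character ASCII code that poolmon and !poolused track per allocation, and the question's driver that allocated without a tag of its own), as an added runnable example that is not code from either poster. It packs a tag the way a driver would pass it to ExAllocatePoolWithTag, decodes it back to the string poolmon displays, and keeps per-tag Allocs/Frees/Bytes counters so that a module which never frees shows up as a growing figure between two snapshots, the trend the reply tells Praveen to look for. Assumptions: the POOL_TAG macro, the tag names MdA1/MdB1, and the tagged_alloc/tagged_free wrappers are hypothetical, and malloc/free stand in for the kernel pool routines so the code builds and runs in user mode without the WDK.

```c
/* Added example, not from the digest posts: packs a 4-character pool tag the way a
 * driver passes it to ExAllocatePoolWithTag, decodes it back to the string poolmon
 * and !poolused print, and keeps per-tag Allocs/Frees/Bytes counters so a module
 * that never frees shows as a growing figure between two snapshots. malloc/free
 * stand in for the kernel pool routines so this runs in user mode. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical macro: a goes in the low byte, so on little-endian x86/x64 the bytes
 * sit in memory as a b c d, the order poolmon displays. That is why drivers writing
 * the tag as a multi-char constant spell it backwards ('1AdM' shows as "MdA1"). */
#define POOL_TAG(a, b, c, d)                                                  \
    ((uint32_t)(uint8_t)(a) | ((uint32_t)(uint8_t)(b) << 8) |                \
     ((uint32_t)(uint8_t)(c) << 16) | ((uint32_t)(uint8_t)(d) << 24))

/* Hypothetical tags, one per driver module as in the question. */
#define TAG_MODULE_A POOL_TAG('M', 'd', 'A', '1')
#define TAG_MODULE_B POOL_TAG('M', 'd', 'B', '1')

/* Decode a packed tag into the 4-char string shown by poolmon and !poolfind;
 * non-printable bytes become '.'. */
void tag_to_string(uint32_t tag, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(tag >> (8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Per-tag counters: the Allocs, Frees and Bytes columns of a poolmon snapshot. */
#define MAX_TAGS 16
typedef struct { uint32_t tag; unsigned long allocs, frees; size_t bytes; } TagStats;
static TagStats g_stats[MAX_TAGS];
static int g_ntags;

static TagStats *stats_for(uint32_t tag) {
    for (int i = 0; i < g_ntags; i++)
        if (g_stats[i].tag == tag) return &g_stats[i];
    if (g_ntags == MAX_TAGS) return NULL;
    g_stats[g_ntags].tag = tag;
    return &g_stats[g_ntags++];
}

/* Header in front of each block so the free side knows tag and size (the real
 * pool manager keeps this in its own pool block header). */
typedef struct { uint32_t tag; size_t size; } BlockHdr;

void *tagged_alloc(size_t size, uint32_t tag) {
    BlockHdr *h = malloc(sizeof *h + size);
    if (!h) return NULL;
    h->tag = tag; h->size = size;
    TagStats *s = stats_for(tag);
    if (s) { s->allocs++; s->bytes += size; }
    return h + 1;
}

void tagged_free(void *p) {
    if (!p) return;
    BlockHdr *h = (BlockHdr *)p - 1;
    TagStats *s = stats_for(h->tag);
    if (s) { s->frees++; s->bytes -= h->size; }
    free(h);
}

/* Outstanding bytes for a tag: the number that trends upward when it leaks. */
size_t outstanding_bytes(uint32_t tag) {
    for (int i = 0; i < g_ntags; i++)
        if (g_stats[i].tag == tag) return g_stats[i].bytes;
    return 0;
}

/* Constructed workload: module A frees what it takes, module B drops one 64-byte
 * block per round. Snapshot before and after and return the tag whose outstanding
 * bytes grew (0 if none): the same diff logic as comparing two poolmon snapshots. */
uint32_t find_leaking_tag(int rounds) {
    size_t a0 = outstanding_bytes(TAG_MODULE_A), b0 = outstanding_bytes(TAG_MODULE_B);
    for (int i = 0; i < rounds; i++) {
        void *a = tagged_alloc(128, TAG_MODULE_A);
        void *b = tagged_alloc(64, TAG_MODULE_B);
        tagged_free(a);
        (void)b;                                /* simulated leak: never freed */
    }
    if (outstanding_bytes(TAG_MODULE_B) > b0) return TAG_MODULE_B;
    if (outstanding_bytes(TAG_MODULE_A) > a0) return TAG_MODULE_A;
    return 0;
}

int main(void) {
    char name[5];
    uint32_t leaker = find_leaking_tag(100);
    for (int i = 0; i < g_ntags; i++) {         /* poolmon-style table */
        tag_to_string(g_stats[i].tag, name);
        printf("%s allocs=%lu frees=%lu diff=%lu bytes=%zu\n", name, g_stats[i].allocs,
               g_stats[i].frees, g_stats[i].allocs - g_stats[i].frees, g_stats[i].bytes);
    }
    tag_to_string(leaker, name);
    printf("growing tag: %s\n", name);
    return 0;
}
```

The accounting is the same arithmetic poolmon and memsnap perform on the pool manager's per-tag counters: a tag whose Allocs minus Frees (and Bytes) keeps climbing across snapshots is the one to feed to !poolfind. A driver that allocates under its own unique tag, rather than a shared or default one, is what makes that per-module attribution possible from a dump in the first place.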
