Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
388 views
in Technique[技术] by (71.8m points)

windows - How to determine NonPaged pool leak using WPA

Got an issue on Windows OS - NP pool slowly increases in size, and after several weeks consumes up to several GBs. Tried to determine the faulty driver(?), but running this:

xperf -on proc_thread+loader+pool -stackwalk poolalloc -MaxFile 1024 -FileMode Circular

twice (after machine restart and after several hours) gives me this:

[Screenshot: WPA analysis]

i.e., I do not see any information about processes/DLLs which can be responsible for the leakage. Am I missing some arguments while taking the trace, or is WPA not enough to find some types of leakages?

@magicandre1981 The thing is that in my case Stack is not listed: [Screenshot: WPA]. I can't rely on Impacting size here, because the leakage goes very slowly here, but 400 MB for NP pool is too big.

PoolMon shows that mainly Irp & FMic are leaking:

[Screenshot: PoolMon right after restart]

[Screenshot: PoolMon after several hours]


Whoever fights the dragon for too long becomes the dragon himself; gaze into the abyss for too long, and the abyss will gaze back…

1 Answer

0 votes
by (71.8m points)

Big thanks to @magicandre1981. This was already discussed at https://superuser.com/a/949246/174557, but I just wanted to add: we should concentrate on the AIFO pool type and search for suspicious modules inside each pool tag (in my case I was interested in Fmic, Even & IRP). Once that's done, disable application/driver one by one and check the results. For some reason WPA sorts the data by Pool Tag, and the Type column is not enabled by default. Eventually, it should look like this: [Screenshot: Windows Performance Analyzer NP pool trace]
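
The comparison of the two PoolMon captures from the question (right after restart and several hours later) can be scripted. The Python below is an added example, not part of the original post: the snapshot text is constructed sample data, and the column layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) and the function names are assumptions.

```python
import re

# Constructed sample snapshots; the column layout is an assumed text format.
SNAP_AFTER_RESTART = """\
 Tag  Type     Allocs      Frees     Diff      Bytes  Per Alloc
 Irp  Nonp     120000     118000     2000    1024000        512
 FMic Nonp      50000      49000     1000     256000        256
 Even Nonp      30000      29500      500      64000        128
 MmSt Paged     90000      80000    10000   20480000       2048
"""
SNAP_HOURS_LATER = """\
 Tag  Type     Allocs      Frees     Diff      Bytes  Per Alloc
 Irp  Nonp     900000     858000    42000   21504000        512
 FMic Nonp     400000     359000    41000   10496000        256
 Even Nonp      31000      30500      500      64000        128
 MmSt Paged     95000      80000    15000   30720000       2048
"""

# Tag is a fixed 4-character field (may contain padding), then the pool type.
ROW = re.compile(r"\s?(.{4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_snapshot(text):
    """Return {(tag, pool_type): (outstanding_allocs, bytes)}; header lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tag, ptype, _allocs, _frees, diff, nbytes = m.groups()
            rows[(tag.strip(), ptype)] = (int(diff), int(nbytes))
    return rows

def nonpaged_growth(before, after, min_bytes=0):
    """Rank NonPaged tags by byte growth between two snapshots."""
    old, new = parse_snapshot(before), parse_snapshot(after)
    grown = []
    for (tag, ptype), (diff, nbytes) in new.items():
        if ptype != "Nonp":
            continue  # the question is about the NonPaged pool only
        old_diff, old_bytes = old.get((tag, ptype), (0, 0))
        delta = nbytes - old_bytes
        if delta > min_bytes:
            grown.append((tag, delta, diff - old_diff))
    return sorted(grown, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for tag, delta, allocs in nonpaged_growth(SNAP_AFTER_RESTART, SNAP_HOURS_LATER):
        print(f"{tag:<4} +{delta / 2**20:.1f} MiB  (+{allocs} outstanding allocations)")
```

Tags whose byte count keeps climbing between captures while outstanding allocations also rise are the ones worth looking up in WPA with the Type column enabled.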

