Finding Memory Leaks with PoolMon

Clint Colding
Jun 2, 2019 · 2 min read

I’m going to start off by showing you a graph of one of our Windows applications’ memory usage…

[Image: Memory Usage]

Obviously this isn’t normal, even for Windows, but how do you go about figuring out exactly what’s going on?

A quick look at Task Manager showed nothing of concern. In fact, adding up the memory of every listed process didn’t even come close to the total amount of RAM being reported as in use.

Moving to the Memory view on Task Manager’s Performance tab, we see an ungodly 2.6 GB of non-paged pool. Under normal circumstances this number is in the 200–300 MB range.

[Image: Insane non-paged pool size]

A quick search tells us that we have a memory leak, and the location of the growth tells us what kind: non-paged pool is kernel memory, allocated by the kernel and by drivers, so it never shows up in any process’s working set. A non-paged pool that grows without bound points at a kernel-mode component that allocates more than it frees. Every pool allocation carries a four-character tag chosen by the driver that made it (pool tagging is always on in current Windows versions), and PoolMon shows the totals per tag, which is what lets us find the culprit. Below is the play by play for figuring out where it is.

Download the Windows Driver Kit from Microsoft.

Install the WDK on your workstation.

Navigate to C:\Program Files (x86)\Windows Kits\10\Tools\x64 and copy poolmon.exe to the target machine.

Now run poolmon /b to start PoolMon with the tag list sorted by bytes (poolmon /d sorts by Diff instead, which is handy for the check in the next step):


A good indicator of a driver that’s leaking memory is when it’s allocating memory faster than it’s freeing it. In PoolMon that shows up as a tag whose Diff column (Allocs minus Frees, i.e. allocations still outstanding) and Bytes column both keep climbing and never come back down. A single large number isn’t proof on its own, since some tags are legitimately big; take a few readings some minutes apart and look for the tag that only ever grows.

Once you’ve found a suspect tag, note it down; in my case it’s MFeS. PoolMon shows pool tags rather than processes, and the same four bytes are embedded in the driver image that passes the tag to the pool allocator, so a literal search of the driver files tells you which driver(s) the tag belongs to:

# Search the driver images for the literal tag. Case matters (MFeS is not mfes),
# and -SimpleMatch avoids treating the tag as a regular expression.
Set-Location "C:\Windows\System32\drivers"
Select-String -Path *.sys -Pattern "MFeS" -SimpleMatch -CaseSensitive -List | Select-Object FileName -Unique

The MFeS tag ended up being associated with mfeavfk.sys, which is a McAfee driver from the Endpoint Security Platform component. We worked with McAfee, who fixed this issue in Release 5.6.0 (reference 1253234).
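The whole walkthrough above, automated and taken one step further, as an added example that is not code from the original post or from McAfee: instead of eyeballing one PoolMon screen, it parses two saved PoolMon snapshots taken some minutes apart, ranks non-paged tags by how much their Bytes and Diff grew between the two, and then resolves the fastest-growing tag to driver images with the same literal byte search used in the post, falling back to pooltag.txt from Debugging Tools for Windows. Assumptions not taken from the post: the snapshot files come from PoolMon’s /n<file> option (confirm the exact syntax with poolmon /? on your WDK version), the column layout follows PoolMon’s header (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc), and the two snapshots embedded below are constructed sample text, not real captures.

```powershell
# Added example, not from the original post. Parses two PoolMon snapshots,
# ranks nonpaged pool tags by growth, and maps the top tag to driver image(s).
# Assumptions: snapshots saved with "poolmon /n<file>" (check "poolmon /?");
# the sample snapshot text further down is constructed, not a real capture.

function ConvertFrom-PoolMonSnapshot {
    # Turns PoolMon's table lines into objects. Column order follows PoolMon's
    # header: Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc. The per-interval
    # deltas shown in parentheses are skipped; header and summary lines simply
    # fail to match and are dropped.
    param([Parameter(Mandatory)][string]$Text)

    $pattern = '^ ?(?<Tag>.{4})\s+(?<Type>Nonp|Paged)\s+' +
               '(?<Allocs>\d+)\s*\(\s*-?\d+\)\s+(?<Frees>\d+)\s*\(\s*-?\d+\)\s+' +
               '(?<Diff>-?\d+)\s+(?<Bytes>\d+)\s*\(\s*-?\d+\)\s+(?<PerAlloc>\d+)'

    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Tag      = $Matches.Tag.TrimEnd()   # tags can be space-padded
                Type     = $Matches.Type
                Allocs   = [int64]$Matches.Allocs
                Frees    = [int64]$Matches.Frees
                Diff     = [int64]$Matches.Diff    # Allocs - Frees: still outstanding
                Bytes    = [int64]$Matches.Bytes
                PerAlloc = [int64]$Matches.PerAlloc
            }
        }
    }
}

function Compare-PoolMonSnapshot {
    # Ranks tags of one pool type by growth between two snapshots. A leaking
    # driver's tag shows a Diff and Bytes that climb and never come back down;
    # a merely large but stable tag shows a delta near zero.
    param(
        [Parameter(Mandatory)][object[]]$Before,
        [Parameter(Mandatory)][object[]]$After,
        [ValidateSet('Nonp', 'Paged')][string]$Type = 'Nonp',
        [int]$Top = 5
    )
    $earlier = @{}
    foreach ($entry in ($Before | Where-Object Type -eq $Type)) { $earlier[$entry.Tag] = $entry }

    $After | Where-Object Type -eq $Type | ForEach-Object {
        $prev = $earlier[$_.Tag]
        [pscustomobject]@{
            Tag        = $_.Tag
            Bytes      = $_.Bytes
            BytesDelta = if ($prev) { $_.Bytes - $prev.Bytes } else { $_.Bytes }
            DiffDelta  = if ($prev) { $_.Diff  - $prev.Diff  } else { $_.Diff  }
        }
    } | Sort-Object BytesDelta -Descending | Select-Object -First $Top
}

function Resolve-PoolTag {
    # Maps a pool tag to candidate driver images. Step 1 is the post's technique:
    # a literal, case-sensitive byte search of the .sys files, since the tag is
    # embedded in the image as the same four bytes PoolMon displays. Step 2 falls
    # back to pooltag.txt (Debugging Tools for Windows, triage\pooltag.txt),
    # whose lines read "Tag - binary - description".
    param(
        [Parameter(Mandatory)][string]$Tag,
        [string]$DriverPath  = "$env:SystemRoot\System32\drivers",
        [string]$PoolTagFile = ''   # hypothetical: point this at your own copy of pooltag.txt
    )

    $hits = Get-ChildItem -Path $DriverPath -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $Tag -SimpleMatch -CaseSensitive -List |
        Select-Object -ExpandProperty Path -Unique

    if (-not $hits -and $PoolTagFile -and (Test-Path -LiteralPath $PoolTagFile)) {
        $escaped = [regex]::Escape($Tag)
        $hits = Get-Content -LiteralPath $PoolTagFile | ForEach-Object {
            if ($_ -match "^\s*$escaped\s+-\s+(\S+)") { $Matches[1] }
        }
    }
    return $hits
}

# --- Constructed sample: two snapshots of the same machine, ten minutes apart ---
$snapshotT0 = @'
 Tag  Type     Allocs            Frees            Diff   Bytes       Per Alloc
 MFeS Nonp      120000 (   50)    110000 (   48)   10000   19200000 (   3840)    1920
 Xmp1 Paged      80000 (   10)     79900 (   10)     100      64000 (      0)     640
 Xmp2 Nonp       50000 (    5)     49990 (    5)      10       1600 (      0)     160
'@
$snapshotT1 = @'
 Tag  Type     Allocs            Frees            Diff   Bytes       Per Alloc
 MFeS Nonp      900000 (   60)    200000 (   48)  700000 1344000000 (  23040)    1920
 Xmp1 Paged      90000 (   10)     89900 (   10)     100      64000 (      0)     640
 Xmp2 Nonp       60000 (    5)     59990 (    5)      10       1600 (      0)     160
'@

$before = ConvertFrom-PoolMonSnapshot $snapshotT0
$after  = ConvertFrom-PoolMonSnapshot $snapshotT1
$ranked = Compare-PoolMonSnapshot -Before $before -After $after -Type Nonp
$ranked | Format-Table -AutoSize

# Resolve the fastest-growing tag against the live driver directory (Windows host).
$suspect = @($ranked)[0].Tag
Resolve-PoolTag -Tag $suspect
```

Two caveats on the resolution step. The byte search can produce false positives, because four printable bytes can occur by chance inside an unrelated image, and false negatives, because a driver that builds its tag at runtime or lives outside System32\drivers will not be found; treat a hit as a lead to confirm with the vendor, not as proof. And pooltag.txt mostly documents Microsoft’s own tags, so for a third-party tag like MFeS the byte search or the vendor’s documentation is usually the only source.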
