Finding Memory Leaks with PoolMon
I’m going to start off by showing you a graph, a graph of one of our Windows applications memory usage…
Obviously this isn’t normal, even for Windows, but how do you go about figuring out exactly whats going on?
A quick look at task manager showed nothing of concern, in fact, adding up all of the processes memory, didn’t even add up to the total amount of RAM that was being reported as used.
Moving to the RAM Performance tab we see an ungodly 2.6 GB of Non-paged pool memory. Under normal circumstances this number is in the 200–300 MB range.
A quick search tells us that we have a memory leak. Below is the play by play for figuring out where it is.
Download the Windows Driver Kit from Microsoft.
You only need the WDK, disregard the Visual Studio downloads.
Install the WDK on your workstation.
You can install the WDK anywhere, once installed we’ll grab the actual PoolMon file.
Navigate to C:\Program Files (x86)\Windows Kits\10\Tools\x64 and copy poolmon.exe to the target machine.
Now run poolmon /b to start PoolMon and sort by number of bytes:
A good indicator of a driver that’s leaking memory is when its allocating memory faster than its freeing it.
Once you’ve found a suspect process, note the Tag assigned to it, in my case its MFeS. You can now use the tag to determine the specific driver(s) it’s associated with:
Set-Location "C:\Windows\System32\drivers"
Select-String -Path *.sys -Pattern "MFeS" -CaseSensitive | Select-Object FileName -UniqueThe MFeS tag ended up being associated with mfeavfk.sys, which is a McAfee driver from the Endpoint Security Platform component. Working with McAfee, they fixed this issue in Release 5.6.0 reference 1253234.
