Author: MastoidMan
Subject: RamMap - Nonpaged Pool
Posted: 02 August 2013 at 5:57pm
Hi, and thanks for the response.
I watched the video and read the article as advised. I had already downloaded xPerf, but had not gotten the "Windows Drivers Kit" as advised in the article. I downloaded it and set it up.
I ran "poolmon" as "poolmon -b -n poolmonlog1.txt" in the c-prompt to an output file. The first and biggest 10 rows are below.
Tag   Type   Allocs   Frees   Diff     Bytes  Per Alloc
CM31  Paged   18957       0  18957  89583616       4725
MmSt  Paged   20432    2937  17495  35380928       2022
CM25  Paged    4968       0   4968  22323200       4493
RaME  Nonp        1       0      1  18735104   18735104
CIcr  Paged  170121  164102   6019  15145040       2516
Ntff  Paged   11996     517  11479  14142128       1232
NtfF  Paged   11572    4317   7255  10215040       1408
MmRe  Paged    1954     956    998   9965936       9985
FMfn  Paged   62007   43299  18708   8281024        442
File  Nonp   538794  520834  17960   5970144        332
If I understand this correctly, I should be looking for the highest "NonP" or nonpooled return? That would be "RaME". Is this where you would start, or am I off target?
I also ran the big long xperf for about 30-45 seconds that was in the video. Quite a large file, but as he was looking for a specific leak that he caused, I'm looking for what is, right now, a needle in the haystack. The command I ran was "Xperf -on PROC_THREAD+LOADER+POOL -stackwalk PoolAlloc+PoolFree+PoolAllocSession+PoolFreeSession -BufferSize 1024" and then "xperf -stop -d pool0802.etl" to stop it.
Is there anything in that that might be helpful to know?
Thanks.
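
Added example, not part of the original post: a Python sketch that parses a poolmon snapshot log like the one quoted above and ranks the nonpaged tags by bytes. It goes one step beyond the single snapshot in the post by also comparing two logs to show which tags grew; the function names are hypothetical, SNAP_1 reuses rows from the post, and SNAP_2 is constructed sample data.

```python
import re
from typing import NamedTuple

class PoolRow(NamedTuple):
    tag: str
    pool: str    # "Paged" or "Nonp", as printed by poolmon
    allocs: int
    frees: int
    diff: int    # allocations still outstanding (Allocs - Frees)
    bytes: int

# Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc (last column is not kept).
ROW = re.compile(
    r"^\s*(.{1,4}?)\s+(Paged|Nonp)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s*$")

def parse_snapshot(text):
    """Return {(tag, pool): PoolRow}; the header and unparseable lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tag, pool, *nums = m.groups()
            rows[(tag, pool)] = PoolRow(tag, pool, *map(int, nums))
    return rows

def top_by_bytes(rows, pool="Nonp", n=5):
    """Largest consumers in one pool type, biggest first."""
    picked = [r for r in rows.values() if r.pool == pool]
    return sorted(picked, key=lambda r: r.bytes, reverse=True)[:n]

def growth(before, after, pool="Nonp"):
    """(tag, byte growth) for tags that grew between snapshots, largest first."""
    deltas = [(r.tag, r.bytes - (before[k].bytes if k in before else 0))
              for k, r in after.items() if r.pool == pool]
    return sorted((d for d in deltas if d[1] > 0), key=lambda d: d[1], reverse=True)

# Rows taken from the post.
SNAP_1 = """Tag Type Allocs Frees Diff Bytes Per Alloc
CM31 Paged 18957 0 18957 89583616 4725
RaME Nonp 1 0 1 18735104 18735104
File Nonp 538794 520834 17960 5970144 332"""
# Constructed later snapshot (not from the post): RaME flat, File grown.
SNAP_2 = """Tag Type Allocs Frees Diff Bytes Per Alloc
RaME Nonp 1 0 1 18735104 18735104
File Nonp 600000 560000 40000 13280000 332"""

if __name__ == "__main__":
    first, second = parse_snapshot(SNAP_1), parse_snapshot(SNAP_2)
    print([r.tag for r in top_by_bytes(first)])
    print(growth(first, second))
```

A tag that is large but unchanged between snapshots drops out of the growth list, while a tag whose outstanding allocations keep rising stays on it.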