Friday, February 3, 2017

windows - Finding memory leak with tags LHAN and YHAN

I recently started having issues with one system which has Windows Server 2012 R2 and seems to have a memory leak. The non-paged memory will reach 8.9GB out of a total of 10GB in the course of 12 hours.


This is something that I have never delved into but seemed to be pretty straightforward until I identified the tags which I think are behind the leak; the problem is I cannot match the tags to anything that I know of or that Google shows me, and so I am at a loss about what steps to take from here.


Since the issues started fairly recently, I have a few culprits in mind:



  1. The guest OS is a VM running on an ESXi host, the host was updated to ESXi v6.7 about a week ago (VMware tools also updated), even though the problem just started 2 days ago.

  2. The OS has Panda Adaptive Defense 360 installed, this has been installed 2 or 3 weeks ago but it's possible that an update may have been installed and would now be wreaking havoc.

  3. The last Windows update was installed 3 days ago, this is the one that I am least inclined to believe is involved, but we never know.


I'll keep on grinding, but in the meantime any help would be appreciated.


BTW, here are some screenshots:


UPDATE1: After rebooting the tag YHAN disappeared while the LHAN tag is now occupying a mere 259KB. I will keep an eye using Poolmon and maybe Windows Performance Recorder. Still, any theory is welcome.


UPDATE2: Using the helpful suggestion from HelpingHand's comment, I tried searching for the strings "LHAN" and "YHAN" inside all the files in the System32\drivers folder. To my surprise one file contained both strings: NNSNAHSL.sys:


File description: Network Activity Hook Server LWF
File version: 6.0.0.68
Product name: Nano Network Security
Product version: 4.2.0.404
Legal copyright: © Panda 2017
Original filename: NNSNAHSL.SYS

The only reason why I'm not putting HelpingHand's suggestion as an answer (yet) is because I am still not sure how the leak I am having was triggered and so cannot do further testing for the time being. LHAN is still the only one of the two tags appearing in the pool monitoring and is keeping its allocation size at 259KB.


ANSWER: Since this question was marked as duplicate, while ignoring the specifics of the question and answer, I'll leave the answer right here in the question's body:


**After tracking down the potential driver (NNSNAHSL.SYS) I tried to find when the leak was triggered and why in order to analyse and remedy the situation instead of just assuming that it must be this or that driver but not be sure if it was and how it was leaking. It turns out that the leakage started, and was much more noticeable, every time a network communication took place. Copying a large file (~3GB) across the network would immediately make the non-paged memory mapping skyrocket. After some trial and error I found that the issue was caused by a conflict between the WinPcap driver and Panda's Network Activity Hook Server LWF driver. The issue was happening with some frequency because I was using XArp, which is constantly collecting data actively using WinPcap. Disabling one of the two completely solves the issue. The reason why I think this question and answer deserve to be considered unique is because of the particularity of the issue and the tags. Although I agree that the linked Windows 10 high memory usage (unknown reason) question/answer is far more informative in generic terms.**


Poolmon


RamMap
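
The driver search described in UPDATE2, as an added example that is not part of the original post: a PowerShell script that looks for the two pool tags in every .sys file under System32\drivers and prints the same version-resource fields quoted above. The parameter names and output columns are assumptions made for this example.

```powershell
# Added example: find drivers whose binaries contain the given pool tags.
# The two tags come from the post; parameter names and columns are assumptions.
param(
    [string[]]$Tags = @('LHAN', 'YHAN'),
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
)

# ISO-8859-1 maps every byte to exactly one character, so a binary file can
# be searched as a string without bytes being dropped or merged.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
        } catch {
            # Unreadable file: report it and move on to the next driver.
            Write-Warning "Skipped $($file.Name): $($_.Exception.Message)"
            return
        }

        # Ordinal comparison: pool tags are case-sensitive 4-byte values.
        $hits = @($Tags | Where-Object {
            $text.IndexOf($_, [System.StringComparison]::Ordinal) -ge 0
        })

        if ($hits.Count -gt 0) {
            $vi = $file.VersionInfo
            [pscustomobject]@{
                Driver      = $file.Name
                Tags        = $hits -join ','
                Description = $vi.FileDescription
                FileVersion = $vi.FileVersion
                Product     = $vi.ProductName
                Copyright   = $vi.LegalCopyright
            }
        }
    } |
    Sort-Object { ($_.Tags -split ',').Count } -Descending |
    Format-Table -AutoSize
```

A file that contains a tag string is a lead rather than proof, since four bytes can match by coincidence; the allocation growth for that tag in Poolmon while the suspected workload runs is what confirms it.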
