yubas.blogg.se

Poolmon.exe how to use

You have a memory leak caused by a driver, not by an application. Look at the high value of nonpaged kernel memory. You can use poolmon to see which driver is causing the high usage.

Install the Windows WDK, run poolmon, and sort it via P after pool type so that non-paged is on top and via B after bytes to see the tag which uses the most memory. Run poolmon by going to the folder where the WDK is installed, go to Tools (or C:\Program Files (x86)\Windows Kits\8.1\Tools\x64) and click poolmon.exe.

Now look which pooltag uses the most memory as shown here:

Now open a cmd prompt and run the findstr command. To do this, open a cmd prompt and type "cd C:\Windows\System32\drivers" (without quotes) to go to the drivers directory. Then type findstr /s _ *.*, where _ is the tag that you see in poolmon. Do this to see which driver uses this tag:

Now go to the drivers folder (C:\Windows\System32\drivers) and right-click the driver in question (intmsd.sys in the above image example). Click Properties and go to the Details tab to find the Product Name.

If you can't find a driver for the pooltag, look in pooltag.txt to see whether the tag is used by a Windows driver. If you find the tag in pooltag.txt, you need to capture the growth of the pool usage with xperf. First, you have to install the Windows Performance Toolkit. Next, open a cmd prompt (cmd.exe) as admin and run this:

    Xperf -on BASE+Pool -stackwalk PoolAlloc+PoolFree -buffersize 2048 -MaxFile 1024 -FileMode Circular & timeout -1 & xperf -d C:\trace_pool_alloc.etl

Now open it in WPA.exe, load the debug symbols, look for the tag that you saw in poolmon under AIFO (allocated inside, freed outside) and expand the stack. From the function names you may get an idea of what is going on. In this example the FILE tag usage comes from a tool called locate32, which scans the HDD to build up its search index.

This example outlines a procedure for using PoolMon to detect a memory leak. Starting PoolMon changes the data, therefore you must let it run until it reaches a steady state and the data is reliable.

IMPORTANT: To obtain the most accurate results, follow the instructions below accurately.

  • IMPORTANT: This applies if you want to use PoolMon on Windows XP or earlier. You must enable Gflags.exe to enable pool tagging. Pool tagging is permanently enabled on Windows Server 2003 and later.
  • If you are using XP, enable pool tagging as follows.
  • If you are using Windows 2003 or later, skip to Step 2.
  • Enable pool tagging by using a dialog box:
  • In the dialog box, enable Enable Pool Tagging.
  • Enable pool tagging by using the command line:
  • Click Start, Run, type cmd, and press ENTER.
  • Type the following command and press ENTER:
  • Install PoolMon on the computer you want to test, following the Microsoft product instructions.
  • Poolmon.exe is contained in Microsoft Windows Driver Kit (WDK).

Let PoolMon run for at least a few hours; sometimes it might need to run for a few days. Stop PoolMon, wait for 30 minutes, and then restart PoolMon.

IMPORTANT: Repeat this every 30 minutes for at least two hours.

To be able to take multiple snapshots over time the below script can off.

NOTE: for the seconds, McAfee recommends every 15 minutes.

When data collection is complete, examine the following values for each tag, and note any that continually increase:

  • Bytes (number of bytes allocated minus number of bytes freed).
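The comparison step described above (noting tags whose Bytes value continually increases) can be automated once several snapshots have been saved. The following is an added example, not part of the original page: it parses PoolMon-style snapshot text and lists the tags whose Bytes rose in every snapshot, largest growth first. The column layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) and the sample snapshots are constructed assumptions, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data, not real PoolMon output. Assumed snapshot columns:
# Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc (whitespace separated).
HEADER = " Tag  Type     Allocs     Frees      Diff    Bytes  Per Alloc\n"
SNAPSHOTS = [
    HEADER + """\
 File Nonp      52000     51000      1000   368000        368
 Leak Nonp      10000      4000      6000  6144000       1024
 Drv1 Paged      3000      2000      1000   100000        100
""",
    HEADER + """\
 File Nonp      54000     52880      1120   412160        368
 Leak Nonp      12000      5000      7000  7168000       1024
 Drv1 Paged      3600      2400      1200   120000        100
""",
    HEADER + """\
 File Nonp      56000     54940      1060   390080        368
 Leak Nonp      14000      6000      8000  8192000       1024
 Drv1 Paged      4500      3000      1500   150000        100
""",
]

def parse_snapshot(text):
    """Return {(tag, pool_type): bytes_in_use} for one snapshot."""
    usage = {}
    for line in text.splitlines():
        # Split from the right so a tag that contains a space stays whole.
        parts = line.strip().rsplit(None, 6)
        if len(parts) == 7 and parts[1] in ("Nonp", "Paged") and parts[5].isdigit():
            usage[(parts[0], parts[1])] = int(parts[5])
    return usage

def growing_tags(snapshots):
    """List (tag, type, growth) for tags whose Bytes rose in every snapshot."""
    series = defaultdict(list)
    for text in snapshots:
        for key, nbytes in parse_snapshot(text).items():
            series[key].append(nbytes)
    # Require the tag in every snapshot and a strict rise at each step.
    hits = [(tag, pool, v[-1] - v[0]) for (tag, pool), v in series.items()
            if len(v) == len(snapshots) > 1
            and all(b > a for a, b in zip(v, v[1:]))]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

if __name__ == "__main__":
    for tag, pool, growth in growing_tags(SNAPSHOTS):
        print(f"{tag:<4} {pool:<5} +{growth} bytes")
```

A tag that fluctuates (File in the sample) is not reported; only tags that grow at every step are.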







