Computers and servers running Windows can run out of memory because of a leak in a system driver that stores its data in non-paged memory. The non-paged pool is the part of the computer’s RAM that is used by the kernel and the drivers of the operating system. The non-paged pool is never swapped to disk (to the paging file); it is always kept in physical memory.
You can see the current size of the non-paged pool in the Memory section of the Performance tab in Task Manager. In the screenshot below, almost all of the server's memory is in use, and most of it is occupied by the non-paged pool: 4.2GB. Normally, the size of the non-paged pool rarely exceeds 200-400MB. A pool this large usually indicates a memory leak in some system component or driver.
When a server runs into this memory exhaustion problem, the following messages may appear in the event log:
The server was unable to allocate from the system Non-Paged pool because the pool was empty.
In most cases, the memory leak described above is caused by third-party drivers installed in the system. As a rule, these are network drivers. Pay attention to how the pool behaves when you download large files (it is likely to grow quickly, up to 128GB or 75% of physical memory on x64 systems). Only a Windows reboot clears the pool. That may be acceptable for a home computer, but a server running 24/7 needs a better solution.
Install the Latest Versions of Network Adapter Drivers
Try to download and install the latest driver versions for your network adapters from the vendor’s website.
If automatic driver update is enabled, check whether the problem appeared after new drivers were installed. Try to roll back to the previous driver version and see if the problem persists. If the rollback solves the problem, disable automatic driver update.
Disable the Network Data Usage Driver
Quite often an incompatibility between the Network Data Usage (NDU) driver and the network adapter drivers is the cause of the memory leak in the non-paged pool. This service can be disabled without much loss of Windows functionality.
The service can be disabled using this command:
sc config NDU start= disabled
Or through the registry:
- Open the Registry Editor (regedit.exe);
- Go to registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndu\;
- Change the value of the Start parameter to 4.
After making the changes, restart your computer.
Disable the Hyper-V Role
In some cases the installed Hyper-V role causes a memory leak in the non-paged pool. If you don’t need this role, we recommend disabling it.
Using PoolMon to Find a Kernel-Mode Memory Leak
If the methods described above did not help, you can try to find out which driver causes the memory leak in the non-paged pool using the console tool Poolmon.exe (included in the Windows Driver Kit, WDK). Download and install the WDK for your Windows version from the Microsoft website. Then start Poolmon.exe (in the WDK for Windows 10, the tool is located in the C:\Program Files (x86)\Windows Kits\10\Tools\ folder).
After you have started the tool, press P. Only the tags that use non-paged memory (the Nonp attribute in the second column) will be left in the list. Then sort the list by the Bytes column (by pressing B).
You can see that in our example the drivers with the Nr22, ConT and smNp tags use most of the RAM in the non-paged pool.
You can find the driver files that contain these tags using the following commands:
findstr /m /l /s Nr22 %Systemroot%\System32\drivers\*.sys
findstr /m /l /s ConT %Systemroot%\System32\drivers\*.sys
findstr /m /l /s smNp %Systemroot%\System32\drivers\*.sys
This gives you a list of driver files that may cause the problem. Next, determine which drivers and system components these file names belong to. To do so, you can use sigcheck by Sysinternals.
sigcheck C:\Windows\System32\drivers\rdyboost.sys
The tool returns the name, description and version of the driver or Windows component.
Now you can try to uninstall, update or reinstall the problem driver or service.
This guide applies to Windows Server 2008/2012R2/2016 as well as to desktop Windows 10, 8.1 and 7.
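The findstr and sigcheck steps above can be combined into one PowerShell script. This is an added example, not part of the original article: it assumes Windows PowerShell 5.1, uses the three tags from the example above as defaults, and reads the version resource and Authenticode status with built-in cmdlets instead of sigcheck (the function name Find-PoolTagOwner is made up for this example).

```powershell
# Added example: map PoolMon tags to driver files and show who published them.
# The default tags are the ones from the article; pass your own with -Tags.
param(
    [string[]]$Tags = @('Nr22', 'ConT', 'smNp'),
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
)

# Latin-1 maps every byte to exactly one character, so a binary file can be
# searched as a string without losing or merging bytes.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

function Find-PoolTagOwner {
    param([string[]]$Tags, [string]$DriverDir)
    $files = Get-ChildItem -Path $DriverDir -Filter *.sys -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
        } catch {
            continue   # file locked or unreadable: skip it
        }
        foreach ($tag in $Tags) {
            # Ordinal = case-sensitive literal match, the same as findstr /l
            if ($text.IndexOf($tag, [System.StringComparison]::Ordinal) -ge 0) {
                # On older PowerShell versions catalog-signed in-box drivers can
                # be reported as NotSigned; confirm with sigcheck in that case.
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                [pscustomobject]@{
                    Tag         = $tag
                    Driver      = $file.FullName
                    Description = $file.VersionInfo.FileDescription
                    Company     = $file.VersionInfo.CompanyName
                    Version     = $file.VersionInfo.FileVersion
                    Signature   = $sig.Status
                }
            }
        }
    }
}

Find-PoolTagOwner -Tags $Tags -DriverDir $DriverDir |
    Sort-Object Tag, Driver |
    Format-Table -AutoSize
```

As with findstr, a match only means the four tag characters occur somewhere in the file, so a tag can be listed for more than one driver.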
2 comments
It’s all so clear until we come to the sigcheck part in the PoolMon step. You just give us a command but it does nothing. Now I’m stuck knowing that ndis.sys is using 4.8GB ram in my non-paged pool but I don’t know what it is. When I Google for sigcheck I can find an exe file for it but that also does nothing. Why do everything so perfect but stop being clear right at the end? What do I do now?
You can download the Sigcheck tool from the Microsoft site (https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck).
Then open an elevated cmd, go to the directory with Sigcheck.exe and run the command:
sigcheck your_path\ndis.sys