Recently I spent some time figuring out the root cause for one of our servers getting stuck - memory usage would increase up to 98% after about five days of working. Resource Monitor (Windows native tool) wasn't showing anything interesting regarding the issue so I had to come up with a different approach. Here's an example and please, look at how a large amount of non-paged memory is in use:
As we know, non-paged memory cannot be stored on a disk and the bad news was that it kept growing. I was searching the Internet in order to find a useful tool, similar to Windows Resource Monitor (but better). I found Kernel Pool Monitor by Pavel Yosifovich. That was a real game-changer that helped me found which application was causing the issue. I found many sys files residing in the memory where pages were tagged in the following way:
C:\>findstr /S /M MFeS *.sys C:\>findstr /S /M NCPc *.sys C:\>findstr /S /M MFE0 *.sys C:\>findstr /S /M NCm1 *.sys |
I had done a few screenshots before as I was expecting that McAfee might have had something to do with this.
A friend of mine who is responsible for the enterprise antivirus solution used McAfee's Profiler and found a few processes he thought it would be safe to exclude from scanning. That was it. After he did it, everything went back to normal. McAfee is in place and all the systems work just fine. The problem is gone (plenty of allocations made by McAfee, however, not enough 'Frees' (de-allocations) so the Diff value was enormous).