xperf reports 2 unidentified processes hogging about 6.5GB RAM on an 8GB system.

  • Question

  • I have a system where Task Manager and Resource monitor couldn't explain memory usage, 80~95% of 8GB total where private sets didn't sum over 2GB. Using xperf I was able to track down memory usage. When running xperf/WPA I get 2 processes listed as 

    Process                        MB
    #1 Unknown (-1)                4550145
        PageTable                  3580164
        VirtualAlloc_PreTrace      895039
    #2 N/A                         2015496
        NonPagedPool               607391
        PagedPool                  594863
        Image                      289297
        MapFile                    276258
        MetaFile                   152297
        SessionPrivate             38230
        Driver                     35766

    ..... List goes on with the processes listed on task manager such as svchost/explorer/wpa etc.

    Of the two unidentified processes, #2 N/A seems to be something system related judging from where the resources go. Usually the PageTable contained under process #1 Unknown (-1) is shown separately so that I can see where the memory is going. Has anybody seen this issue?
    Saturday, July 4, 2015 7:32 AM

Answers

  • The ETL file opens then crashes WPA (Win 10 version). I do note there are very few switches enabled regarding memory. I wonder if you could run a Windows performance trace (instead of Xperf) using these switches

    In order to diagnose your problem we need to run Windows performance toolkit the instructions for which can be found in this wiki


    Wanikiya and Dyami--Team Zigzag

    Sunday, July 5, 2015 11:50 AM

All replies

  • I have indeed seen this in ETL files and it is often a result of malware (especially with "unknown" processes). Just to eliminate the possibility I would run Malwarebytes.

    If you are interested we could take a look at the trace if you upload it to OneDrive (or any file sharing service) and put a link to it in your next post.

    Please download the free version of Malwarebytes.
    Update it immediately.
    Do a full system scan.
    Let us know the results at the end.

    http://www.malwarebytes.org/products




    Wanikiya and Dyami--Team Zigzag

    Saturday, July 4, 2015 10:55 AM
  • I have run an MBAM complete scan which found only traces of PUP (Conduit Tool Bar) and nothing else. Found an option to include a rootkit scan, then ran again with zero results.

    https://drive.google.com/file/d/0BxR9ePWLl9duMUVTVFFjQURQY2c/view?usp=sharing

    That's the link to the ETL file (system up time of approx. 3 days).

    Additional information:

    When scanning I saw that MBAM took a long time scanning C:\Windows\Installer folder, analyzing with HDGraph I can see that the windows folder consists of 61.1GB and that the Installer sub folder corresponds to 26.6GB of that volume (other major part was winsxs with 18GB which is about average for a Windows 7 Ultimate).

    Another thing is that the RAM usage after a reboot is low/normal (about 25%~30%) and that ETL was created with an up time of 3 days. I still haven't managed to determine if the usage climbs up slowly or if it peaks after a specific action.

    Retrieving a new ETL file with a system up time of about one hour shows the N/A process consuming about 6GB where about 5GB goes to MapFile (which I think is windows file cache for faster access. Right?) that memory is (probably) tagged as available in task manager, and is released on demand I assume.
    • Edited by Psiki Saturday, July 4, 2015 8:53 PM Adding additional info
    Saturday, July 4, 2015 8:24 PM
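
    The post above asks whether the large MapFile figure is file cache that is counted as available and released on demand. One way to cross-check that outside xperf/WPA is to reconcile the memory performance counters against the sum of private working sets. This is an added example, not part of the original thread; it assumes Windows PowerShell on an English-locale system (counter names are localized), and the row labels are illustrative.

```powershell
# Added example: split physical memory into reclaimable cache, kernel use and process use.
# Assumption: English counter names; run from an elevated Windows PowerShell prompt.
$names = @(
    '\Memory\Available Bytes',
    '\Memory\Standby Cache Reserve Bytes',
    '\Memory\Standby Cache Normal Priority Bytes',
    '\Memory\Standby Cache Core Bytes',
    '\Memory\Free & Zero Page List Bytes',
    '\Memory\Modified Page List Bytes',
    '\Memory\Pool Nonpaged Bytes',
    '\Memory\Pool Paged Resident Bytes',
    '\Memory\System Driver Resident Bytes',
    '\Memory\System Cache Resident Bytes'
)

# Index samples by counter name (last path element; hashtable keys are case-insensitive).
$mem = @{}
foreach ($s in (Get-Counter -Counter $names).CounterSamples) {
    $mem[($s.Path -split '\\')[-1]] = $s.CookedValue
}

# Sum of per-process private working sets, skipping the aggregate and idle instances.
$private = ((Get-Counter '\Process(*)\Working Set - Private').CounterSamples |
    Where-Object { '_total', 'idle' -notcontains $_.InstanceName } |
    Measure-Object -Property CookedValue -Sum).Sum

$total   = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
$standby = $mem['Standby Cache Reserve Bytes'] +
           $mem['Standby Cache Normal Priority Bytes'] +
           $mem['Standby Cache Core Bytes']
$inUse   = $total - $mem['Available Bytes']

$rows = @(
    @('Total physical',                     $total),
    @('Available (standby + free/zero)',    $mem['Available Bytes']),
    @('  Standby cache (reclaimable)',      $standby),
    @('  Free and zero pages',              $mem['Free & Zero Page List Bytes']),
    @('In use (total - available)',         $inUse),
    @('  Process private working sets',     $private),
    @('  Nonpaged pool',                    $mem['Pool Nonpaged Bytes']),
    @('  Paged pool (resident)',            $mem['Pool Paged Resident Bytes']),
    @('  Drivers (resident)',               $mem['System Driver Resident Bytes']),
    @('  System cache (resident)',          $mem['System Cache Resident Bytes']),
    @('  Modified page list',               $mem['Modified Page List Bytes']),
    @('In use, not private working sets',   ($inUse - $private))
)
foreach ($r in $rows) { '{0,-36} {1,10:N0} MB' -f $r[0], ($r[1] / 1MB) }
```

    A large standby figure with a small "In use" total matches cached file data that is reclaimed on demand. A large "In use, not private working sets" row that the pool, driver and cache rows do not account for is the part worth tracing further.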
  • Hi,

    We hope your issue has been resolved. If you've found a solution by yourself or any useful reply, you could share it with us and mark/propose it as answer instead of us.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, July 14, 2015 1:02 AM