Memory Leak on Windows Server 2008 R2

  • Question

  • In the last few weeks we keep seeing servers with high memory usage on them. Almost every day I have to reboot the server to get the memory back. Rebooting keeps the memory down for about a day or a few days. It doesn't seem to matter if there are people in the building or not.

    Symptoms include the expected slowness as the physical memory approaches maximum available. What's strange is that I am not seeing a rising non-paged pool size. Because of this, I don't really know how to go about investigating this problem.

    Running the following:

    1. RAMMap shows that Paged Pool is using the most memory.

    2. Poolmon shows that Toke is using the most Bits.

    3. Handle shows that there are currently 1491 tokens.

    Running Handle -a -p lsass.exe shows that lsass has 425 tokens.

    How do I find out what is causing the memory issue? What is using the memory for Toke to leak so much memory?

    • Edited by lalaJee Tuesday, March 10, 2020 12:30 PM
    Tuesday, March 10, 2020 12:27 PM

Answers

  • As you can see below, there is some driver using the TOKEn object, which is leaking..

    it starts at 1.9GB and in 1:15h it arrives at 2.01GB

    So, it is leaking 60MB per hour.

    So, we have to find out which driver is using the TOKE tag. So, go to \windows\system32\drivers and run

    findstr /m /l toke *.sys

    Then, using Autoruns as you did above, have a look at your installed drivers to see if there is any other driver loading from a different path, and go to that path to check those drivers too. Or use Process Explorer, select the System process and show loaded drivers.. put them in ascending order by path and check all the paths.

    Is this server by any chance a Domain Controller, and are you running some third-party security tool?

    Generally Token objects are used by security tools to list users' permissions and to keep track of Token objects.. in this case there is a memory leak for sure.. the problem is that the TOKEn object is a system object and every driver or service could allocate it.. so please, review all the software running on this server and try to identify security-related software, other than trying to find the driver using the TOKE tag..

    and post your results..

    HTH
    -mario


    • Edited by mariora_ Thursday, May 7, 2020 4:58 PM added bitmap
    • Marked as answer by lalaJee Friday, May 29, 2020 11:28 AM
    Thursday, May 7, 2020 4:56 PM
  • Hi, I would start uninstalling these services one by one.. and see what happens..

    CagService.exe    0.04    96,544 K    114,324 K    1088    CentraStage Service    CentraStage
    AEMAgent.exe    0.04    48,740 K    73,444 K    2668    AEMAgent    
    aria2c.exe    0.01    2,028 K    6,528 K    2756        
    cb.exe    2.05    39,276 K    48,396 K    1192    Cb Response Sensor    Carbon Black, Inc.
    scsm.exe    0.21    518,540 K    530,388 K    1608    LogRhythm System Monitor Service    LogRhythm, Inc.
    nessus-service.exe        1,048 K    3,036 K    2024        Tenable, Inc.
    nessusd.exe    0.03    43,880 K    48,148 K    796        Tenable, Inc.
    winvnc.exe    < 0.01    2,208 K    5,236 K    904    VNC server    UltraVNC
    winvnc.exe        2,520 K    6,260 K    4944    VNC server    UltraVNC


    As you can see, Carbon Black also has some drivers loaded..
    cbk7.sys    Core filter driver component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbk7.sys
    cbstream.sys    Network monitor component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbstream.sys

    And also LogRhythm
    LRAgentMF.sys    LogRhythm System Monitor Mini Filter Driver    LogRhythm, Inc.    C:\Windows\system32\DRIVERS\LRAgentMF.sys


    Also, is the Brother Serial driver still necessary in memory now that the machine is virtualized?
    serial.sys    Brotehr Serial I/F Driver (WDM)    Brother Industries Ltd.    C:\Windows\system32\DRIVERS\serial.sys

    HTH
    -mario

    • Marked as answer by lalaJee Friday, May 29, 2020 11:28 AM
    Sunday, May 10, 2020 8:39 AM
  • Mmst is something related to the memory manager, and may be absolutely normal given that your server is a mail server and for sure will handle many, many messages..

    Monitor it for some days, but probably the leak won't happen anymore.. you can also work with LogRhythm to see if they know their driver has a leak and if they can provide an updated driver to solve the problem.

    Good job..

    Thanks!
    -mario

    • Marked as answer by lalaJee Friday, May 29, 2020 11:28 AM
    Friday, May 15, 2020 1:09 PM

All replies

  • Are you using by any chance Sysmon 10.4 or 10.41?

    There was a huge memory leak in those, fixed with 10.42.

    Otherwise, TOKE is generally used by security programs like antivirus and antimalware.. if you installed one recently, try uninstalling it and see what happens.

    HTH
    -mario

    Tuesday, March 10, 2020 12:50 PM
  • We haven't installed Sysmon or used it, but we do have antivirus software on these boxes, which was installed on 03 Mar 2020.

    If it's the antivirus software which is causing the issue, how can I prove that it's the antivirus software?



    Tuesday, March 10, 2020 2:36 PM
  • Removing it on a server which actually shows the problem, and monitoring the RAM as you have done so far..

    If the problem disappears, it's the antivirus..

    Also, you can try to see if the antivirus drivers use the tag TOKE inside their binaries. Open a CMD where the third-party drivers are and search for the string

    findstr /m /l toke *.sys

    HTH
    -mario

    Tuesday, March 10, 2020 2:43 PM
  • C:\Windows\System32\drivers>findstr /m /l toke *.sys
    http.sys
    ksecpkg.sys
    sntp.sys
    SophosED.sys
    vmci.sys


    C:\Windows\System32\drivers\http.sys: d:\w7rtm\minio\http\sys\tokencache.c
    C:\Windows\System32\drivers\http.sys: d:\w7rtm\minio\http\sys\tokencache.c
    C:\Windows\System32\drivers\ksecpkg.sys: bad token header
    C:\Windows\System32\drivers\ksecpkg.sys: bad token id in the header
    C:\Windows\System32\drivers\ksecpkg.sys: token header too small
    C:\Windows\System32\drivers\ksecpkg.sys: bad EC in token header
    C:\Windows\System32\drivers\ksecpkg.sys: Failed to verify signature token: %#x
    C:\Windows\System32\drivers\mup.sys: Unable to parse UNC Hardening Configuration Entry: Unexpected token.%n%nUNC Path: %2%n%nUNC Hardening Configuration: %4%n%nExpected Token: %5%n%nFound Token: %7%n%nGuidance: The UNC Hardening configuration for the path contains invalid syntax and may be ignored.%n%nFor details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
    C:\Windows\System32\drivers\mup.sys: Unable to parse UNC Hardening Configuration Entry: Unable to parse integer.%n%nUNC Path: %2%n%nUNC Hardening Configuration: %4%n%nExpected Token: %5%n%nFound Token: %7%n%nGuidance: The UNC Hardening configuration for the path contains invalid syntax and may be ignored. The value found token was parsed as an integer, but was found to contain illegal digits.%n%nFor details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
    C:\Windows\System32\drivers\mup.sys: Unable to parse UNC Hardening Configuration Entry: Unable to parse string.%n%nUNC Path: %2%n%nUNC Hardening Configuration: %4%n%nExpected Token: %5%n%nFound Token: %7%n%nGuidance: The UNC Hardening configuration for the path contains invalid syntax and may be ignored. The value found token was parsed as an string, but was not terminated or exceeded the maximum allowable string length.%n%nFor details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
    C:\Windows\System32\drivers\netio.sys: tokenring
    C:\Windows\System32\drivers\sntp.sys: WorkerThread: Failed to retrieve user token in worker thread, user_token_handle
    C:\Windows\System32\drivers\sntp.sys: ConnectionTracking (HTTP): Packet missing user token. Flow handle:
    C:\Windows\System32\drivers\sntp.sys: Failed to create impersonation token
    C:\Windows\System32\drivers\sntp.sys: InvertedCall::ProcessHTTPInvertedCall: Failed to create impersonation token. Status:
    C:\Windows\System32\drivers\SophosED.sys: [%d] Process open token handle failed 0x%08X %llu:%llu [%llu:%llu:%llu:%llu]
    C:\Windows\System32\drivers\SophosED.sys: [%d] Query process token SID failed 0x%08X %llu:%llu [%llu:%llu:%llu:%llu]
    C:\Windows\System32\drivers\SophosED.sys: Failed to query token user: 0x%08x
    C:\Windows\System32\drivers\SophosED_6fc4ba4f-1e26-4be1-a2d8-122d6ba8f4ad: [%d] Process open token handle failed 0x%08X %llu:%llu [%llu:%llu:%llu:%llu]
    C:\Windows\System32\drivers\SophosED_6fc4ba4f-1e26-4be1-a2d8-122d6ba8f4ad: [%d] Query process token SID failed 0x%08X %llu:%llu [%llu:%llu:%llu:%llu]
    C:\Windows\System32\drivers\SophosED_6fc4ba4f-1e26-4be1-a2d8-122d6ba8f4ad: Failed to query token user: 0x%08x
    C:\Windows\System32\drivers\vmci.sys: VMCI: tokenUser is NULL
    C:\Windows\System32\drivers\vmci.sys: VMCI: tokenUser contains invalid SID


    • Edited by lalaJee Wednesday, March 11, 2020 9:10 AM
    Wednesday, March 11, 2020 8:54 AM
  • SophosED seems a good candidate..

    You can use autoruns to disable the driver if you don't want to uninstall the whole product..

    Then reboot and monitor the server.. if the problem no longer shows up that's the cause.

    HTH
    -mario

    Wednesday, March 11, 2020 10:12 AM
  • I have removed Sophos from this machine but the memory is still leaking. It has slowed down the high memory but the server is still crashing after 10 days
    Monday, May 4, 2020 1:24 PM
  • But is it the same problem? I mean, is the memory leaked inside the kernel, or is it a process or something else?

    Post RAMMap captures taken a day apart from one another, or more days even better..

    If it is the metafile that is growing, it is a known problem of 2008.. if it is something else we have to investigate..

    https://docs.microsoft.com/en-us/archive/blogs/technet/itasupport/windows-2008-ridatemi-la-mia-memoria-storia-di-rammap-e-dyncache

    HTH
    -mario

    Monday, May 4, 2020 7:49 PM
  • Server was rebooted about 14 hours ago and it's already on 69%

    RAMMap shows this

    Wednesday, May 6, 2020 9:15 AM
  • Mapped file is high but can be released.. it is the Paged Pool which is strangely high.

    Are you sure you have disabled the SophosED.sys driver? Use Autoruns and uncheck it, then reboot the system (when you can, obviously) so it won't be loaded in memory next time..

    Then go through all the Empty menu in RamMap..

    In my case it released a lot of memory..

    I went from 43 to 46 GB of free memory.. and my paged pool is really low.. so it must be a driver..

    You should schedule a poolmon task every 5-10 minutes to grab it..

    poolmon -n c:\temp\pool.txt -e -u -p -p

    This will continuously add to the file pool.txt the non paged pool ordered by usage, and then you will be able to quickly navigate the file to see what's eating your memory.

    HTH
    -mario

    Wednesday, May 6, 2020 3:00 PM
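
The comparison these replies make by eye on the scheduled poolmon snapshots (which tag keeps growing, and how fast) can be scripted. This is an added example, not code from the thread: it assumes snapshot rows with the columns Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc, and every snapshot value in it is constructed.

```python
"""Rank pool tags by growth across periodic poolmon snapshots (added example)."""
import re
from datetime import datetime, timedelta

# Assumed snapshot row layout: Tag Type Allocs Frees Diff Bytes PerAlloc.
ROW = re.compile(
    r"^\s*(\S{1,4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s*$")
# The interactive display adds "(delta)" groups after some columns; drop them.
DELTA = re.compile(r"\(\s*-?\d+\s*\)")


def parse_snapshot(text):
    """Return {(tag, pool_type): bytes_in_use} for one snapshot's text."""
    usage = {}
    for line in text.splitlines():
        m = ROW.match(DELTA.sub(" ", line))
        if m:  # header, blank and summary lines simply do not match
            usage[(m.group(1), m.group(2))] = int(m.group(6))
    return usage


def rank_growth(snapshots, min_bytes_per_hour=1_000_000, min_steadiness=0.9):
    """snapshots: iterable of (datetime, snapshot_text), in any order.

    A tag is flagged leak-like when it grows faster than min_bytes_per_hour
    AND rises in at least min_steadiness of the intervals, which separates
    a steady leak from a cache that breathes up and down.
    """
    parsed = [(ts, parse_snapshot(txt))
              for ts, txt in sorted(snapshots, key=lambda s: s[0])]
    if len(parsed) < 2:
        raise ValueError("need at least two snapshots")
    hours = (parsed[-1][0] - parsed[0][0]).total_seconds() / 3600
    if hours <= 0:
        raise ValueError("snapshots must span a positive time range")
    results = []
    # Only tags present in both the first and last snapshot can be trended.
    for key in parsed[0][1].keys() & parsed[-1][1].keys():
        series = [snap[key] for _, snap in parsed if key in snap]
        rises = sum(b > a for a, b in zip(series, series[1:]))
        rate = (series[-1] - series[0]) / hours
        steadiness = rises / (len(series) - 1)
        results.append({
            "tag": key[0], "pool": key[1],
            "first_bytes": series[0], "last_bytes": series[-1],
            "bytes_per_hour": rate, "steadiness": steadiness,
            "leak_like": rate >= min_bytes_per_hour and steadiness >= min_steadiness,
        })
    return sorted(results, key=lambda r: r["bytes_per_hour"], reverse=True)


def _row(tag, pool, allocs, frees, nbytes):
    """Format one constructed snapshot row in the assumed column layout."""
    diff = allocs - frees
    return (f" {tag:<4} {pool:<5} {allocs:>10} {frees:>10} {diff:>9} "
            f"{nbytes:>11} {nbytes // max(diff, 1):>10}\n")


def constructed_snapshots():
    """Four constructed snapshots five minutes apart (not data from the thread)."""
    start = datetime(2020, 5, 7, 9, 0)
    mmst = [300_000_000, 310_000_000, 295_000_000, 305_000_000]  # fluctuates
    out = []
    for i in range(4):
        text = (" Tag  Type     Allocs     Frees      Diff   Bytes  Per Alloc\n\n"
                + _row("Toke", "Paged", 900_000 + 3_000 * i, 100_000 + 500 * i,
                       2_000_000_000 + 5_242_880 * i)   # +5 MiB per snapshot
                + _row("MmSt", "Paged", 500_000 + 900 * i, 450_000 + 900 * i, mmst[i])
                + _row("CM31", "Paged", 20_000, 8_000, 50_000_000))  # flat
        out.append((start + timedelta(minutes=5 * i), text))
    return out


if __name__ == "__main__":
    for r in rank_growth(constructed_snapshots()):
        flag = "LEAK?" if r["leak_like"] else ""
        print(f'{r["tag"]:<4} {r["pool"]:<5} '
              f'{r["bytes_per_hour"] / 2**20:9.1f} MiB/h '
              f'steadiness={r["steadiness"]:.2f} {flag}')
```

A tag that rises in every interval is the one to map back to a driver; a tag that grows on average but also shrinks between snapshots behaves like a cache rather than a leak.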
  • I have emptied all of them and it has released around 50% of the memory. I didn't realise that RAMMap has a built-in function to release memory.


    One thing I have noticed is that Trusted Installer keeps running. I have run disk cleaner to clear all system files and Windows Update Catalog.

    Installed all missing updates

    Reset Windows Update Component

    Rebooted the server, but I still see that Trusted Installer is running in the background.

    I have set up a scheduled task to run poolmon every 5 minutes

    You can see that the driver is not loaded

    Do you think it might not be a memory leak, and it might just be that the server needs more memory?

    When looking at the mapped files I saw that the Windows Update catalog database was around 1.7GB, which was loaded into memory



    • Edited by lalaJee Thursday, May 7, 2020 8:17 AM
    Thursday, May 7, 2020 7:58 AM
  • Please find the poolmon log.

    https://drive.google.com/drive/folders/1zDnb-zOsN2beyXkNKNgBFn5LeJuAaGiX?usp=sharing

    It's taken every 5 minutes

    Thursday, May 7, 2020 9:10 AM
  • Doing the following on a server, "Then go through all the Empty menu in RamMap..": does it cause any issue with the server or virtual memory? If done on a database or file server, will it cause it to lose data?

    Thursday, May 7, 2020 2:04 PM
  • When I run findstr /m /l toke *.sys

    I only see the following drivers loading.

    Autoruns is showing the following drivers loaded.

    Process Explorer shows the following drivers loaded under System; none of them that I can see might be leaking the memory.

    Process    CPU    Private Bytes    Working Set    PID    Description    Company Name
    System Idle Process    94.51    0 K    24 K    0        
    System    0.18    128 K    308 K    4        
     Interrupts    0.27    0 K    0 K    n/a    Hardware Interrupts and DPCs    
     smss.exe        488 K    1,300 K    268    Windows Session Manager    Microsoft Corporation
    csrss.exe    < 0.01    2,220 K    5,264 K    380    Client Server Runtime Process    Microsoft Corporation
     conhost.exe    < 0.01    1,264 K    3,532 K    1152    Console Window Host    Microsoft Corporation
     conhost.exe        1,276 K    4,268 K    1884    Console Window Host    Microsoft Corporation
     conhost.exe        1,324 K    4,564 K    1752    Console Window Host    Microsoft Corporation
    wininit.exe        1,512 K    4,812 K    432    Windows Start-Up Application    Microsoft Corporation
     services.exe        6,648 K    12,600 K    536    Services and Controller app    Microsoft Corporation
      svchost.exe    0.06    5,388 K    13,268 K    656    Host Process for Windows Services    Microsoft Corporation
       WmiPrvSE.exe    0.15    18,244 K    27,820 K    2152    WMI Provider Host    Microsoft Corporation
       MonitoringHost.exe    < 0.01    119,892 K    48,960 K    2196    System Center Management Service Host Process    Microsoft Corp.
       MonitoringHost.exe        126,188 K    44,416 K    2940    System Center Management Service Host Process    Microsoft Corp.
       WmiPrvSE.exe    < 0.01    16,632 K    23,616 K    2660    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        4,756 K    10,712 K    4824    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        2,820 K    7,364 K    5116    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        4,452 K    11,792 K    6036    WMI Provider Host    Microsoft Corporation
      svchost.exe    0.01    6,060 K    12,776 K    732    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.01    16,704 K    20,580 K    824    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.09    311,372 K    201,460 K    872    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.02    7,880 K    15,652 K    920    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        4,420 K    12,088 K    964    Host Process for Windows Services    Microsoft Corporation
       dwm.exe        1,676 K    5,324 K    6460    Desktop Window Manager    Microsoft Corporation
      svchost.exe    < 0.01    23,444 K    29,728 K    136    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        7,728 K    13,012 K    804    Host Process for Windows Services    Microsoft Corporation
      CagService.exe    0.04    96,544 K    114,324 K    1088    CentraStage Service    CentraStage
       AEMAgent.exe    0.04    48,740 K    73,444 K    2668    AEMAgent    
        aria2c.exe    0.01    2,028 K    6,528 K    2756        
      cb.exe    2.05    39,276 K    48,396 K    1192    Cb Response Sensor    Carbon Black, Inc.
      svchost.exe        4,092 K    7,924 K    1224    Host Process for Windows Services    Microsoft Corporation
      HealthService.exe    0.01    28,688 K    9,272 K    1256    Microsoft Monitoring Agent Service    Microsoft Corp.
      nsd.exe        22,812 K    9,692 K    1364    wnsd    IBM
      nservice.exe    < 0.01    34,688 K    11,552 K    1452    IBM Notes/Domino    IBM Corp
       scontroller.exe    0.02    63,464 K    57,272 K    1588    IBM Notes/Domino    IBM Corp
        nserver.exe    0.08    144,432 K    1,447,996 K    1840    IBM Notes/Domino    IBM Corp
         nlogasio.exe    < 0.01    39,788 K    17,732 K    1912    IBM Notes/Domino    IBM Corp
         nevent.exe    0.04    79,084 K    689,184 K    1076    IBM Notes/Domino    IBM Corp
         nrouter.exe    0.02    67,992 K    662,540 K    1412    IBM Notes/Domino    IBM Corp
          nmtc.exe    < 0.01    43,436 K    341,372 K    1708    IBM Notes/Domino    IBM Corp
         nreplica.exe    < 0.01    40,824 K    246,012 K    2724    IBM Notes/Domino    IBM Corp
         nupdate.exe    < 0.01    47,772 K    768,448 K    4720    IBM Notes/Domino    IBM Corp
         namgr.exe    < 0.01    43,892 K    220,160 K    3668    IBM Notes/Domino    IBM Corp
          namgr.exe    < 0.01    45,300 K    85,024 K    3612    IBM Notes/Domino    IBM Corp
         nadminp.exe    < 0.01    52,364 K    1,535,804 K    1004    IBM Notes/Domino    IBM Corp
         nsched.exe    < 0.01    42,856 K    1,297,996 K    3848    IBM Notes/Domino    IBM Corp
         ncalconn.exe    < 0.01    38,768 K    29,392 K    2172    IBM Notes/Domino    IBM Corp
         nrnrmgr.exe    < 0.01    42,920 K    1,299,732 K    4612    IBM Notes/Domino    IBM Corp
         nhttp.exe    0.04    238,776 K    315,040 K    3536    IBM Notes/Domino    IBM Corp
          httpd.exe        4,976 K    9,884 K    5272    Apache HTTP Server    International Business Machines
           httpd.exe    0.05    17,876 K    19,184 K    5316    Apache HTTP Server    International Business Machines
         nimap.exe    < 0.01    51,236 K    554,180 K    2248        
         nldap.exe    < 0.01    49,376 K    431,000 K    3808    IBM Notes/Domino    IBM Corp
         npop3.exe    < 0.01    43,788 K    130,220 K    3796    IBM Notes/Domino    IBM Corp
         nintrcpt.exe    < 0.01    38,772 K    32,840 K    888    IBM Notes/Domino    IBM Corp
         ncollect.exe    0.01    67,864 K    127,660 K    1120    IBM Notes/Domino    IBM Corp
         nsmtp.exe    < 0.01    49,988 K    259,688 K    3280    IBM Notes/Domino    IBM Corp
         ndaosmgr.exe    < 0.01    43,432 K    245,540 K    3632    IBM Notes/Domino    IBM Corp
         nprocmon.exe    < 0.01    38,764 K    28,788 K    4536    IBM Notes/Domino    IBM Corp
         ncldbdir.exe    < 0.01    41,444 K    134,656 K    5864    IBM Notes/Domino    IBM Corp
         nclrepl.exe    0.01    48,424 K    391,808 K    5956    IBM Notes/Domino    IBM Corp
         nrunjava.exe    < 0.01    166,548 K    205,892 K    5892    IBM Notes/Domino    IBM Corp
      SMSvcHost.exe        27,628 K    19,916 K    1532    SMSvcHost.exe    Microsoft Corporation
      scsm.exe    0.21    518,540 K    530,388 K    1608    LogRhythm System Monitor Service    LogRhythm, Inc.
      snmp.exe    < 0.01    4,420 K    8,524 K    1952    SNMP Service    Microsoft Corporation
      svchost.exe        2,892 K    7,248 K    1988    Host Process for Windows Services    Microsoft Corporation
      nessus-service.exe        1,048 K    3,036 K    2024        Tenable, Inc.
       nessusd.exe    0.03    43,880 K    48,148 K    796        Tenable, Inc.
      winvnc.exe    < 0.01    2,208 K    5,236 K    904    VNC server    UltraVNC
       winvnc.exe        2,520 K    6,260 K    4944    VNC server    UltraVNC
      VGAuthService.exe        4,880 K    10,944 K    1420    VMware Guest Authentication Service    VMware, Inc.
      vmtoolsd.exe    0.08    12,472 K    21,524 K    1464    VMware Tools Core Service    VMware, Inc.
      lnsnmp.exe        1,424 K    3,948 K    1300    IBM Notes/Domino    IBM Corp
      UI0Detect.exe        2,476 K    7,600 K    3764    Interactive services detection    Microsoft Corporation
       UI0Detect.exe    0.01    2,164 K    7,696 K    4340    Interactive services detection    Microsoft Corporation
      svchost.exe    0.02    3,676 K    9,960 K    1792    Host Process for Windows Services    Microsoft Corporation
       rdpclip.exe        1,768 K    6,208 K    7040    RDP Clip Monitor    Microsoft Corporation
      svchost.exe    < 0.01    197,288 K    70,476 K    2860    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        1,896 K    6,112 K    4068    Host Process for Windows Services    Microsoft Corporation
      msdtc.exe        3,068 K    8,000 K    4360    Microsoft Distributed Transaction Coordinator Service    Microsoft Corporation
      CcmExec.exe        23,520 K    59,924 K    1640    Host Process for Microsoft Configuration Manager    Microsoft Corporation
       SCNotification.exe        38,956 K    36,112 K    6868    SCNotification    Microsoft Corporation
      CmRcService.exe    0.01    5,452 K    9,876 K    4088    Configuration Manager Remote Control Service    Microsoft Corporation
      dllhost.exe    < 0.01    4,172 K    11,564 K    3684    COM Surrogate    Microsoft Corporation
      taskhost.exe        7,340 K    16,432 K    7072    Host Process for Windows Tasks    Microsoft Corporation
      policyHost.exe        9,724 K    20,268 K    3128    Microsoft(R) Policy PlatformService Host    Microsoft Corporation
      sppsvc.exe        7,144 K    14,436 K    6944    Microsoft Software Protection Platform Service    Microsoft Corporation
      TrustedInstaller.exe        10,620 K    15,896 K    6324    Windows Modules Installer    Microsoft Corporation
     lsass.exe    0.03    10,428 K    19,808 K    544    Local Security Authority Process    Microsoft Corporation
     lsm.exe    0.01    3,796 K    7,556 K    552    Local Session Manager Service    Microsoft Corporation
    csrss.exe    < 0.01    9,004 K    7,804 K    2976    Client Server Runtime Process    Microsoft Corporation
    winlogon.exe        1,460 K    4,384 K    4996    Windows Logon Application    Microsoft Corporation
     LogonUI.exe        9,272 K    16,852 K    4792    Windows Logon User Interface Host    Microsoft Corporation
    csrss.exe    0.02    2,000 K    5,696 K    2344    Client Server Runtime Process    Microsoft Corporation
    winlogon.exe        1,884 K    5,612 K    2308    Windows Logon Application    Microsoft Corporation
    explorer.exe    0.31    41,480 K    53,580 K    3824    Windows Explorer    Microsoft Corporation
     Autoruns.exe        15,256 K    25,540 K    4808    Autostart program viewer    Sysinternals - www.sysinternals.com
     procexp64.exe    1.46    32,188 K    51,680 K    5280    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com
    Gui.exe    < 0.01    30,588 K    41,396 K    4380    Agent Browser    CentraStage

    Process: System Pid: 4

    Name    Description    Company Name    Path
    ACPI.sys    ACPI Driver for NT    Microsoft Corporation    C:\Windows\system32\drivers\ACPI.sys
    afd.sys    Ancillary Function Driver for WinSock    Microsoft Corporation    C:\Windows\system32\drivers\afd.sys
    AgileVpn.sys    RAS Agile Vpn Miniport Call Manager    Microsoft Corporation    C:\Windows\system32\DRIVERS\AgileVpn.sys
    amdxata.sys    Storage Filter Driver    Advanced Micro Devices    C:\Windows\system32\drivers\amdxata.sys
    asyncmac.sys    MS Remote Access serial network driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\asyncmac.sys
    atapi.sys    ATAPI IDE Miniport Driver    Microsoft Corporation    C:\Windows\system32\drivers\atapi.sys
    ataport.SYS    ATAPI Driver Extension    Microsoft Corporation    C:\Windows\system32\drivers\ataport.SYS
    BATTC.SYS    Battery Class Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\BATTC.SYS
    blbdrive.sys    BLB Drive Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\blbdrive.sys
    bowser.sys    NT Lan Manager Datagram Receiver Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\bowser.sys
    cbk7.sys    Core filter driver component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbk7.sys
    cbstream.sys    Network monitor component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbstream.sys
    cdd.dll    Canonical Display Driver    Microsoft Corporation    C:\Windows\System32\cdd.dll
    cdrom.sys    SCSI CD-ROM Driver    Microsoft Corporation    C:\Windows\system32\drivers\cdrom.sys
    CI.dll    Code Integrity Module    Microsoft Corporation    C:\Windows\system32\CI.dll
    CLASSPNP.SYS    SCSI Class System Dll    Microsoft Corporation    C:\Windows\system32\drivers\CLASSPNP.SYS
    CLFS.SYS    Common Log File System Driver    Microsoft Corporation    C:\Windows\system32\CLFS.SYS
    CmBatt.sys    Control Method Battery Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\CmBatt.sys
    cng.sys    Kernel Cryptography, Next Generation    Microsoft Corporation    C:\Windows\System32\Drivers\cng.sys
    compbatt.sys    Composite Battery Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\compbatt.sys
    CompositeBus.sys    Multi-Transport Composite Bus Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\CompositeBus.sys
    crashdmp.sys    Crash Dump Driver    Microsoft Corporation    C:\Windows\System32\Drivers\crashdmp.sys
    dfsc.sys    DFS Namespace Client Driver    Microsoft Corporation    C:\Windows\System32\Drivers\dfsc.sys
    discache.sys    System Indexer/Cache Driver    Microsoft Corporation    C:\Windows\System32\drivers\discache.sys
    disk.sys    PnP Disk Driver    Microsoft Corporation    C:\Windows\system32\drivers\disk.sys
    dump_diskdump.sys            C:\Windows\System32\Drivers\dump_diskdump.sys
    dump_LSI_SAS.sys            C:\Windows\System32\Drivers\dump_LSI_SAS.sys
    Dxapi.sys    DirectX API Driver    Microsoft Corporation    C:\Windows\System32\drivers\Dxapi.sys
    dxgkrnl.sys    DirectX Graphics Kernel    Microsoft Corporation    C:\Windows\System32\drivers\dxgkrnl.sys
    dxgmms1.sys    DirectX Graphics MMS    Microsoft Corporation    C:\Windows\System32\drivers\dxgmms1.sys
    fdc.sys    Floppy Disk Controller Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\fdc.sys
    fileinfo.sys    FileInfo Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\fileinfo.sys
    flpydisk.sys    Floppy Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\flpydisk.sys
    fltmgr.sys    Microsoft Filesystem Filter Manager    Microsoft Corporation    C:\Windows\system32\drivers\fltmgr.sys
    Fs_Rec.sys    File System Recognizer Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Fs_Rec.sys
    fwpkclnt.sys    FWP/IPsec Kernel-Mode API    Microsoft Corporation    C:\Windows\System32\drivers\fwpkclnt.sys
    hal.dll    Hardware Abstraction Layer DLL    Microsoft Corporation    C:\Windows\system32\hal.dll
    HTTP.sys    HTTP Protocol Stack    Microsoft Corporation    C:\Windows\system32\drivers\HTTP.sys
    hwpolicy.sys    Hardware Policy Driver    Microsoft Corporation    C:\Windows\System32\drivers\hwpolicy.sys
    i8042prt.sys    i8042 Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\i8042prt.sys
    intelide.sys    Intel PCI IDE Driver    Microsoft Corporation    C:\Windows\system32\drivers\intelide.sys
    intelppm.sys    Processor Device Driver    Microsoft Corporation    C:\Windows\system32\drivers\intelppm.sys
    kbdclass.sys    Keyboard Class Driver    Microsoft Corporation    C:\Windows\system32\drivers\kbdclass.sys
    kdcom.dll    Serial Kernel Debugger    Microsoft Corporation    C:\Windows\system32\kdcom.dll
    ks.sys    Kernel CSA Library    Microsoft Corporation    C:\Windows\system32\drivers\ks.sys
    ksecdd.sys    Kernel Security Support Provider Interface    Microsoft Corporation    C:\Windows\System32\Drivers\ksecdd.sys
    ksecpkg.sys    Kernel Security Support Provider Interface Packages    Microsoft Corporation    C:\Windows\System32\Drivers\ksecpkg.sys
    lltdio.sys    Link-Layer Topology Mapper I/O Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\lltdio.sys
    LRAgentMF.sys    LogRhythm System Monitor Mini Filter Driver    LogRhythm, Inc.    C:\Windows\system32\DRIVERS\LRAgentMF.sys
    lsi_sas.sys    LSI Fusion-MPT SAS Driver (StorPort)    LSI Corporation    C:\Windows\system32\DRIVERS\lsi_sas.sys
    luafv.sys    LUA File Virtualization Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\luafv.sys
    mcupdate_GenuineIntel.dll    Intel Microcode Update Library    Microsoft Corporation    C:\Windows\system32\mcupdate_GenuineIntel.dll
    monitor.sys    Monitor Driver    Microsoft Corporation    C:\Windows\system32\drivers\monitor.sys
    mouclass.sys    Mouse Class Driver    Microsoft Corporation    C:\Windows\system32\drivers\mouclass.sys
    mountmgr.sys    Mount Point Manager    Microsoft Corporation    C:\Windows\System32\drivers\mountmgr.sys
    mpsdrv.sys    Microsoft Protection Service Driver    Microsoft Corporation    C:\Windows\System32\drivers\mpsdrv.sys
    mrxsmb.sys    Windows NT SMB Minirdr    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb.sys
    mrxsmb10.sys    Longhorn SMB Downlevel SubRdr    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb10.sys
    mrxsmb20.sys    Longhorn SMB 2.0 Redirector    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb20.sys
    Msfs.SYS    Mailslot driver    Microsoft Corporation    C:\Windows\System32\Drivers\Msfs.SYS
    msisadrv.sys    ISA Driver    Microsoft Corporation    C:\Windows\system32\drivers\msisadrv.sys
    msiscsi.sys    Microsoft iSCSI Initiator Driver    Microsoft Corporation    C:\Windows\system32\drivers\msiscsi.sys
    msrpc.sys    Kernel Remote Procedure Call Provider    Microsoft Corporation    C:\Windows\system32\DRIVERS\msrpc.sys
    mssmbios.sys    System Management BIOS Driver    Microsoft Corporation    C:\Windows\system32\drivers\mssmbios.sys
    mup.sys    Multiple UNC Provider Driver    Microsoft Corporation    C:\Windows\System32\Drivers\mup.sys
    NDIS.SYS    NDIS 6.20 driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\NDIS.SYS
    ndistapi.sys    NDIS 3.0 connection wrapper driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\ndistapi.sys
    ndiswan.sys    MS PPP Framing Driver (Strong Encryption)    Microsoft Corporation    C:\Windows\system32\DRIVERS\ndiswan.sys
    NDProxy.SYS    NDIS Proxy    Microsoft Corporation    C:\Windows\System32\Drivers\NDProxy.SYS
    netbios.sys    NetBIOS interface driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\netbios.sys
    netbt.sys    MBT Transport driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\netbt.sys
    NETIO.SYS    Network I/O Subsystem    Microsoft Corporation    C:\Windows\system32\DRIVERS\NETIO.SYS
    Npfs.SYS    NPFS Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Npfs.SYS
    nsiproxy.sys    NSI Proxy    Microsoft Corporation    C:\Windows\system32\drivers\nsiproxy.sys
    Ntfs.sys    NT File System Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Ntfs.sys
    ntoskrnl.exe    NT Kernel & System    Microsoft Corporation    C:\Windows\system32\ntoskrnl.exe
    Null.SYS    NULL Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Null.SYS
    pacer.sys    QoS Packet Scheduler    Microsoft Corporation    C:\Windows\system32\DRIVERS\pacer.sys
    parport.sys    Parallel Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\parport.sys
    partmgr.sys    Partition Management Driver    Microsoft Corporation    C:\Windows\System32\drivers\partmgr.sys
    pci.sys    NT Plug and Play PCI Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\pci.sys
    PCIIDEX.SYS    PCI IDE Bus Driver Extension    Microsoft Corporation    C:\Windows\system32\drivers\PCIIDEX.SYS
    pcw.sys    Performance Counters for Windows Driver    Microsoft Corporation    C:\Windows\System32\drivers\pcw.sys
    peauth.sys    Protected Environment Authentication and Authorization Export Driver    Microsoft Corporation    C:\Windows\system32\drivers\peauth.sys
    pnpmem.sys    Plug and Play Memory Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\pnpmem.sys
    prepdrv.sys    Software Metering Process Event Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\prepdrv.sys
    PROCEXP152.SYS            C:\Windows\system32\Drivers\PROCEXP152.SYS
    PROCMON24.SYS            C:\Windows\system32\Drivers\PROCMON24.SYS
    PSHED.dll    Platform Specific Hardware Error Driver    Microsoft Corporation    C:\Windows\system32\PSHED.dll
    rasl2tp.sys    RAS L2TP mini-port/call-manager driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rasl2tp.sys
    raspppoe.sys    RAS PPPoE mini-port/call-manager driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\raspppoe.sys
    raspptp.sys    Peer-to-Peer Tunneling Protocol    Microsoft Corporation    C:\Windows\system32\DRIVERS\raspptp.sys
    rassstp.sys    RAS SSTP Miniport Call Manager    Microsoft Corporation    C:\Windows\system32\DRIVERS\rassstp.sys
    rdbss.sys    Redirected Drive Buffering SubSystem Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rdbss.sys
    rdpbus.sys    Microsoft RDP Bus Device driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rdpbus.sys
    RDPCDD.sys    RDP Miniport    Microsoft Corporation    C:\Windows\System32\DRIVERS\RDPCDD.sys
    RDPDD.dll    RDP Display Driver    Microsoft Corporation    C:\Windows\System32\RDPDD.dll
    rdpdr.sys    Microsoft RDP Device redirector    Microsoft Corporation    C:\Windows\System32\drivers\rdpdr.sys
    rdpencdd.sys    RDP Encoder Miniport    Microsoft Corporation    C:\Windows\system32\drivers\rdpencdd.sys
    rdprefmp.sys    RDP Reflector Driver Miniport    Microsoft Corporation    C:\Windows\system32\drivers\rdprefmp.sys
    RDPWD.SYS    RDP Terminal Stack Driver    Microsoft Corporation    C:\Windows\System32\Drivers\RDPWD.SYS
    rspndr.sys    Link-Layer Topology Responder Driver for NDIS 6    Microsoft Corporation    C:\Windows\system32\DRIVERS\rspndr.sys
    serenum.sys    Serial Port Enumerator    Microsoft Corporation    C:\Windows\system32\DRIVERS\serenum.sys
    serial.sys    Brotehr Serial I/F Driver (WDM)    Brother Industries Ltd.    C:\Windows\system32\DRIVERS\serial.sys
    spldr.sys    loader for security processor    Microsoft Corporation    C:\Windows\System32\Drivers\spldr.sys
    spsys.sys    security processor    Microsoft Corporation    C:\Windows\system32\drivers\spsys.sys
    srv.sys    Server driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srv.sys
    srv2.sys    Smb 2.0 Server driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srv2.sys
    srvnet.sys    Server Network driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srvnet.sys
    storport.sys    Microsoft Storage Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\storport.sys
    swenum.sys    Plug and Play Software Device Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\swenum.sys
    tcpip.sys    TCP/IP Driver    Microsoft Corporation    C:\Windows\System32\drivers\tcpip.sys
    tcpipreg.sys    TCP/IP Registry Compatibility Driver    Microsoft Corporation    C:\Windows\System32\drivers\tcpipreg.sys
    TDI.SYS    TDI Wrapper    Microsoft Corporation    C:\Windows\system32\DRIVERS\TDI.SYS
    tdtcp.sys    TCP Transport Driver    Microsoft Corporation    C:\Windows\system32\drivers\tdtcp.sys
    tdx.sys    TDI Translation Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\tdx.sys
    termdd.sys    Remote Desktop Server Driver    Microsoft Corporation    C:\Windows\system32\drivers\termdd.sys
    TSDDD.dll    Framebuffer Display Driver    Microsoft Corporation    C:\Windows\System32\TSDDD.dll
    tssecsrv.sys    TS Security Filter Driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\tssecsrv.sys
    tunnel.sys    Microsoft Tunnel Interface Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\tunnel.sys
    umbus.sys    User-Mode Bus Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\umbus.sys
    vdrvroot.sys    Virtual Drive Root Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\vdrvroot.sys
    vga.sys    VGA/Super VGA Video Driver    Microsoft Corporation    C:\Windows\System32\drivers\vga.sys
    VIDEOPRT.SYS    Video Port Driver    Microsoft Corporation    C:\Windows\System32\drivers\VIDEOPRT.SYS
    vm3dmp.sys    VMware SVGA 3D Miniport    VMware, Inc.    C:\Windows\system32\DRIVERS\vm3dmp.sys
    vm3dmp_loader.sys    VMware SVGA 3D Miniport Loader    VMware, Inc.    C:\Windows\system32\DRIVERS\vm3dmp_loader.sys
    vmbus.sys    Virtual Machine Bus    Microsoft Corporation    C:\Windows\system32\drivers\vmbus.sys
    vmci.sys    VMware PCI VMCI Bus Device    VMware, Inc.    C:\Windows\system32\DRIVERS\vmci.sys
    vmmemctl.sys    VMware server memory controller    VMware, Inc.    C:\Windows\system32\DRIVERS\vmmemctl.sys
    vmmouse.sys    VMware Pointing PS/2 Device Driver    VMware, Inc.    C:\Windows\system32\DRIVERS\vmmouse.sys
    vmstorfl.sys    Virtual Storage Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\vmstorfl.sys
    vmxnet3.sys    VMware PCIe Ethernet Adapter NDIS 6.20 (64-bit)    VMware, Inc.    C:\Windows\system32\DRIVERS\vmxnet3.sys
    volmgr.sys    Volume Manager Driver    Microsoft Corporation    C:\Windows\system32\drivers\volmgr.sys
    volmgrx.sys    Volume Manager Extension Driver    Microsoft Corporation    C:\Windows\System32\drivers\volmgrx.sys
    volsnap.sys    Volume Shadow Copy Driver    Microsoft Corporation    C:\Windows\system32\drivers\volsnap.sys
    vsock.sys    VMware vSockets Service    VMware, Inc.    C:\Windows\system32\DRIVERS\vsock.sys
    wanarp.sys    MS Remote Access and Routing ARP Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\wanarp.sys
    watchdog.sys    Watchdog Driver    Microsoft Corporation    C:\Windows\System32\drivers\watchdog.sys
    Wdf01000.sys    Kernel Mode Driver Framework Runtime    Microsoft Corporation    C:\Windows\system32\drivers\Wdf01000.sys
    WDFLDR.SYS    Kernel Mode Driver Framework Loader    Microsoft Corporation    C:\Windows\system32\drivers\WDFLDR.SYS
    wfplwf.sys    WFP NDIS 6.20 Lightweight Filter Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\wfplwf.sys
    win32k.sys    Multi-User Win32 Driver    Microsoft Corporation    C:\Windows\System32\win32k.sys
    winhv.sys    Windows Hypervisor Interface Driver    Microsoft Corporation    C:\Windows\system32\drivers\winhv.sys
    WMILIB.SYS    WMILIB WMI support library Dll    Microsoft Corporation    C:\Windows\system32\drivers\WMILIB.SYS
    ws2ifsl.sys    Winsock2 IFS Layer    Microsoft Corporation    C:\Windows\system32\drivers\ws2ifsl.sys




    Friday, May 8, 2020 3:56 PM
  • When I run findstr /m /l toke *.sys

    I only see the following drivers loading.

    Autoruns is showing the following drivers loaded.


    Process Explorer shows the following drivers loaded under System, none of which, as far as I can see, might be leaking the memory.

    https://drive.google.com/drive/folders/1zDnb-zOsN2beyXkNKNgBFn5LeJuAaGiX?usp=sharing

    The drivers which are loaded by toke are just standard drivers. Two of them are Microsoft and one is from VMware. I checked the VMware version and I don't see any issue with the version of the driver we have.





    • Edited by lalaJee Friday, May 8, 2020 4:01 PM
    Friday, May 8, 2020 3:56 PM
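A driver list as long as the one posted in this thread is easier to review when grouped by vendor and by load directory, which is what the answer asks for (identify third-party security software, and check every path drivers load from). The following is an added example, not part of the original posts: the rows are a small constructed sample copied from the posted list, the function names are hypothetical, and it assumes the Process Explorer export is tab-delimited (four-space-separated text as rendered on this page is also accepted).

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the driver list in this thread
# (columns: Name, Description, Company Name, Path).
ROWS = [
    ("Name", "Description", "Company Name", "Path"),
    ("cbk7.sys", "Core filter driver component", "Carbon Black, Inc.",
     r"C:\Windows\system32\drivers\cbk7.sys"),
    ("cbstream.sys", "Network monitor component", "Carbon Black, Inc.",
     r"C:\Windows\system32\drivers\cbstream.sys"),
    ("CI.dll", "Code Integrity Module", "Microsoft Corporation",
     r"C:\Windows\system32\CI.dll"),
    ("ksecdd.sys", "Kernel Security Support Provider Interface",
     "Microsoft Corporation", r"C:\Windows\System32\Drivers\ksecdd.sys"),
    ("LRAgentMF.sys", "LogRhythm System Monitor Mini Filter Driver",
     "LogRhythm, Inc.", r"C:\Windows\system32\DRIVERS\LRAgentMF.sys"),
    ("ntoskrnl.exe", "NT Kernel & System", "Microsoft Corporation",
     r"C:\Windows\system32\ntoskrnl.exe"),
    ("PROCEXP152.SYS", "", "", r"C:\Windows\system32\Drivers\PROCEXP152.SYS"),
    ("vmci.sys", "VMware PCI VMCI Bus Device", "VMware, Inc.",
     r"C:\Windows\system32\DRIVERS\vmci.sys"),
]
# Assumption: the saved export separates columns with tabs.
SAMPLE = "\n".join("\t".join(row) for row in ROWS)

FIELDS = ("name", "description", "company", "path")


def parse_rows(text):
    """Parse the four-column driver list, skipping blanks and the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Columns are tab-separated in the export, four spaces on this page.
        fields = [f.strip() for f in re.split(r"\t| {4}", line)]
        if len(fields) != 4 or fields[0] == "Name":
            continue
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def third_party_by_vendor(rows):
    """Group every module whose company is not Microsoft by vendor name.

    Modules with no version information at all are kept under their own
    label so they are reviewed rather than silently dropped.
    """
    groups = defaultdict(list)
    for row in rows:
        company = row["company"]
        if company.startswith("Microsoft"):
            continue
        groups[company or "(no company name)"].append(row["name"])
    return {vendor: sorted(names, key=str.lower)
            for vendor, names in groups.items()}


def load_directories(rows):
    """Return each distinct directory modules load from, case-folded."""
    return sorted({ntpath.dirname(row["path"]).lower() for row in rows})


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    for vendor, names in sorted(third_party_by_vendor(parsed).items()):
        print(f"{vendor}: {', '.join(names)}")
    print("Directories to include in the tag search:")
    for directory in load_directories(parsed):
        print(f"  {directory}")
```
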
  • Process Explorer shows the following drivers loaded under System, none of which, as far as I can see, might be leaking the memory.

    Process    CPU    Private Bytes    Working Set    PID    Description    Company Name
    System Idle Process    94.51    0 K    24 K    0        
    System    0.18    128 K    308 K    4        
     Interrupts    0.27    0 K    0 K    n/a    Hardware Interrupts and DPCs    
     smss.exe        488 K    1,300 K    268    Windows Session Manager    Microsoft Corporation
    csrss.exe    < 0.01    2,220 K    5,264 K    380    Client Server Runtime Process    Microsoft Corporation
     conhost.exe    < 0.01    1,264 K    3,532 K    1152    Console Window Host    Microsoft Corporation
     conhost.exe        1,276 K    4,268 K    1884    Console Window Host    Microsoft Corporation
     conhost.exe        1,324 K    4,564 K    1752    Console Window Host    Microsoft Corporation
    wininit.exe        1,512 K    4,812 K    432    Windows Start-Up Application    Microsoft Corporation
     services.exe        6,648 K    12,600 K    536    Services and Controller app    Microsoft Corporation
      svchost.exe    0.06    5,388 K    13,268 K    656    Host Process for Windows Services    Microsoft Corporation
       WmiPrvSE.exe    0.15    18,244 K    27,820 K    2152    WMI Provider Host    Microsoft Corporation
       MonitoringHost.exe    < 0.01    119,892 K    48,960 K    2196    System Center Management Service Host Process    Microsoft Corp.
       MonitoringHost.exe        126,188 K    44,416 K    2940    System Center Management Service Host Process    Microsoft Corp.
       WmiPrvSE.exe    < 0.01    16,632 K    23,616 K    2660    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        4,756 K    10,712 K    4824    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        2,820 K    7,364 K    5116    WMI Provider Host    Microsoft Corporation
       WmiPrvSE.exe        4,452 K    11,792 K    6036    WMI Provider Host    Microsoft Corporation
      svchost.exe    0.01    6,060 K    12,776 K    732    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.01    16,704 K    20,580 K    824    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.09    311,372 K    201,460 K    872    Host Process for Windows Services    Microsoft Corporation
      svchost.exe    0.02    7,880 K    15,652 K    920    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        4,420 K    12,088 K    964    Host Process for Windows Services    Microsoft Corporation
       dwm.exe        1,676 K    5,324 K    6460    Desktop Window Manager    Microsoft Corporation
      svchost.exe    < 0.01    23,444 K    29,728 K    136    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        7,728 K    13,012 K    804    Host Process for Windows Services    Microsoft Corporation
      CagService.exe    0.04    96,544 K    114,324 K    1088    CentraStage Service    CentraStage
       AEMAgent.exe    0.04    48,740 K    73,444 K    2668    AEMAgent    
        aria2c.exe    0.01    2,028 K    6,528 K    2756        
      cb.exe    2.05    39,276 K    48,396 K    1192    Cb Response Sensor    Carbon Black, Inc.
      svchost.exe        4,092 K    7,924 K    1224    Host Process for Windows Services    Microsoft Corporation
      HealthService.exe    0.01    28,688 K    9,272 K    1256    Microsoft Monitoring Agent Service    Microsoft Corp.
      nsd.exe        22,812 K    9,692 K    1364    wnsd    IBM
      nservice.exe    < 0.01    34,688 K    11,552 K    1452    IBM Notes/Domino    IBM Corp
       scontroller.exe    0.02    63,464 K    57,272 K    1588    IBM Notes/Domino    IBM Corp
        nserver.exe    0.08    144,432 K    1,447,996 K    1840    IBM Notes/Domino    IBM Corp
         nlogasio.exe    < 0.01    39,788 K    17,732 K    1912    IBM Notes/Domino    IBM Corp
         nevent.exe    0.04    79,084 K    689,184 K    1076    IBM Notes/Domino    IBM Corp
         nrouter.exe    0.02    67,992 K    662,540 K    1412    IBM Notes/Domino    IBM Corp
          nmtc.exe    < 0.01    43,436 K    341,372 K    1708    IBM Notes/Domino    IBM Corp
         nreplica.exe    < 0.01    40,824 K    246,012 K    2724    IBM Notes/Domino    IBM Corp
         nupdate.exe    < 0.01    47,772 K    768,448 K    4720    IBM Notes/Domino    IBM Corp
         namgr.exe    < 0.01    43,892 K    220,160 K    3668    IBM Notes/Domino    IBM Corp
          namgr.exe    < 0.01    45,300 K    85,024 K    3612    IBM Notes/Domino    IBM Corp
         nadminp.exe    < 0.01    52,364 K    1,535,804 K    1004    IBM Notes/Domino    IBM Corp
         nsched.exe    < 0.01    42,856 K    1,297,996 K    3848    IBM Notes/Domino    IBM Corp
         ncalconn.exe    < 0.01    38,768 K    29,392 K    2172    IBM Notes/Domino    IBM Corp
         nrnrmgr.exe    < 0.01    42,920 K    1,299,732 K    4612    IBM Notes/Domino    IBM Corp
         nhttp.exe    0.04    238,776 K    315,040 K    3536    IBM Notes/Domino    IBM Corp
          httpd.exe        4,976 K    9,884 K    5272    Apache HTTP Server    International Business Machines
           httpd.exe    0.05    17,876 K    19,184 K    5316    Apache HTTP Server    International Business Machines
         nimap.exe    < 0.01    51,236 K    554,180 K    2248        
         nldap.exe    < 0.01    49,376 K    431,000 K    3808    IBM Notes/Domino    IBM Corp
         npop3.exe    < 0.01    43,788 K    130,220 K    3796    IBM Notes/Domino    IBM Corp
         nintrcpt.exe    < 0.01    38,772 K    32,840 K    888    IBM Notes/Domino    IBM Corp
         ncollect.exe    0.01    67,864 K    127,660 K    1120    IBM Notes/Domino    IBM Corp
         nsmtp.exe    < 0.01    49,988 K    259,688 K    3280    IBM Notes/Domino    IBM Corp
         ndaosmgr.exe    < 0.01    43,432 K    245,540 K    3632    IBM Notes/Domino    IBM Corp
         nprocmon.exe    < 0.01    38,764 K    28,788 K    4536    IBM Notes/Domino    IBM Corp
         ncldbdir.exe    < 0.01    41,444 K    134,656 K    5864    IBM Notes/Domino    IBM Corp
         nclrepl.exe    0.01    48,424 K    391,808 K    5956    IBM Notes/Domino    IBM Corp
         nrunjava.exe    < 0.01    166,548 K    205,892 K    5892    IBM Notes/Domino    IBM Corp
      SMSvcHost.exe        27,628 K    19,916 K    1532    SMSvcHost.exe    Microsoft Corporation
      scsm.exe    0.21    518,540 K    530,388 K    1608    LogRhythm System Monitor Service    LogRhythm, Inc.
      snmp.exe    < 0.01    4,420 K    8,524 K    1952    SNMP Service    Microsoft Corporation
      svchost.exe        2,892 K    7,248 K    1988    Host Process for Windows Services    Microsoft Corporation
      nessus-service.exe        1,048 K    3,036 K    2024        Tenable, Inc.
       nessusd.exe    0.03    43,880 K    48,148 K    796        Tenable, Inc.
      winvnc.exe    < 0.01    2,208 K    5,236 K    904    VNC server    UltraVNC
       winvnc.exe        2,520 K    6,260 K    4944    VNC server    UltraVNC
      VGAuthService.exe        4,880 K    10,944 K    1420    VMware Guest Authentication Service    VMware, Inc.
      vmtoolsd.exe    0.08    12,472 K    21,524 K    1464    VMware Tools Core Service    VMware, Inc.
      lnsnmp.exe        1,424 K    3,948 K    1300    IBM Notes/Domino    IBM Corp
      UI0Detect.exe        2,476 K    7,600 K    3764    Interactive services detection    Microsoft Corporation
       UI0Detect.exe    0.01    2,164 K    7,696 K    4340    Interactive services detection    Microsoft Corporation
      svchost.exe    0.02    3,676 K    9,960 K    1792    Host Process for Windows Services    Microsoft Corporation
       rdpclip.exe        1,768 K    6,208 K    7040    RDP Clip Monitor    Microsoft Corporation
      svchost.exe    < 0.01    197,288 K    70,476 K    2860    Host Process for Windows Services    Microsoft Corporation
      svchost.exe        1,896 K    6,112 K    4068    Host Process for Windows Services    Microsoft Corporation
      msdtc.exe        3,068 K    8,000 K    4360    Microsoft Distributed Transaction Coordinator Service    Microsoft Corporation
      CcmExec.exe        23,520 K    59,924 K    1640    Host Process for Microsoft Configuration Manager    Microsoft Corporation
       SCNotification.exe        38,956 K    36,112 K    6868    SCNotification    Microsoft Corporation
      CmRcService.exe    0.01    5,452 K    9,876 K    4088    Configuration Manager Remote Control Service    Microsoft Corporation
      dllhost.exe    < 0.01    4,172 K    11,564 K    3684    COM Surrogate    Microsoft Corporation
      taskhost.exe        7,340 K    16,432 K    7072    Host Process for Windows Tasks    Microsoft Corporation
      policyHost.exe        9,724 K    20,268 K    3128    Microsoft(R) Policy PlatformService Host    Microsoft Corporation
      sppsvc.exe        7,144 K    14,436 K    6944    Microsoft Software Protection Platform Service    Microsoft Corporation
      TrustedInstaller.exe        10,620 K    15,896 K    6324    Windows Modules Installer    Microsoft Corporation
     lsass.exe    0.03    10,428 K    19,808 K    544    Local Security Authority Process    Microsoft Corporation
     lsm.exe    0.01    3,796 K    7,556 K    552    Local Session Manager Service    Microsoft Corporation
    csrss.exe    < 0.01    9,004 K    7,804 K    2976    Client Server Runtime Process    Microsoft Corporation
    winlogon.exe        1,460 K    4,384 K    4996    Windows Logon Application    Microsoft Corporation
     LogonUI.exe        9,272 K    16,852 K    4792    Windows Logon User Interface Host    Microsoft Corporation
    csrss.exe    0.02    2,000 K    5,696 K    2344    Client Server Runtime Process    Microsoft Corporation
    winlogon.exe        1,884 K    5,612 K    2308    Windows Logon Application    Microsoft Corporation
    explorer.exe    0.31    41,480 K    53,580 K    3824    Windows Explorer    Microsoft Corporation
     Autoruns.exe        15,256 K    25,540 K    4808    Autostart program viewer    Sysinternals - www.sysinternals.com
     procexp64.exe    1.46    32,188 K    51,680 K    5280    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com
    Gui.exe    < 0.01    30,588 K    41,396 K    4380    Agent Browser    CentraStage

    Process: System Pid: 4

    Name    Description    Company Name    Path
    ACPI.sys    ACPI Driver for NT    Microsoft Corporation    C:\Windows\system32\drivers\ACPI.sys
    afd.sys    Ancillary Function Driver for WinSock    Microsoft Corporation    C:\Windows\system32\drivers\afd.sys
    AgileVpn.sys    RAS Agile Vpn Miniport Call Manager    Microsoft Corporation    C:\Windows\system32\DRIVERS\AgileVpn.sys
    amdxata.sys    Storage Filter Driver    Advanced Micro Devices    C:\Windows\system32\drivers\amdxata.sys
    asyncmac.sys    MS Remote Access serial network driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\asyncmac.sys
    atapi.sys    ATAPI IDE Miniport Driver    Microsoft Corporation    C:\Windows\system32\drivers\atapi.sys
    ataport.SYS    ATAPI Driver Extension    Microsoft Corporation    C:\Windows\system32\drivers\ataport.SYS
    BATTC.SYS    Battery Class Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\BATTC.SYS
    blbdrive.sys    BLB Drive Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\blbdrive.sys
    bowser.sys    NT Lan Manager Datagram Receiver Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\bowser.sys
    cbk7.sys    Core filter driver component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbk7.sys
    cbstream.sys    Network monitor component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbstream.sys
    cdd.dll    Canonical Display Driver    Microsoft Corporation    C:\Windows\System32\cdd.dll
    cdrom.sys    SCSI CD-ROM Driver    Microsoft Corporation    C:\Windows\system32\drivers\cdrom.sys
    CI.dll    Code Integrity Module    Microsoft Corporation    C:\Windows\system32\CI.dll
    CLASSPNP.SYS    SCSI Class System Dll    Microsoft Corporation    C:\Windows\system32\drivers\CLASSPNP.SYS
    CLFS.SYS    Common Log File System Driver    Microsoft Corporation    C:\Windows\system32\CLFS.SYS
    CmBatt.sys    Control Method Battery Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\CmBatt.sys
    cng.sys    Kernel Cryptography, Next Generation    Microsoft Corporation    C:\Windows\System32\Drivers\cng.sys
    compbatt.sys    Composite Battery Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\compbatt.sys
    CompositeBus.sys    Multi-Transport Composite Bus Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\CompositeBus.sys
    crashdmp.sys    Crash Dump Driver    Microsoft Corporation    C:\Windows\System32\Drivers\crashdmp.sys
    dfsc.sys    DFS Namespace Client Driver    Microsoft Corporation    C:\Windows\System32\Drivers\dfsc.sys
    discache.sys    System Indexer/Cache Driver    Microsoft Corporation    C:\Windows\System32\drivers\discache.sys
    disk.sys    PnP Disk Driver    Microsoft Corporation    C:\Windows\system32\drivers\disk.sys
    dump_diskdump.sys            C:\Windows\System32\Drivers\dump_diskdump.sys
    dump_LSI_SAS.sys            C:\Windows\System32\Drivers\dump_LSI_SAS.sys
    Dxapi.sys    DirectX API Driver    Microsoft Corporation    C:\Windows\System32\drivers\Dxapi.sys
    dxgkrnl.sys    DirectX Graphics Kernel    Microsoft Corporation    C:\Windows\System32\drivers\dxgkrnl.sys
    dxgmms1.sys    DirectX Graphics MMS    Microsoft Corporation    C:\Windows\System32\drivers\dxgmms1.sys
    fdc.sys    Floppy Disk Controller Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\fdc.sys
    fileinfo.sys    FileInfo Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\fileinfo.sys
    flpydisk.sys    Floppy Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\flpydisk.sys
    fltmgr.sys    Microsoft Filesystem Filter Manager    Microsoft Corporation    C:\Windows\system32\drivers\fltmgr.sys
    Fs_Rec.sys    File System Recognizer Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Fs_Rec.sys
    fwpkclnt.sys    FWP/IPsec Kernel-Mode API    Microsoft Corporation    C:\Windows\System32\drivers\fwpkclnt.sys
    hal.dll    Hardware Abstraction Layer DLL    Microsoft Corporation    C:\Windows\system32\hal.dll
    HTTP.sys    HTTP Protocol Stack    Microsoft Corporation    C:\Windows\system32\drivers\HTTP.sys
    hwpolicy.sys    Hardware Policy Driver    Microsoft Corporation    C:\Windows\System32\drivers\hwpolicy.sys
    i8042prt.sys    i8042 Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\i8042prt.sys
    intelide.sys    Intel PCI IDE Driver    Microsoft Corporation    C:\Windows\system32\drivers\intelide.sys
    intelppm.sys    Processor Device Driver    Microsoft Corporation    C:\Windows\system32\drivers\intelppm.sys
    kbdclass.sys    Keyboard Class Driver    Microsoft Corporation    C:\Windows\system32\drivers\kbdclass.sys
    kdcom.dll    Serial Kernel Debugger    Microsoft Corporation    C:\Windows\system32\kdcom.dll
    ks.sys    Kernel CSA Library    Microsoft Corporation    C:\Windows\system32\drivers\ks.sys
    ksecdd.sys    Kernel Security Support Provider Interface    Microsoft Corporation    C:\Windows\System32\Drivers\ksecdd.sys
    ksecpkg.sys    Kernel Security Support Provider Interface Packages    Microsoft Corporation    C:\Windows\System32\Drivers\ksecpkg.sys
    lltdio.sys    Link-Layer Topology Mapper I/O Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\lltdio.sys
    LRAgentMF.sys    LogRhythm System Monitor Mini Filter Driver    LogRhythm, Inc.    C:\Windows\system32\DRIVERS\LRAgentMF.sys
    lsi_sas.sys    LSI Fusion-MPT SAS Driver (StorPort)    LSI Corporation    C:\Windows\system32\DRIVERS\lsi_sas.sys
    luafv.sys    LUA File Virtualization Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\luafv.sys
    mcupdate_GenuineIntel.dll    Intel Microcode Update Library    Microsoft Corporation    C:\Windows\system32\mcupdate_GenuineIntel.dll
    monitor.sys    Monitor Driver    Microsoft Corporation    C:\Windows\system32\drivers\monitor.sys
    mouclass.sys    Mouse Class Driver    Microsoft Corporation    C:\Windows\system32\drivers\mouclass.sys
    mountmgr.sys    Mount Point Manager    Microsoft Corporation    C:\Windows\System32\drivers\mountmgr.sys
    mpsdrv.sys    Microsoft Protection Service Driver    Microsoft Corporation    C:\Windows\System32\drivers\mpsdrv.sys
    mrxsmb.sys    Windows NT SMB Minirdr    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb.sys
    mrxsmb10.sys    Longhorn SMB Downlevel SubRdr    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb10.sys
    mrxsmb20.sys    Longhorn SMB 2.0 Redirector    Microsoft Corporation    C:\Windows\system32\DRIVERS\mrxsmb20.sys
    Msfs.SYS    Mailslot driver    Microsoft Corporation    C:\Windows\System32\Drivers\Msfs.SYS
    msisadrv.sys    ISA Driver    Microsoft Corporation    C:\Windows\system32\drivers\msisadrv.sys
    msiscsi.sys    Microsoft iSCSI Initiator Driver    Microsoft Corporation    C:\Windows\system32\drivers\msiscsi.sys
    msrpc.sys    Kernel Remote Procedure Call Provider    Microsoft Corporation    C:\Windows\system32\DRIVERS\msrpc.sys
    mssmbios.sys    System Management BIOS Driver    Microsoft Corporation    C:\Windows\system32\drivers\mssmbios.sys
    mup.sys    Multiple UNC Provider Driver    Microsoft Corporation    C:\Windows\System32\Drivers\mup.sys
    NDIS.SYS    NDIS 6.20 driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\NDIS.SYS
    ndistapi.sys    NDIS 3.0 connection wrapper driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\ndistapi.sys
    ndiswan.sys    MS PPP Framing Driver (Strong Encryption)    Microsoft Corporation    C:\Windows\system32\DRIVERS\ndiswan.sys
    NDProxy.SYS    NDIS Proxy    Microsoft Corporation    C:\Windows\System32\Drivers\NDProxy.SYS
    netbios.sys    NetBIOS interface driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\netbios.sys
    netbt.sys    MBT Transport driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\netbt.sys
    NETIO.SYS    Network I/O Subsystem    Microsoft Corporation    C:\Windows\system32\DRIVERS\NETIO.SYS
    Npfs.SYS    NPFS Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Npfs.SYS
    nsiproxy.sys    NSI Proxy    Microsoft Corporation    C:\Windows\system32\drivers\nsiproxy.sys
    Ntfs.sys    NT File System Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Ntfs.sys
    ntoskrnl.exe    NT Kernel & System    Microsoft Corporation    C:\Windows\system32\ntoskrnl.exe
    Null.SYS    NULL Driver    Microsoft Corporation    C:\Windows\System32\Drivers\Null.SYS
    pacer.sys    QoS Packet Scheduler    Microsoft Corporation    C:\Windows\system32\DRIVERS\pacer.sys
    parport.sys    Parallel Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\parport.sys
    partmgr.sys    Partition Management Driver    Microsoft Corporation    C:\Windows\System32\drivers\partmgr.sys
    pci.sys    NT Plug and Play PCI Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\pci.sys
    PCIIDEX.SYS    PCI IDE Bus Driver Extension    Microsoft Corporation    C:\Windows\system32\drivers\PCIIDEX.SYS
    pcw.sys    Performance Counters for Windows Driver    Microsoft Corporation    C:\Windows\System32\drivers\pcw.sys
    peauth.sys    Protected Environment Authentication and Authorization Export Driver    Microsoft Corporation    C:\Windows\system32\drivers\peauth.sys
    pnpmem.sys    Plug and Play Memory Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\pnpmem.sys
    prepdrv.sys    Software Metering Process Event Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\prepdrv.sys
    PROCEXP152.SYS            C:\Windows\system32\Drivers\PROCEXP152.SYS
    PROCMON24.SYS            C:\Windows\system32\Drivers\PROCMON24.SYS
    PSHED.dll    Platform Specific Hardware Error Driver    Microsoft Corporation    C:\Windows\system32\PSHED.dll
    rasl2tp.sys    RAS L2TP mini-port/call-manager driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rasl2tp.sys
    raspppoe.sys    RAS PPPoE mini-port/call-manager driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\raspppoe.sys
    raspptp.sys    Peer-to-Peer Tunneling Protocol    Microsoft Corporation    C:\Windows\system32\DRIVERS\raspptp.sys
    rassstp.sys    RAS SSTP Miniport Call Manager    Microsoft Corporation    C:\Windows\system32\DRIVERS\rassstp.sys
    rdbss.sys    Redirected Drive Buffering SubSystem Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rdbss.sys
    rdpbus.sys    Microsoft RDP Bus Device driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\rdpbus.sys
    RDPCDD.sys    RDP Miniport    Microsoft Corporation    C:\Windows\System32\DRIVERS\RDPCDD.sys
    RDPDD.dll    RDP Display Driver    Microsoft Corporation    C:\Windows\System32\RDPDD.dll
    rdpdr.sys    Microsoft RDP Device redirector    Microsoft Corporation    C:\Windows\System32\drivers\rdpdr.sys
    rdpencdd.sys    RDP Encoder Miniport    Microsoft Corporation    C:\Windows\system32\drivers\rdpencdd.sys
    rdprefmp.sys    RDP Reflector Driver Miniport    Microsoft Corporation    C:\Windows\system32\drivers\rdprefmp.sys
    RDPWD.SYS    RDP Terminal Stack Driver    Microsoft Corporation    C:\Windows\System32\Drivers\RDPWD.SYS
    rspndr.sys    Link-Layer Topology Responder Driver for NDIS 6    Microsoft Corporation    C:\Windows\system32\DRIVERS\rspndr.sys
    serenum.sys    Serial Port Enumerator    Microsoft Corporation    C:\Windows\system32\DRIVERS\serenum.sys
    serial.sys    Brotehr Serial I/F Driver (WDM)    Brother Industries Ltd.    C:\Windows\system32\DRIVERS\serial.sys
    spldr.sys    loader for security processor    Microsoft Corporation    C:\Windows\System32\Drivers\spldr.sys
    spsys.sys    security processor    Microsoft Corporation    C:\Windows\system32\drivers\spsys.sys
    srv.sys    Server driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srv.sys
    srv2.sys    Smb 2.0 Server driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srv2.sys
    srvnet.sys    Server Network driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\srvnet.sys
    storport.sys    Microsoft Storage Port Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\storport.sys
    swenum.sys    Plug and Play Software Device Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\swenum.sys
    tcpip.sys    TCP/IP Driver    Microsoft Corporation    C:\Windows\System32\drivers\tcpip.sys
    tcpipreg.sys    TCP/IP Registry Compatibility Driver    Microsoft Corporation    C:\Windows\System32\drivers\tcpipreg.sys
    TDI.SYS    TDI Wrapper    Microsoft Corporation    C:\Windows\system32\DRIVERS\TDI.SYS
    tdtcp.sys    TCP Transport Driver    Microsoft Corporation    C:\Windows\system32\drivers\tdtcp.sys
    tdx.sys    TDI Translation Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\tdx.sys
    termdd.sys    Remote Desktop Server Driver    Microsoft Corporation    C:\Windows\system32\drivers\termdd.sys
    TSDDD.dll    Framebuffer Display Driver    Microsoft Corporation    C:\Windows\System32\TSDDD.dll
    tssecsrv.sys    TS Security Filter Driver    Microsoft Corporation    C:\Windows\System32\DRIVERS\tssecsrv.sys
    tunnel.sys    Microsoft Tunnel Interface Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\tunnel.sys
    umbus.sys    User-Mode Bus Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\umbus.sys
    vdrvroot.sys    Virtual Drive Root Enumerator    Microsoft Corporation    C:\Windows\system32\drivers\vdrvroot.sys
    vga.sys    VGA/Super VGA Video Driver    Microsoft Corporation    C:\Windows\System32\drivers\vga.sys
    VIDEOPRT.SYS    Video Port Driver    Microsoft Corporation    C:\Windows\System32\drivers\VIDEOPRT.SYS
    vm3dmp.sys    VMware SVGA 3D Miniport    VMware, Inc.    C:\Windows\system32\DRIVERS\vm3dmp.sys
    vm3dmp_loader.sys    VMware SVGA 3D Miniport Loader    VMware, Inc.    C:\Windows\system32\DRIVERS\vm3dmp_loader.sys
    vmbus.sys    Virtual Machine Bus    Microsoft Corporation    C:\Windows\system32\drivers\vmbus.sys
    vmci.sys    VMware PCI VMCI Bus Device    VMware, Inc.    C:\Windows\system32\DRIVERS\vmci.sys
    vmmemctl.sys    VMware server memory controller    VMware, Inc.    C:\Windows\system32\DRIVERS\vmmemctl.sys
    vmmouse.sys    VMware Pointing PS/2 Device Driver    VMware, Inc.    C:\Windows\system32\DRIVERS\vmmouse.sys
    vmstorfl.sys    Virtual Storage Filter Driver    Microsoft Corporation    C:\Windows\system32\drivers\vmstorfl.sys
    vmxnet3.sys    VMware PCIe Ethernet Adapter NDIS 6.20 (64-bit)    VMware, Inc.    C:\Windows\system32\DRIVERS\vmxnet3.sys
    volmgr.sys    Volume Manager Driver    Microsoft Corporation    C:\Windows\system32\drivers\volmgr.sys
    volmgrx.sys    Volume Manager Extension Driver    Microsoft Corporation    C:\Windows\System32\drivers\volmgrx.sys
    volsnap.sys    Volume Shadow Copy Driver    Microsoft Corporation    C:\Windows\system32\drivers\volsnap.sys
    vsock.sys    VMware vSockets Service    VMware, Inc.    C:\Windows\system32\DRIVERS\vsock.sys
    wanarp.sys    MS Remote Access and Routing ARP Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\wanarp.sys
    watchdog.sys    Watchdog Driver    Microsoft Corporation    C:\Windows\System32\drivers\watchdog.sys
    Wdf01000.sys    Kernel Mode Driver Framework Runtime    Microsoft Corporation    C:\Windows\system32\drivers\Wdf01000.sys
    WDFLDR.SYS    Kernel Mode Driver Framework Loader    Microsoft Corporation    C:\Windows\system32\drivers\WDFLDR.SYS
    wfplwf.sys    WFP NDIS 6.20 Lightweight Filter Driver    Microsoft Corporation    C:\Windows\system32\DRIVERS\wfplwf.sys
    win32k.sys    Multi-User Win32 Driver    Microsoft Corporation    C:\Windows\System32\win32k.sys
    winhv.sys    Windows Hypervisor Interface Driver    Microsoft Corporation    C:\Windows\system32\drivers\winhv.sys
    WMILIB.SYS    WMILIB WMI support library Dll    Microsoft Corporation    C:\Windows\system32\drivers\WMILIB.SYS
    ws2ifsl.sys    Winsock2 IFS Layer    Microsoft Corporation    C:\Windows\system32\drivers\ws2ifsl.sys
    Friday, May 8, 2020 3:57 PM
  • Hi, I would start uninstalling these services one by one.. and see what happens..

    CagService.exe    0.04    96,544 K    114,324 K    1088    CentraStage Service    CentraStage
    AEMAgent.exe    0.04    48,740 K    73,444 K    2668    AEMAgent    
    aria2c.exe    0.01    2,028 K    6,528 K    2756        
    cb.exe    2.05    39,276 K    48,396 K    1192    Cb Response Sensor    Carbon Black, Inc.
    scsm.exe    0.21    518,540 K    530,388 K    1608    LogRhythm System Monitor Service    LogRhythm, Inc.
    nessus-service.exe        1,048 K    3,036 K    2024        Tenable, Inc.
    nessusd.exe    0.03    43,880 K    48,148 K    796        Tenable, Inc.
    winvnc.exe    < 0.01    2,208 K    5,236 K    904    VNC server    UltraVNC
    winvnc.exe        2,520 K    6,260 K    4944    VNC server    UltraVNC


    As you can see, Carbon Black also has some drivers loaded..
    cbk7.sys    Core filter driver component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbk7.sys
    cbstream.sys    Network monitor component    Carbon Black, Inc.    C:\Windows\system32\drivers\cbstream.sys

    And also LogRhythm
    LRAgentMF.sys    LogRhythm System Monitor Mini Filter Driver    LogRhythm, Inc.    C:\Windows\system32\DRIVERS\LRAgentMF.sys


    Also, is the Brother Serial driver still necessary in memory now that the machine is virtualized?
    serial.sys    Brotehr Serial I/F Driver (WDM)    Brother Industries Ltd.    C:\Windows\system32\DRIVERS\serial.sys

    HTH
    -mario

    • Marked as answer by lalaJee Friday, May 29, 2020 11:28 AM
    Sunday, May 10, 2020 8:39 AM
  • After removing LogRhythm I don't see the Toke tag at the top anymore. However, I see the MMST now at the moment.

    Tag  Type     Allocs            Frees               Diff            Bytes                 Per Alloc

     MmSt Paged            1127080            1110802             16278      713404096            43826        
     CM31 Paged             138280              84191             54089      242323456             4480        
     Ntff Paged             218937             206533             12404       15281728             1232        
     CM25 Paged               2475                  0              2475       11776000             4757        
     MmRe Paged              10015               8819              1196       10833120             9057        
     FMfn Paged            4199009            4178752             20257        8018848              395        
     TSwd Paged                593                573                20        5773680           288684        
     NtfF Paged             529340             525475              3865        5441920             1408        
     Toke Paged           26057137           26054763              2374        4582256             1930        
     CIcr Paged             147820             147378               442        3844704             8698        
     ClfI Paged               1278               1240                38        3827344           100719        
     IoNm Paged          104160803          104143561             17242        3325376              192        
     CMAl Paged               7309               6725               584        2392064             4096        
     NtFs Paged            9910871            9890002             20869        2076624               99        
     CM29 Paged                177                 56               121        1982464            16384        
     Ntf0 Paged            4181056            4164880             16176        1887296              116        
     FSrt Paged             318836             317420              1416        1450176             1024        
     Ntfc Paged             120717             110973              9744        1403136              144        
     Sect Paged            5765677            5756983              8694        1398000              160        
     Obtb Paged              50968              50491               477        1392384             2919        
     FSim Paged             140809             133764              7045        1014480              144        
     CBus Paged           48108101           48106693              1408         912992              648        
     MmSm Paged             304480             290611             13869         887616               64        
     FLfl Paged              35911              28831              7080         792960              112        
     NtFB Paged               1532               1502                30         689536            22984        
     CM16 Paged               1095                980               115         630784             5485        
     Clfs Paged              14543              14473                70         570112             8144        
     NtFS Paged           89851890           89849447              2443         540784              221        
     Ntfo Paged            7299139            7295329              3810         495328              130        
     CM7  Paged              16944               6914             10030         481440               48        
     ArbA Paged                112                  1               111         466496             4202        
     Key  Paged           86588511           86586254              2257         431504              191        
     CM39 Paged              14856              14256               600         402432              670        
     CM   Paged            2260209            2259595               614         326528              531       


    • Edited by lalaJee Friday, May 15, 2020 8:09 AM
    Friday, May 15, 2020 8:07 AM
  • Mmst is something related to the memory manager, and may be absolutely normal given that your server is a mail server and for sure will handle many many messages..

    Monitor it for some days but probably the leak won't happen anymore.. you can also work with LogRhythm to see if they know their driver has a leak and if they can provide an updated driver to solve the problem.

    Good job..

    Thanks!
    -mario

    • Marked as answer by lalaJee Friday, May 29, 2020 11:28 AM
    Friday, May 15, 2020 1:09 PM
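
The monitoring suggested above can be done by saving two poolmon snapshots some hours apart and comparing them per tag. The following is an added example, not code from the thread: it parses the column layout pasted in the post above and ranks tags whose outstanding allocations and bytes both grew. The first snapshot reuses four rows from the post; the second snapshot, the two-hour interval and the 1 MB/hour threshold are constructed assumptions.

```python
import re

# Column layout as pasted in the thread:
# Tag  Type  Allocs  Frees  Diff  Bytes  PerAlloc
# Tags are up to 4 characters and may be padded with spaces ("CM   Paged").
ROW = re.compile(
    r"^\s*(?P<tag>\S.{0,3}?)\s+(?P<type>Paged|Nonp)\s+"
    r"(?P<allocs>\d+)\s+(?P<frees>\d+)\s+(?P<diff>\d+)\s+(?P<bytes>\d+)\s+\d+\s*$"
)

# Rows copied from the poolmon output in the post above.
SNAP_T0 = """
 Tag  Type     Allocs    Frees     Diff   Bytes      Per Alloc
 MmSt Paged    1127080   1110802   16278  713404096  43826
 CM31 Paged    138280    84191     54089  242323456  4480
 Toke Paged    26057137  26054763  2374   4582256    1930
 CM   Paged    2260209   2259595   614    326528     531
"""

# Constructed second snapshot, assumed to be taken 2 hours later.
SNAP_T1 = """
 MmSt Paged    1130000   1113800   16200  710000000  43827
 CM31 Paged    138400    84300     54100  242372608  4480
 Toke Paged    26187137  26119763  67374  130032256  1930
 CM   Paged    2260300   2259686   614    326528     531
"""

def parse_snapshot(text):
    """Return {(tag, type): (outstanding_allocs, bytes)} for every data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            rows[(m["tag"], m["type"])] = (int(m["diff"]), int(m["bytes"]))
    return rows

def growth(before, after, hours, min_bytes_per_hour=1_000_000):
    """Rank tags whose outstanding allocations AND bytes both grew."""
    suspects = []
    for key, (diff1, bytes1) in after.items():
        diff0, bytes0 = before.get(key, (0, 0))
        rate = (bytes1 - bytes0) / hours
        # A busy tag has high Allocs and Frees; a leak shows as rising Diff.
        if diff1 > diff0 and rate >= min_bytes_per_hour:
            suspects.append((key[0], key[1], round(rate)))
    return sorted(suspects, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    for tag, pool, rate in growth(parse_snapshot(SNAP_T0), parse_snapshot(SNAP_T1), 2):
        print(f"{tag:4} {pool:5} +{rate / 1_000_000:.1f} MB/hour")
```

A tag that is large but stable, such as MmSt in the constructed data, is not reported; only sustained growth between snapshots is.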
  • I found this which might help with the MMST.

    https://techcommunity.microsoft.com/t5/ask-the-performance-team/getting-to-know-the-mmst-pool-tag/ba-p/374971

    Friday, May 15, 2020 3:47 PM
  • Mmst is something related to the memory manager, and may be absolutely normal given that your server is a mail server and for sure will handle many many messages..

    Monitor it for some days but probably the leak won't happen anymore.. you can also work with LogRhythm to see if they know their driver has a leak and if they can provide an updated driver to solve the problem.

    Good job..

    Thanks!
    -mario

    It's been almost 2 weeks and the two test servers' memory is at 40%; it's not going up now. I think the memory leak issue is fixed.

    Thank you so much for all your help.

    Tuesday, May 26, 2020 11:27 AM