In my previous post regarding the high memory usage issue with my new HP Envy laptop, which runs on Windows 8.1 Pro with 8GB RAM, I disabled Ndu.sys which, according to some people’s experience, was said to be the culprit. However, Ndu.sys does not seem to be the root cause of my issue because the high memory usage issue came back again yesterday, and eventually my computer crashed with a blue screen shown below.
After some more searching, I decided to follow the suggestion in a post from Windows 8 Forum to use Poolmon to find out which driver is causing the memory leak.
1. Install Windows Driver Kit (WDK) 8.1
2. By default, WDK 8.1 will be installed under C:\Program Files (x86)\Windows Kits\. Poolmon.exe is under C:\Program Files (x86)\Windows Kits\8.1\Tools\x64 (for my 64-bit Windows 8.1). Launch a Command Prompt with administrator rights, change to the directory where poolmon.exe is located, and type in the following command to launch poolmon:
poolmon -b
You can also add “-p” to the command to sort the result by pool and non pool as suggested in drigo’s comment below.
poolmon -b -p
From the poolmon result we can see that the pool tag “NDnd” is causing the most memory allocation, about 400MB!
3. Now let’s find out which driver uses the bad pool tag. While keeping poolmon running, open another Command Prompt with admin rights and type in the following command:
findstr /s NDnd *.sys
The command may generate lots of gibberish in the window, but the first line usually tells you which driver uses the pool tag. In this case, ndis.sys is using the NDnd pool tag. Ndis.sys is related to network adapters, so it tells me that some network adapter is causing the memory leak. I went to the HP website and updated my network drivers, then I remembered that my laptop comes with HP Support Assistant, which can detect updates automatically, so I launched this software to see if I could find something helpful. Sure enough, HP Support Assistant detected that a new version of the Bluetooth driver was available (yes, my laptop has Bluetooth).
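The driver search from step 3, as an added example that is not part of the original post: a Python version of the findstr scan that does a case-sensitive literal match and reports only file names with match counts, so no binary gibberish is printed. The function names and the stand-in files in `demo()` are constructed for illustration.

```python
import os
import sys
import tempfile

def find_tag_users(root, tag):
    """Return [(path, hits)] for *.sys files under root containing tag, most hits first.

    Case-sensitive literal byte match, like findstr /m /l /s, but only
    file names and match counts are reported, never file contents.
    """
    needle = tag.encode("ascii")
    if not 1 <= len(needle) <= 4:
        raise ValueError("pool tags are at most 4 ASCII characters")
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sys"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = fh.read().count(needle)
            except OSError:
                continue  # locked or access-denied files are skipped
            if hits:
                results.append((path, hits))
    return sorted(results, key=lambda r: (-r[1], r[0]))

def demo():
    """Run the scan over constructed stand-in files (not real drivers)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "ndis.sys": b"\x00\x41NDnd\x00\x00NDnd\xff",  # tag present twice
            "other.sys": b"\x00ndND\x00",                 # wrong case: no match
            "notes.txt": b"NDnd",                         # not a driver file
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), n) for p, n in find_tag_users(root, "NDnd")]

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py <drivers dir> <tag>
        for path, hits in find_tag_users(sys.argv[1], sys.argv[2]):
            print(f"{hits:4d}  {path}")
    else:
        print(demo())
```

A tag string can appear in more than one driver, so treat the list as candidates to check against what poolmon shows rather than as a single answer.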
I rebooted my laptop after installing all available updates, then launched poolmon again:
The result shows no abnormal pool tag after the network drivers were updated. Then I launched RAMMap and the result confirmed the non-paged pool is not high.
With several applications running, Task Manager shows about 30% RAM usage:
I think the high memory usage issue has been fixed, but I will keep an eye on it for several more days to see if it will come back.
If this helps you, please let me know by leaving a comment.
Hey..this really helped me out! Thank you so much! With your help I found out that Samsung Rapid Mode is using 1.4GB of Non-paged pool memory.
But u made an error, your NDnd is using 400MB of RAM, not 4GB, because it's in bytes..as u can see, u have 8318996K (8124MB) memory, and Pool N is 831456K, which is 811MB..and your NDnd is in Bytes, 441471120B = 431124KB = 421MB 🙂
Thank you drigo! You are right. It should be 400MB, not 4GB. I have edited the original post.
Cool..but doesn’t matter, what matters is that this helps people 🙂 it most certainly helped me 🙂
While you are at editing, u could add to use the “poolmon -b -p” command, it also sorts by pool or non pool 🙂 That's it from me..once again, thank you!
Thanks again and I am glad it helped you. I added the command in the original post as you suggested.
This well-written article was a big help to me. A few things to note:
For the findstr command, I personally used:
findstr /m /l /s TaG *.sys
This allowed me to get only the filenames in the results as well as to search for the string with case sensitivity.
I also took advantage of the pooltag.txt which is available with a Windows SDK Debugging tool that can provide you names of the drivers when adding the -g switch.