How to check for memory leaks?

Discussion in 'ESET NOD32 Antivirus' started by JuliusB, Jul 25, 2009.

Thread Status:
Not open for further replies.
  1. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
    Something is leaking memory in my Vista x64 8GB RAM machine. Now it uses about 40 percent with no additional background programs running. Most of the time it's fine though. Sometimes I can see memory leak and ram usage go all the way to 100percent when installing a big game or extracting big archive. I was never been able to accurately pinpoint what is causing it and after SP2 install I now get random memory leaks like the one currently with 40percent ram usage. Recently I was encoding video with MeGUI/x.264 and saw memory usage climbing again. If it gets to 100 percent it of course becomes VERY slow so I disabled NOD32 real time protection just in case to see what happens as I did not want to cancel encoding process as it takes several hours. Once I disabled real time protection memory usage stopped climbing and stayed here at about 80percent. Re-enabled NOD32 protection again and again saw it climbing to 85percent. Disabled again and again it stopped at 85-86percent.
    I am NOT saying it is NOD32 fault, I am just trying to pinpoint the problem and thus asking how to see what component is using the memory as task manager does not show this.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    exclude the encoding program and any folder it uses from scanning?

    it sounds that AV is placing additional strain on the system already doing demanding encoding work
     
    Last edited: Jul 25, 2009
  3. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
    but I have 8GB of ram. encoding even though demanding does not take so much. I can look at task manager and see encoding program using about 1.5GB only I remember.
    And it seems random now RAM usage is 72percent, I am doing nothing.
    There is a difference between program just taking ram for its work and memory leak.
    The question is what is leaking memory now.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    see if Process Explorer reveals more
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    A memory leak will usualy manifest in all your executables using far more RAM than needed, and not just the one that's causing the leak.

    What exactly Task Manager shows? You would be best to disable all the resident processes (uninstall if you have to, followed by a reboot) one by one until you find the culprit. I know it's tedious, but I really have no better suggestion. I don't know what kind of encoding you do, but 1.5 GB is far too much IMO, this is a CPU intensive task and shouldn't put such strain on RAM...
     
  6. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
  7. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    Turn on show processes from all users. I don't see svchost or ekrn.
     
  8. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Its just superfetch loading whatever it can grab in to memory. Leave it alone, that is normal behavior.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah...sounds like SuperFetch doing its job. With Vista and Win7...just sitting there doing nothing, your RAM will still mostly be used up..it's superfetch going to work. Just leave it be, sit back and enjoy. RAM is meant to be used, else it's wasted money.
     
  10. jyxent

    jyxent Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    10
    I've had this happen on two computers, and it's definitely not due to Superfetch. I'm pretty sure that the memory used by Superfetch shows up as cached in the task manager. So you can look at the free+cached memory to see how much available memory there actually is.

    I have a feeling that this is related to this issue:

    https://www.wilderssecurity.com/showthread.php?t=243188

    I've experienced this issue on two computers running Vista SP2 and Vista SP1, both x64.

    I didn't know how to narrow it down to the system driver, but I experienced the same issue of the nonpaged memory pool using ~2GB of memory on a machine with 3GB total. Since this memory is nonpagable, it is permanently in RAM.

    I've installed the previous version of nod32 (3.0.684) to see if this still occurs.
     
  11. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I just installed the latest NOD v4 on a machine running a fresh copy of Win7 yesterday. Already I see, without even installing anything other than NOD and Opera, that 41% of my system memory is being used just at the desktop, idling. I think I'm seeing the same behavior.

    Is there a way to determine if this is Superfetch or NOD? I'm not very experienced, but I do game a whole lot, so having nearly half my system memory gobbled up by NOD is a dealbreaker for me. But if it's just superfetch, and it's going to stop soon, then I've no issues with it.
     
  12. jyxent

    jyxent Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    10
    Windows 7 doesn't include the Superfetch memory in used memory when displaying how much is used, so your memory usage is not likely from Superfetch. Depending on how much memory you have installed, your usage may be normal. On this machine with 3GB of RAM, there is about 22% memory usage, with nothing running except anti-virus and a couple background applications.

    You can monitor pool nonpaged memory usage by running Performance Monitor. Just open the start menu and type in perfmon. Once you open that, go to the Performance Monitor entry on the left pane. This will bring up a graph on the right side with CPU usage. In the table at the bottom, right click and select add counters. The counter we want is under memory -> pool nonpaged bytes. Add this to the counters, then go back to the graph. If you click on the counter, it will show some statistics about the nonpaged memory. Right now, my counter shows that 73,765,000 bytes are in use, or about 74MB. When I was experiencing the problem before, this was around 1.8GB.

    You can also look at specific driver usage by running verifier from the start menu. Just select display information about the currently verified drivers, then click add and add the netio.sys driver, which seems to be the driver that has the problem. Click next twice to get to the counters page. Looking on my machine, netio.sys is currently using 6696 bytes, or about 6KB.
     
  13. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Huh. Well, the nonpaged bytes reads at about 65 MB, and hasn't peaked. I guess Win7 just uses a lot more of the physical memory than I'm used to seeing in WinXP. I never saw that top out above 300 MB in XP at the desktop on this setup, so seeing it guzzle ~1GB is a bit surprising. I suppose this impacts performance, but I'll have to wait and see how.

    Thanks for the tip, though! I'll keep my eye on the nonpaged bytes reading to see if I'm observing the same leak as you in the future.
     
  14. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
  15. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    That's still superfetch.
     
  16. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
  17. jyxent

    jyxent Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    10
    I agree. If SuperFetch did show up in the memory usage, his machine would display 100% memory usage, rather than 69%, since there is 0 free memory.

    I've been trying out nod32 3.0 lately, and I haven't had an instance of my memory usage going way up again. So, this may not be an issue with the older version. Although, it is possible it still happens and I just haven't come across it yet.

    Right now, my system is sitting at about 3.3GB memory usage out of 8GB. This is with Google Chrome, a VMware instance using 1GB of memory, and several background applications open.

    Edit: You might want to add the working set column to the processes tab in task manager to get a better idea of memory usage if you haven't already (View->Select Columns). The processes tab shows the private working set by default. For my VMware instance, it only shows 23MB. The working set column shows 1.2GB, which is the total memory allocated by the VMware instance.
     
    Last edited: Aug 13, 2009
  18. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    It is still superfetch. The column you are looking at in task manager (assuming you left it on the default settings which it appears you have) is the Private Working Set. This is the amount of memory the process absolutely has to have allocated to it to keep functioning and cannot be paged out. This is not, however, how much physical memory is being used by a process. That is shown by the Working Set. Superfetch's aggressive caching model will preload pages to a process that expects you to use based on monitored usage habits which can balloon out the Working Set and create a large desparity between that number and the Private Set. The sum of your Working Set is the Physical Memory Usage percentage you see in task manager. In addition to prefetching pages for processes that are in-use, it also prefetches for processes that are currently not running but are likely to. The sum of the prefetched processes running and not running is your Physical Memory Cached count.

    Rule of thumb: If your physical memory usage is a higher percentage but most of it is allocated in Cache, it is Superfetch doing its thing and you don't have a problem. If your physical memory usage is high and the cache is empty, then you have a problem because you are going to be thrashing the page file.
     
  19. jyxent

    jyxent Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    10
    SuperFetch is not related to the working set of a process, at all. SuperFetch merely preloads applications in memory so that it can read them from memory when you actually start them, making them start faster.

    As I said in my previous post, the working set is the total memory used by a process, private and sharable. Althrough looking at the working set can give an inflated view of memory usage, it will give you a better idea of where memory is going. For example, if two processes share 500MB of memory, it will show up in the working set for both, making it look like memory usage is 500MB higher than it actually is. But, when running an single instance of an application, such as VMware, you won't get an accurate view of memory usage unless you look at the working set, as most of the memory used is shareable.

    Looking at your memory usage, I doubt you are suffering from the nonpaged pool memory bug, as there is only 136MB allocated. You will probably need to look at the working set to get a picture of which applications are actually using your memory.
     
Thread Status:
Not open for further replies.