Memory Leak D2d
Hello,
Can someone please help? We've been having a memory leak on our Windows 2003 SP2 Standard server. Overtime the servers stops responding and an event 2020 is logged where pool is empty. A restart is required to fix it.
I've been running Poolmon.exe and noticed the D2d tag is steadily increasing.
Example: On 6/22
Memory: 3538236K Avail: 3001188K PageFlts: 275 InRam Krnl: 2836K P:76928K
Commit: 340184K Limit:5475744K Peak:1205688K Pool N:24988K P:77520K
System pool information
Tag Type Allocs Frees Diff Bytes Per Alloc
SaEe Paged 5145589 ( 0) 5144771 ( 0) 818 44232136 ( 0) 54073
UlHT Paged 1 ( 0) 0 ( 0) 1 8392704 ( 0) 8392704
R100 Paged 47 ( 0) 2 ( 0) 45 5460840 ( 0) 121352
MmSt Paged 87333 ( 4) 84596 ( 4) 2737 4091952 ( 0) 1495
Ntff Paged 5097 ( 0) 3506 ( 0) 1591 1298256 ( 0) 816
Gh15 Paged 30209 ( 24) 30048 ( 24) 161 1193504 ( 0) 7413
Wmit Paged 13 ( 0) 2 ( 0) 11 655688 ( 0) 59608
D2d Paged 54394 ( 0) 27197 ( 0) 27197 652728 ( 0)
24
CM35 Paged 52 ( 0) 24 ( 0) 28 573440 ( 0) 20480
Ttfd Paged 1109 ( 0) 736 ( 0) 373 543784 ( 0) 1457
CMAl Paged 434 ( 0) 302 ( 0) 132 540672 ( 0) 4096
Now on 6/29
Memory: 3538236K Avail: 2642836K PageFlts: 94681 InRam Krnl: 3436K P:194420K
Commit: 549100K Limit:5475744K Peak:1205688K Pool N:54616K P:195104K
System pool information
Tag Type Allocs Frees Diff Bytes Per Alloc
D2d Paged 5321430 ( 14) 2660715 ( 7) 2660715 63857160 ( 168) 24
SaEe Paged 386885068 ( 220) 386884236 ( 220) 832 44421208 ( 0) 53390
MmSt Paged 8773613 ( 25) 8752239 ( 25) 21374 13435808 ( 0) 628
As you can see it has jumped up quite a bit and eventually will run out of paged pool memory. The problem I am having is locating the driver or application file that maybe causing this. I've tried using findstr and strings sysinternal utility
but could not locate the D2d tag anywhere. I think MRTG application maybe causing this. I am running MRTG with Perl as a task sequence that runs every 2 minutes. I've noticed when running poolmon the D2d tag increases
in bytes and diff and does not go down when task is completed. To be sure that MRTG may be causing it, is there any way to verify that it is? What exactly does the the D2d pooltag actually perform?
Thanks!Rich
June 29th, 2011 12:01pm
D2D refers to the IoVolumeDeviceToDosName API but we have seen cases involving SYMEVENT.SYS and D2D tag leaks.
If %windir%\system32\drivers\symevent.sys is present, what version number is it?
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2011 11:45pm
Thank you for your reply. We were suspecting that Symantec Endpoint Protection 11.0.6300.803 was causing the issue but could not relate it to any driver using poolmon. Hopefully it is the cause as there are some bugs in this version of SEP.
The version of the symevent.sys file is 12.8.3.22.
Thanks!Rich
July 2nd, 2011 1:19am
Yeah, I would suggest following up with Symantec to see if they are aware of a symevent.sys memory leak and if there is an updated version available yet.
Free Windows Admin Tool Kit Click here and download it now
July 2nd, 2011 2:24am