Windows 8.1 memory leak - unable to find the culprit

I'm having a problem with a possible memory leak on my Windows 8.1.

After a few hours (2-3), the used memory goes to about 95% and my laptop slows down a lot and becomes almost impossible to work with. Using Lenovo ThinkPad Edge E 531.

Task manager and RamMap show high Paged Pool usage

Using poolmon, I was able to find the Tags causing it.

Using "findstr" on the SeAt, SeTd and SeTl tags doesn't find anything. When used on the Toke tag, it finds several pages of text with vhdmp.sys (vhdmp.inf) highlighted.

Using the strings.exe utility on the SeAt tag, I was able to find these two:

C:\Windows\System32\drivers\NETwew00.sys: utilPanP2PBuild_NoticeOfAbsenseAttribute
C:\Windows\System32\drivers\NETwew00.sys: prvhPanCnctWAC_BuildDeviceAdvertiseAttr

Searching for the other three tags results in over 100 lines.

May 16th, 2015 4:49am

The lion's share is "Toke".  I'd concentrate on that one alone.

VHDMP.SYS is a driver that facilitates virtual hard disk (VHD) access.

https://msdn.microsoft.com/en-us/library/windows/desktop/dd323654%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Do you use .vhd files in your setup?

For what it's worth, on a big Win 8.1 system on which I don't use VHDs (except in passing as part of nightly backup), the Toke tag has only accumulated about 3 MB of data in a day and a half of running...

-Noel

May 16th, 2015 5:28am

Apparently the Toke tag is used by many different drivers, or at least that's what findstr tells me. So finding the problematic one won't work this way.
May 16th, 2015 6:18am

I see what you mean.  "Toke" as a substring appears in 156 .sys files on my system.

I did a more exhaustive search with grepWin and a regex search that would isolate "Toke" between non-alphabetics, and no .sys files turned up at all.  I did however find it in these files under C:\Windows...

  • C:\Windows\WinSxS\ManifestCache\3013d139e9b1c046_blobs.bin
  • C:\Windows\System32\config\TxR\{889d4981-0b5e-11e3-93f9-90b11c1ccade}.TxR.3.regtrans-ms
  • C:\Windows\System32\config\components
  • C:\Windows\System32\config\COMPONENTS.LOG2
  • C:\Windows\WinSxS\amd64_juniper-vpnplugin-appx_31bf3856ad364e35_6.3.9600.17031_none_47c7b72c35f85a22\JunosPulseVpnBg.dll
  • C:\Windows\System32\SMI\Store\Machine\schema.dat
  • C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT.LOG1

I had some hopes for that search but I'm not sure these results mean much.  You don't happen to use a VPN do you?

Your approach was the right one, but unfortunately "Toke" doesn't turn up too many results.

You can watch the pool usage grow with poolmon as your system runs...  Does doing anything in particular cause it to happen?

May 16th, 2015 6:29am
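
Added example, not part of the thread: a Python sketch of the two searches discussed above, a findstr-style substring search for a pool tag in driver files and the stricter match that isolates the tag between non-alphabetic bytes. The function names and the sample driver files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def scan_for_pool_tag(root, tag, pattern="*.sys"):
    """Return {file name: (substring_hits, isolated_hits)} for files containing tag."""
    raw = tag.encode("ascii")
    if len(raw) != 4:
        raise ValueError("pool tags are four ASCII characters")
    # "Isolated" means the tag is neither preceded nor followed by an ASCII
    # letter, which filters out strings such as "GetTokenInformation".
    isolated = re.compile(rb"(?<![A-Za-z])" + re.escape(raw) + rb"(?![A-Za-z])")
    results = {}
    for path in sorted(Path(root).rglob(pattern)):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable file: skip it
        substring_hits = data.count(raw)
        if substring_hits:
            results[path.name] = (substring_hits, len(isolated.findall(data)))
    return results

def build_sample_dir():
    """Create constructed stand-ins for driver files (not real drivers)."""
    root = Path(tempfile.mkdtemp(prefix="pooltag_demo_"))
    # Only API-name strings that happen to contain "Toke".
    (root / "strings_only.sys").write_bytes(
        b"\x00GetTokenInformation\x00NtOpenProcessToken\x00")
    # The tag embedded as a 4-byte constant, plus one unrelated string.
    (root / "tag_user.sys").write_bytes(
        b"\x90\xb9Toke\x00\x00\xe8" + b"AccessToken\x00")
    (root / "unrelated.sys").write_bytes(b"\x00nothing here\x00")
    return root

if __name__ == "__main__":
    hits = scan_for_pool_tag(build_sample_dir(), "Toke")
    for name, (sub, iso) in hits.items():
        print(f"{name}: substring hits={sub}, isolated hits={iso}")
```

An isolated-hit count of zero does not prove a driver never uses the tag, because the bytes next to an embedded tag constant can themselves be ASCII letters.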

I tried a different approach. I found an article about a faulty Bluetooth driver on ThinkPad laptops, so I disabled it and for now, the paged pool memory seems to be ok. The Toke tag is staying at circa 3MB.

However, the non-paged pool jumped to 1,3GB. The biggest contributor is the ECMC tag with 1GB. Findstr shows excsd.sys, which is the express cache driver. So I'll look into that.


The memory usage is still pretty high, but at least I feel like I'm getting somewhere now.

This RamMap shows usage with only Chrome browser on, which takes about 700MB in total at the moment.

May 16th, 2015 8:01am

Is excsd.sys non-Microsoft software?  The name is not familiar to me.

In any case, a cache program might well use RAM to keep data e.g. from disk on a short leash so that it can be retrieved again quickly.

If you find your system generally seems underpowered, you could review all the software that runs in the background with a great tool from Windows Sysinternals:  Autoruns

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

There are almost always extra programs installed by virtually every application package that aren't really needed.  Autoruns allows you to experiment with disabling them and see what (if anything) important you lose.  It's also helpful if an update to some program brings one back after you've already disabled it because you'll see two entries, one of which is disabled.  I find it helps me manage what runs on my system rather nicely.

Good luck!

-Noel

May 16th, 2015 3:42pm

excsd.sys is made by Diskeeper Corporation. It's supposed to monitor the most used data and store it in the SSD of a hybrid disk.

I've talked to a friend who uses a similar setup and his Expresscache is taking about 700MB, so it seems like a usual thing.

I've downloaded Autoruns, but it feels a bit confusing now. I'll look into that later, if I need to.

Thank you for your help.

May 17th, 2015 6:45am

This topic is archived. No further replies will be accepted.
