How to identify which process committed memory
Solution 1:
PowerShell Solution
1. Get top 10 processes using the highest amount of Virtual Memory
Get-Process | Sort PagedMemorySize-Desc | Select Name, PagedMemorySize, VirtualMemorySize -First 10
Output Example
Name VirtualMemorySize PagedMemorySize
---- ----------------- ---------------
UrBackupClientBackend 685735936 548347904
explorer 1529909248 478908416
Microsoft.Photos 1303465984 433094656
MBAMService 661987328 228876288
MicrosoftEdgeCP 894496768 219799552
MsMpEng 667783168 205774848
MicrosoftEdgeCP 874590208 202584064
mstsc 440627200 185860096
javaw 886177792 185556992
MicrosoftEdgeCP 802746368 146792448
2. Get sum of all committed Virtual Memory
Get-WmiObject win32_operatingsystem | Select @{L='commit';E={($_.totalvirtualmemorysize - $_.freevirtualmemory)*1KB/1GB}}
Output Example
commit
------
4.56205749511719
Supporting Resources
How to get Memory Committed Bytes per process
-
Process.VirtualMemorySize Property
"The amount of virtual memory, in bytes, that the associated process has requested."
Use PowerShell to Find System Committed Memory
-
Win32_OperatingSystem class
TotalVirtualMemorySize
Data type:
uint64Access type:
Read-onlyQualifiers:
Units ("kilobytes")Number, in kilobytes, of virtual memory. For example, this may be calculated by adding the amount of total RAM to the amount of paging space, that is, adding the amount of memory in or aggregated by the computer system to the property, SizeStoredInPagingFiles.
Process.PeakPagedMemorySize Property
-
Process.PagedMemorySize Property
"Gets the amount of paged memory, in bytes, allocated for the associated process."
"The amount of memory, in bytes, allocated by the associated process that can be written to the virtual memory paging file."
- Process.PrivateMemorySize Property
Solution 2:
Process Explorer can show this information per-process :
Here is how to get the above screen in Process Explorer :
- Click menu View > Show Lower Pane
- Click menu View > Lower Pane View > DLLs
- Click menu View > Show Unnamed Handles and Mappings
- Click on a process in the upper pane
- Right-click on the headers of the lower pane and choose Select Columns...
- In the DLL tab, tick Mapped Size and Mappinq Type
- Click OK
Process Hacker can similarly show this information, after choosing and double-clicking on a process, in the Handles tab uncheck Hide unnamed handles.
Solution 3:
In Process Explorer's processes list, the "Private Bytes" column shows each process's contribution to commit charge. It is not necessary to look at the lower pane view.
Be sure to run Process Explorer as Administrator.
Task Manager shows the same information on the Details tab in the "Commit size" column.
Note that what Task Manager shows in the "Memory (private working set)" column is not the same thing, even though it uses the word "private". That is showing the subset of each process's commit charge that happens to be in RAM for that process at the moment.
Per Windows Internals, the contributors to the total commit charge are:
- private committed v.a.s. in each process
- pagefile-backed mapped v.a.s. (does not show up in the process' "private bytes")
- copy-on-write regions of mapped v.a.s.
- Nonpaged and paged pool
- other kernel-space allocations not explicitly backed by files (for example, pageable code in drivers or in ntoskrnl.exe does not count, as it is backed by the respective executable files)
- Kernel stacks - every thread has one
- Page tables
- Space for page tables not yet actually allocated, but for which committed v.a.s. already exists
- "Address Windowing Extension" (AWE) allocations
Windows Internals goes into more detail on what each of these things is and why each counts toward the systemwide commit charge. Unfortunately there are not counters for the virtual sizes of many of these things, which is what commit charge is about. RAMmap shows the physical sizes of a few of them but not the virtual.