Tracking down a memory leak
I previously asked a question about a server that had a very high nonpaged pool memory utilization and someone explained how to use poolmon to track down the problem driver.
I did this, but I'm not sure I have identified the issue.
Running poolmon:
Now searching for fwpx I only got one "match":
dsac.exe? The AD Administrative Center is causing the memory leak? That obviously can't be right, but that was the only match findstr found.
Googling the fwpx pool tag I can see some issues people had with the McAfee anti-virus product (but Symantec SEP is installed on this server).
According to this Technet blog post the fwpx pool tag is related to this driver: Fwpx - fwpkclnt.sys - WFP NBL tagged context
But if that is the case why didn't findstr locate it?
Then I googled more and found this kb: https://support.microsoft.com/en-us/kb/2885980
According to the kb the FwpsAllocateCloneNetBufferlist() API leaks memory. Awesome.
But I'm still not 100% sure this is the issue. Before installing the hotfix, how can I confirm this problem is caused by this WFP bug? I would assume it's SEP that is using the buggy WFP API. This makes sense because I saw McAfee users (another AV product that might be using the API) having similar memory leak issues.
But to be sure, how can I identify the program that is calling the WFP API, if that is actually what is happening?
Didn't have time to follow what magicandre1981 suggested, but was able to confirm that the patch solved the issue. Maybe this will be helpful to others who have a similar memory leak issue.
Another thing we noticed: running a full Windows Update seems to include this fix, but in some other patch. After we ran a full Windows Update on another server with this issue (instead of applying the specific patch), the patch would not install, throwing a very unhelpful "this patch does not apply to this platform" sort of error. It turns out this issue was resolved in some other update.
So I guess applying the patch or making sure the server is completely updated will solve the FwpsAllocateCloneNetBufferlist() API leak.
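The findstr step in the question above, written out as an added PowerShell example (not code from the original post): it scans every driver image in the drivers directory for the 4-byte pool tag reported by poolmon, comparing bytes case-insensitively and also trying the reversed byte order, so a tag that the binary stores as "Fwpx" is not missed by a case-sensitive search for "fwpx". The tag and the driver directory are parameters; the default directory is an assumption.

```powershell
# Added example: locate which kernel driver binaries contain a poolmon pool tag.
# Usage: .\Find-PoolTag.ps1 -Tag fwpx
param(
    [Parameter(Mandatory = $true)][ValidateLength(4, 4)][string]$Tag,
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"   # assumed default location
)

# Pool tags are 4-byte constants (e.g. 'xpwF' in source) and usually appear in the
# image in display order, but some images hold the reversed form, so search both.
$reversed = -join ($Tag.ToCharArray()[3..0])
$variants = @($Tag, $reversed) | Select-Object -Unique

function Find-PoolTagInDrivers {
    param([string[]]$Patterns, [string]$Directory)
    # Latin-1 (code page 28591) maps every byte to exactly one char, so the raw
    # image can be searched as a string without any bytes being dropped or merged.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    Get-ChildItem -Path $Directory -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            foreach ($p in $Patterns) {
                $offset = $text.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase)
                if ($offset -ge 0) {
                    [pscustomobject]@{
                        Driver  = $_.Name
                        Pattern = $p
                        Offset  = ('0x{0:X}' -f $offset)
                        Match   = $text.Substring($offset, 4)   # exact casing as stored
                    }
                }
            }
        }
}

Find-PoolTagInDrivers -Patterns $variants -Directory $DriverDir | Format-Table -AutoSize
```

A hit only shows that the driver image contains those four bytes; the pooltag.txt shipped with the Windows Debugging Tools remains the authoritative tag-to-driver mapping, and a match in a third-party filter driver is a lead to confirm, not proof that it is the allocating caller.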