I have been running out of RAM as of late and have narrowed down that something is leaking in the non-paged pool. My non-paged pool is almost 4GB. In addition to that, the working set of my paged pool is another 4GB (in use by an extremely similar tag). This is after a total uptime of 4 hours. Before my last reboot, my Non-paged pool had grown to about 7.5GB and paged had grown to 15.7 GB.
I am running Windows 10.0.14986. The problem started after the last update. Given that it is an Insider Build, I'm not so much complaining as taking this opportunity to learn how to troubleshoot.
Here are screenshots from task manager, process explorer, and poolmon.
taskmgr.exe:
procexp.exe:
poolmon.exe:
So far I have not been able to find the string "Etwr" in C:\Windows\system32 (using findstr /s Etwr *.sys)
Looking online for the Etwr tag gives me:
Etwr – nt!etw – Etw ReplyQueue Entry
I have no clue what to make of that, as my understanding is that that would imply that the issue is with the Event Tracer which is a logging/performance analysis tool.
Answer
Both tags are used by Windows to do tracing with Event Tracing for Windows (ETW). The pooltag.txt from Windows Debugger lists them as the following:
EtwR - nt!etw - Etw Registration
EtwD - nt!etw - Etw DataBlock
Check which Event loggers re running in computer management->performance->Data Collector Sets:
and stop some of them until you find which one casues the usage. If you stop the Eventlog-XXX ones, you no longer get entries in event log if you have crashes.
No comments:
Post a Comment