EtwD pool leaking somehow, connected to Discord? (Moved from answers.microsoft forum)

trigger7f7 6 Reputation points
2022-08-23T22:13:21.103+00:00

Hi! I'm using Windows 10 Home, and am experiencing a memory leak or fault involving the paged pool. I've looked at a lot of comparable problems, and it seems to be none of them- drivers should be all up to date, and the main leak issue isn't pointing to any of them anyways. It's instead pointing to the EtwD and Etwr paged/nonpaged pools respectively, according to poolmon /b. I've tried findstr, but it turns up nothing (obvious given that the EtwD pools seem to be related to inbuilt Windows event handlers?).

I'd really like some guidance on this subject! Another thing is that this pretty much only happens in a Discord call. I've not tried it with any other voice call applications, but I don't think it'll be the same- regular streaming and even YouTube streams have historically seemed fine. This issue has also been happening for well over a year, and isn't consistent: sometimes it works, sometimes it faults.

Will open a support log with the Discord devs if this turns up false. Still, it'd be nice to know more diagnostic tools I could try. I've seen the paged pool get up to over 21GB (UPDATED: seems to have no upper limit, at least when unrestricted. I've seen it get up to 36GB, reducing my computer to under 500mb of available hard drive space), and it's (in around maybe an hour) spiked from a normal 2.5GB to 9GB. Additionally, I can't find anything on what particular process is using all of this up beyond the EtwD pool- nothing shows in task manager, nothing shows on RAMMap.

Thanks!

Reposted from the answers.microsoft.com forum when a moderator directed me here. Please let me know if you need any more information!


4 answers

  1. Limitless Technology 39,931 Reputation points
    2022-08-24T13:41:13.613+00:00

    Hi there,

    You can follow the articles below to find the driver and memory leak which is causing you this.

    Driver verifier is a utility built into the OS that will often find the driver/drivers that are the underlying cause of BSOD/Crashes.

    Driver Verifier-- tracking down a mis-behaving driver.

    https://answers.microsoft.com/en-us/windows/forum/all/driver-verifier-tracking-down-a-mis-behaving/f5cb4faf-556b-4b6d-95b3-c48669e4c983

    Memtest is easy to use and is an accurate test of your computer memory. It can tell you if your memory is bad, a motherboard slot is bad, etc.

    Memory problems.

    https://answers.microsoft.com/en-us/windows/forum/all/memory-problems/21c3f63f-f570-4522-b2ef-ecc7b7ff6461

    Once you find the faulty drivers you can then update or reinstall the specific driver to rectify this issue.

    ----------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. jdock 1 Reputation point
    2023-01-02T15:45:21.39+00:00

    I am seeing the same thing, now on a regular basis where it used to be once every several days. What I notice is that when it happens, explorer becomes unresponsive and I have to restart it. 5-6 hours of idle time can chew up 60 gigs of memory. I only noticed the memory usage because I'd recently added memory so I was curious about my current usage.

    I saw one person say they saw this due to the Killer networking software. I disabled that from running and it seemed good for 2 days but then came back.

    I tried stopping all the event trace sessions, which also didn't make a difference.

    I've swapped between Dell and Intel video and network drivers.

    I might actually try uninstalling the network drivers altogether and see if it happens with no networking.


  3. jdock 1 Reputation point
    2023-01-03T12:12:18.693+00:00

    Small update from me on this.

    I found a good article on how to look into ETW trace sessions to see what is going on.

    https://jaju.home.blog/2019/06/04/tracking-high-memory-usage-on-windows-10-non-paged-pool-and-event-tracing-buffers/

    I found an Intel data collector (IntelRST) that seemed suspect and I stopped it. Didn't see any difference in memory usage so I went through and stopped absolutely everything except what I couldn't stop. And still didn't see any difference.

    But after a bit of poking around I noticed my EtwD paged pool size shown by poolmon had dropped a bit and in the past 20 minutes has dropped a gig or two. So, it seems to be decreasing as slowly as it increased. I was hoping for a quick result so that I could definitively pinpoint a data collector. I guess now I'm going to have to do a more careful review as I stop data collectors after the next reboot (I'm going to remove the Intel Rapid Storage thing first).


  4. Andreas 1 Reputation point
    2022-10-27T14:17:39.52+00:00

    Hi,

    I am experiencing this EtwD memory leak as well. And to add to your suspicion, the leak can be observed during Google Meet or Zoom calls.
    Sometimes, the memory is slowly released afterwards, sometimes, my applications begin to malfunction one after the other.

    I use poolmon to identify the culprit. The amounts are ridiculously high.

    Maybe this relates to McAfee which is used on this computer?
    What do you use?

     Memory:33107824K Avail: 1659220K  PageFlts: 53283   InRam Krnl:14088K P:17271180K  
     Commit:45872616K Limit:51896140K Peak:46182136K            Pool N:3530716K P:20506188K  
     System pool information  
     Tag  Type     Allocs            Frees            Diff       Bytes                  Per Alloc  
      
     EtwD Paged 290273964 (   0) 261198354 (25573) 29075610 16745906544 (  -14730160)         575  
     MmSt Paged   3591909 (  82)   3558140 (  79)    33769    55123328 (      66416)        1632  
     FMfn Paged   6542663 (   0)   6437504 (   0)   105159    50667216 (          0)         481  
     CM25 Paged      5550 (   0)         0 (   0)     5550    34463744 (          0)        6209  
     NtfF Paged    431726 (   0)    413216 (   0)    18510    29616000 (          0)        1600  
     MmRe Paged     33635 (   0)     30835 (   0)     2800    27584208 (          0)        9851  
     Ntff Paged   2027139 (   0)   2013541 (   0)    13598    19145984 (          0)        1408  
     Toke Paged  22834527 ( 917)  22827099 ( 923)     7428    18291136 (     -19968)        2462  
     AlMs Paged   3785105 (   7)   3762612 (  19)    22493    17993232 (      -9856)         799  
     Obtb Paged     65580 (   0)     62274 (   0)     3306    12172432 (          0)        3681  
     Vi12 Paged   3631567 ( 516)   3596804 ( 306)    34763     7563968 (      46784)         217  
     RvaL Paged     11072 (   0)      8867 (   0)     2205     6890096 (          0)        3124  
     Vi54 Paged    398297 (  39)    397136 (  36)     1161     6675232 (       9248)        5749  
     CM16 Paged      2427 (   0)      1143 (   0)     1284     6586368 (          0)        5129  
     FIcs Paged   2512296 (   0)   2481233 (   0)    31063     5964096 (          0)         192  
     MFeI Paged    444238 (   0)    443989 (   0)      249     5800064 (          0)       23293  
     Vi01 Paged   3238152 ( 540)   3228499 ( 437)     9653     5096784 (      54384)         528  
     NtFs Paged  41745479 (  23)  41697962 (  23)    47517     4528944 (          0)          95  
     DxgK Paged  60111507 (4494)  60090836 (4258)    20671     4443008 (      24608)         214  
     Ntfo Paged    595323 (   0)    578517 (   0)    16806     4423856 (          0)         263  
     SeAt Paged 105761484 (3834) 105725648 (3858)    35836     3785904 (      -2304)         105  
     MiSn Paged  36108641 (1478)  36058220 (1477)    50421     3651664 (         80)          72  
     IoNm Paged  85866698 ( 247)  85848193 ( 248)    18505     3567920 (        -80)         192  
     NtfE Paged    119879 (   0)    110852 (   0)     9027     3466368 (          0)         384  
     Key  Paged 530339210 (19866) 530326918 (19867)    12292     3342320 (       -272)         271  
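
Added example, not part of any post in this thread: a Python sketch that parses poolmon text output in the layout of the snapshot above and reports which paged-pool tags hold a large share of the paged pool. The sample rows are copied from that snapshot; the function names, the 25% threshold and the `Nonp` type label are assumptions of this example.

```python
import re

# Row layout: Tag Type Allocs (delta) Frees (delta) Diff Bytes (delta) PerAlloc.
# "Nonp" as the non-paged type label is an assumption; the page shows only "Paged".
ROW = re.compile(
    r"^\s*(?P<tag>\S{1,4})\s+(?P<type>Paged|Nonp)\s+"
    r"(?P<allocs>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<frees>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<diff>\d+)\s+(?P<bytes>\d+)\s*\(\s*(?P<delta>-?\d+)\)\s+"
    r"(?P<per_alloc>\d+)\s*$"
)
# Header line carrying pool totals in KiB: "Pool N:<nonpaged>K P:<paged>K"
POOL = re.compile(r"Pool N:\s*(\d+)K\s+P:\s*(\d+)K")

# Lines copied from the poolmon snapshot posted in the thread.
SAMPLE = """\
 Commit:45872616K Limit:51896140K Peak:46182136K            Pool N:3530716K P:20506188K
 Tag  Type     Allocs            Frees            Diff       Bytes                  Per Alloc
 EtwD Paged 290273964 (   0) 261198354 (25573) 29075610 16745906544 (  -14730160)         575
 MmSt Paged   3591909 (  82)   3558140 (  79)    33769    55123328 (      66416)        1632
 Key  Paged 530339210 (19866) 530326918 (19867)    12292     3342320 (       -272)         271
"""

def parse_snapshot(text):
    """Return (paged_pool_bytes, rows) for one poolmon text snapshot."""
    paged_total, rows = None, []
    for line in text.splitlines():
        m = POOL.search(line)
        if m:
            paged_total = int(m.group(2)) * 1024
            continue
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            rows.append({k: v if k in ("tag", "type") else int(v)
                         for k, v in m.groupdict().items()})
    return paged_total, rows

def dominant_tags(text, threshold=0.25):
    """Paged tags holding more than `threshold` of the paged pool, largest first."""
    total, rows = parse_snapshot(text)
    out = []
    for r in sorted(rows, key=lambda r: r["bytes"], reverse=True):
        if r["type"] == "Paged" and total and r["bytes"] / total > threshold:
            # diff = allocations never freed; share = fraction of paged pool
            out.append((r["tag"], r["diff"], round(r["bytes"] / total, 3)))
    return out

if __name__ == "__main__":
    for tag, outstanding, share in dominant_tags(SAMPLE):
        print(f"{tag}: {outstanding} outstanding allocations, {share:.1%} of paged pool")
```

Running the same function over snapshots saved at intervals shows whether a tag's share keeps growing or is slowly released.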
    
