Solving a Windows out-of-memory crash problem with the PoolMon tool

One day, the laptop I used for work suddenly became more and more laggy until it crashed.

I thought it was just Windows 11 acting up, because the Windows 11 Resource Manager had often frozen in the past (it got much better after a minor version upgrade).

So I pressed and held the power button to force a shutdown and restarted.

However, it slowly became more and more sluggish again, until it froze and I had no choice but to restart once more.

After booting, I opened Task Manager to watch the CPU and memory usage in real time.

I found that memory usage was creeping up slowly. After it reached 60%, I sorted the processes by memory usage. The top few were commonly used applications, and even after closing them the upward trend did not stop.

After 80%, I sensibly saved every file I was writing and waited for the computer to crash.

After another forced restart, I immediately opened Task Manager, thought back over what I had done recently, and ran the anti-virus software. Everything was normal, but then I suddenly remembered that I had recently installed a certain piece of software.

I waited for memory usage to keep climbing and then checked the processes related to that software, but nothing stood out. Then I noticed that the software seemed to have started many small processes. Each one used only a little memory, so I had simply ignored them, but who knows what other invisible processes it had started? I went to ask the people responsible for the software.

The relevant personnel expressed confusion, and I was also confused. I forgot the reason for asking and pretended to be calm.

In the end I had no choice but to rule that cause out, and I started a new round of recollection, but nothing came of it.

Later, following "international practice", when you run into a problem you do not start by analyzing it from the underlying principles; you go straight to Google and Baidu.

I found an article about locating Windows memory leaks that used the PoolMon tool. PoolMon is a kernel memory leak detection tool for the Windows platform.

I went to the official website to download the PoolMon and RAMMap tools.

Microsoft introduction to RAMMap: RAMMap - Sysinternals | Microsoft Learn

Microsoft introduction to PoolMon: PoolMon - Windows drivers | Microsoft Learn

PoolMon is included in the WDK and is installed by running wdksetup.exe.

https://learn.microsoft.com/zh-cn/windows-hardware/drivers/download-the-wdk

It felt like a race against time to download and install it before the next crash.

Download and installation complete; time to open and use them!

RAMMap can be downloaded directly: unzip it, open it, and use it.

PoolMon: go to the directory that contains poolmon.exe and open cmd there. The location of poolmon.exe is C:\Program Files (x86)\Windows Kits\10\Tools\x64\poolmon.exe.

Start it with .\poolmon.exe -b; the -b option sorts the entries by bytes of memory in descending order.

By this time, memory usage had reached 58%. Could I solve the problem before it froze?

First, I used RAMMap to check for high-usage processes and found the MemCompression process, which does not appear in the Task Manager that comes with Windows. It is the official memory compression feature. Strangely, both its memory and CPU usage had increased, so without thinking twice I turned the feature off by running Disable-MMAgent -mc as administrator. As expected, that was not the problem.

Then I used PoolMon and located NpCD, whose type is Nonp. This is memory usage that cannot be found in Task Manager. It had requested (Allocs) a large amount of memory but released (Frees) 0, which is an obvious memory leak. After watching for a while longer, I found that the total memory it occupied (Bytes) kept increasing: constant allocations made its usage grow continuously. The corresponding Task Manager memory figure had reached 70%. Outside, the setting sun still had its afterglow, mixed with the lights of the world.

Next, I set out to find the "culprit": cd to the root directory of drive C and use findstr /m /l /s NpCD *.sys to find the system driver file that contains the tag NpCD.
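An added example, not part of the original post, that automates the two checks described above: comparing two snapshots of PoolMon output for a tag whose bytes keep growing while frees stay near zero, and then searching .sys files for that tag the way findstr does. The snapshot text is constructed, its column layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) is an assumption about the saved output, and the function names and the 1 MiB / 10% thresholds are illustrative choices.

```python
import os
# Constructed sample snapshots (not real measurements), taken minutes apart.
SNAP_1 = """\
 Tag  Type     Allocs     Frees      Diff      Bytes  Per Alloc
 NpCD Nonp      40000         0     40000   81920000       2048
 FMfn Paged    500000    490000     10000    2560000        256
"""
SNAP_2 = """\
 Tag  Type     Allocs     Frees      Diff      Bytes  Per Alloc
 NpCD Nonp      65000         0     65000  133120000       2048
 FMfn Paged    900000    885000     15000    3840000        256
"""

def parse_snapshot(text):
    """Return {(tag, type): (allocs, frees, bytes)} from snapshot text."""
    rows = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 6)  # split from the right: tags may contain spaces
        try:
            allocs, frees, _diff, nbytes, _per = map(int, parts[2:])
        except ValueError:
            continue  # header, blank line, or a row with too few columns
        rows[(parts[0].strip(), parts[1])] = (allocs, frees, nbytes)
    return rows

def leak_suspects(before, after, min_growth=1 << 20):
    """Tags whose bytes grew >= min_growth while new frees stayed < 10% of new allocs."""
    out = []
    for key, (a1, f1, b1) in after.items():
        a0, f0, b0 = before.get(key, (0, 0, 0))
        if b1 - b0 >= min_growth and (f1 - f0) * 10 < (a1 - a0):
            out.append((key[0], key[1], b1 - b0))
    return sorted(out, key=lambda r: r[2], reverse=True)

def drivers_with_tag(root, tag):
    """Like findstr /m /l /s TAG *.sys: paths of .sys files containing the tag bytes."""
    needle, hits = tag.encode("ascii"), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".sys"):
                try:
                    with open(os.path.join(dirpath, name), "rb") as fh:
                        if needle in fh.read():
                            hits.append(fh.name)
                except OSError:
                    pass  # locked or access-denied file
    return sorted(hits)

if __name__ == "__main__":
    print(leak_suspects(parse_snapshot(SNAP_1), parse_snapshot(SNAP_2)))
```

In the constructed data FMfn also grows by more than 1 MiB, but its frees keep pace with its allocations, so only NpCD is reported.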

Race against memory!

Thinking about life, I looked at a tree outside and a stone under the tree, and suddenly felt relieved. Why be nervous? In the worst case, I would continue to force restart.

Things went as I had expected: by the time the computer froze, findstr had still found nothing. It seems that "there may be no bread, but there are always unexpected problems." It turned out that I had entered the command wrong. There should be a space between NpCD and *.sys, but I had typed it without one. That was why there was no response, and I had assumed it was because there were too many files on my C drive.

After the forced restart, continue!

The search succeeded: the cause was npcap. Memories of the past came flooding back. I vaguely remembered that I had installed this software recently in order to capture network traffic. Although it worked, the installation had not gone smoothly because it was "incompatible" with a certain piece of local software. That may be why npcap misbehaved and leaked memory.

So I uninstalled npcap and its related files.

Problem solved successfully! After observing for a long time, the memory remained normal, and there were no more abnormal growth and stuck problems.

I am just writing this down for the record, and that is all.

Origin blog.csdn.net/g1093896295/article/details/133914384