Title: Kernel Mode Leak Detection, Mike Morales, Support Professional, Microsoft Corporation
1 Kernel Mode Leak Detection
Mike Morales, Support Professional, Microsoft Corporation
2 Memory Leak Triage
- Purpose: to demonstrate how to recognize and isolate kernel mode memory leaks on Windows 2000.
3 Detection Tools
- Performance Monitor
- Global Flags (Gflags.exe)
- Poolsnap
- Driver Verifier
- Kernel Debugger
4 Performance Monitor
- Memory Pool Counters
- Object: Memory
- Counter: Pool Nonpaged Allocs
- Counter: Pool Nonpaged Bytes
- Counter: Pool Paged Allocs
- Counter: Pool Paged Bytes
These counters are kernel mode memory counters that should be observed over time to determine whether a memory leak exists.
5 Problem Detected in Perfmon
Example of a kernel mode memory leak.
6 Gflags Utility
- Gflags.exe is a Windows NT Resource Kit utility. The server will need to be rebooted after setting the correct Gflags entry and then clicking Apply and then OK. You'll want to enable pool tagging to use the Poolsnap utility.
7 Tag Capturing Tools
- After enabling pool tagging through the Gflags utility, there are two ways in which we can find the offending tag:
- Using Poolsnap
- !poolused x (this requires a memory dump)
8 !Poolused
- As an alternative to using the Poolsnap logs, you can also dump the system to get a memory dump, then load it in the debugger and issue the !poolused command.
- Make sure to specify the number 3 after the !poolused command (!poolused 3). This displays the pool tags in the same manner as the Poolsnap logs.
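As an added example (not part of the original deck), here is the triage logic in Python for picking the offending tag out of successive Poolsnap or !poolused 3 listings: a tag whose outstanding bytes rise in every interval is the leak candidate, while tags that stay flat or fluctuate are normal churn. The snapshot layout, column set and tag names below are constructed for illustration and are simplified relative to the real tools' output.

```python
"""Find the pool tag whose outstanding allocations keep growing across snapshots."""
import re

# Constructed sample snapshots in a simplified, hypothetical poolsnap-style layout
# (Tag, pool type, Allocs, Frees, Diff, Bytes); the real tool prints more columns.
# The hypothetical tag 'Leak' grows every interval; 'File' and 'Mdl' fluctuate.
SNAPSHOTS = [
    """ Tag  Type   Allocs  Frees   Diff   Bytes
 Leak Nonp    1200   1000    200   25600
 File Nonp    5000   4900    100   12800
 Mdl  Paged    300    280     20    2560""",
    """ Tag  Type   Allocs  Frees   Diff   Bytes
 Leak Nonp    2400   2000    400   51200
 File Nonp    6100   6000    100   12800
 Mdl  Paged    350    335     15    1920""",
    """ Tag  Type   Allocs  Frees   Diff   Bytes
 Leak Nonp    3600   3000    600   76800
 File Nonp    7300   7190    110   14080
 Mdl  Paged    400    380     20    2560""",
]

LINE_RE = re.compile(r"^\s*(\S{1,4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_snapshot(text):
    """Map (tag, pool type) -> (outstanding allocs, outstanding bytes); header lines don't match."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tag, ptype, _allocs, _frees, diff, nbytes = m.groups()
            table[(tag, ptype)] = (int(diff), int(nbytes))
    return table


def growing_tags(snapshots):
    """Return (tag, type, byte growth, alloc growth) for tags whose outstanding
    bytes rose in every interval, largest byte growth first. Steady or
    fluctuating tags are normal churn and are left out."""
    tables = [parse_snapshot(s) for s in snapshots]
    suspects = []
    for key, (first_diff, first_bytes) in tables[0].items():
        series = [t.get(key) for t in tables]
        if None in series:  # tag vanished from a later snapshot: not a leak
            continue
        byte_counts = [b for _, b in series]
        if all(later > earlier for earlier, later in zip(byte_counts, byte_counts[1:])):
            last_diff, last_bytes = series[-1]
            suspects.append((key[0], key[1], last_bytes - first_bytes, last_diff - first_diff))
    return sorted(suspects, key=lambda s: s[2], reverse=True)
```

Run `growing_tags(SNAPSHOTS)` against snapshots taken several minutes apart; a single tag dominating the list with a constant bytes-per-allocation ratio is the one to carry into the Driver Verifier step.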
9 Loading the Dump
- Use a batch file
- To make the process of loading up dump files easier for you, create a batch file for each type of dump you may receive. The batch files are very small. Here's an example of the Windows 2000 batch file:
set _NT_SYMBOL_PATH=\\Server1\Symbols\NT\2195-RTM\i386\symbols
set _NT_ALT_SYMBOL_PATH=c:\debug\hotfixes\symbols;\\lcdebug\Symbols\NT\2195sp1\i386\symbols
kd -server npipe:pipe=michmor -z %1
10 Loading the Dump (continued)
- After creating the batch file, from a command prompt, type the batch file name followed by the path to the dump file, then press Enter.
- Example:
- c:\debuggers\win2kdebug.cmd \\Server1\share1\MEMORY_LAB1.DMP
11 Example of !Poolused
- Here's the example of a !poolused command identifying the offending tag.
12 Look at Virtual Memory
- While you have the dump loaded, you might also want to verify any potential resource issue by using the !vm command.
13 Pool Tag Has Been Identified, Now What?
- With Windows 2000 and the addition of the Driver Verifier feature, we are able to track each driver's pool allocations. So, now we have the pool tag, but in this example we don't know which driver is causing the leak. What should we do now?
- Narrow the list of drivers down to non-Microsoft drivers.
- Now we can take that list and track their pool allocations through Driver Verifier.
- To run Driver Verifier, simply type verifier in the Run box.
14 Example of Driver Verifier
- Type verifier in the Run line.
15 Results from Driver Verifier
- Demo from the VERIFY_MEMORY.DMP file.
- Notice that the bluescreen code is a C4, which is specific to Driver Verifier. If you get any other stop code, it is not due to the setting in Driver Verifier.
- The command to type is !verifier 3, which lists the driver being tracked and all of its allocations.
16 Additional Notes
- Location for the latest debuggers:
- http://www.microsoft.com/ddk/debugging/
- When you install the latest debuggers, the latest Gflags.exe utility will also be installed.