Kernel Mode Leak Detection Mike Morales Support Professional Microsoft Corporation - PowerPoint PPT Presentation

1
Kernel Mode Leak Detection
Mike Morales, Support Professional, Microsoft Corporation
2
Memory Leak Triage
  • Purpose: To demonstrate how to recognize and
    isolate kernel mode memory leaks on Windows
    2000.

3
Detection Tools
  • Performance Monitor
  • Global Flags (Gflags.exe)
  • Poolsnap
  • Driver Verifier
  • Kernel Debugger

4
Performance Monitor
  • Memory Pool Counters
  • Object: Memory
  • Counter: Pool Nonpaged Allocs
  • Counter: Pool Nonpaged Bytes
  • Counter: Pool Paged Allocs
  • Counter: Pool Paged Bytes

These are the kernel mode pool counters to watch
when deciding whether a memory leak exists. A leak
shows up as a Bytes value (and usually the matching
Allocs value) that keeps climbing over hours or days
and never returns to its baseline; a counter that
rises and then levels off is normal caching, not a
leak.
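
The trend test the slide describes, applied to a Performance Monitor log, as an added example that is not part of the original presentation. The sample log below is constructed for the example (the PDH-CSV column layout is what Performance Monitor and relog.exe export; the counter values and the server name are invented), and the growth thresholds in assess_counter are assumptions to tune per system, not figures from the slides.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the PDH-CSV layout that Performance Monitor logs export
# to (and that relog.exe writes): column 0 is the timestamp, every other column
# is a counter path. The numbers are invented for this example: nonpaged pool
# climbs by 64 KB every hour and never comes back down, while paged pool only
# wobbles around 12 MB.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\SERVER1\Memory\Pool Nonpaged Bytes","\\SERVER1\Memory\Pool Paged Bytes"
"01/15/2001 08:00:00.000","4194304","12582912"
"01/15/2001 09:00:00.000","4259840","12601344"
"01/15/2001 10:00:00.000","4325376","12570624"
"01/15/2001 11:00:00.000","4390912","12599296"
"01/15/2001 12:00:00.000","4456448","12582912"
"01/15/2001 13:00:00.000","4521984","12591104"
"01/15/2001 14:00:00.000","4587520","12578816"
"01/15/2001 15:00:00.000","4653056","12587008"
'''


def parse_pdh_csv(text):
    """Return (timestamps, {counter_path: [value or None]}) from a PDH-CSV export."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, body = rows[0], rows[1:]
    times = [datetime.strptime(r[0], "%m/%d/%Y %H:%M:%S.%f") for r in body]
    series = {}
    for col, name in enumerate(header[1:], start=1):
        # PDH leaves a field blank when a sample could not be collected.
        series[name] = [float(r[col]) if r[col].strip() else None for r in body]
    return times, series


def least_squares_slope(xs, ys):
    """Slope of the best-fit line through (xs, ys); 0.0 if xs has no spread."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx if sxx else 0.0


def assess_counter(times, values, min_slope_per_hour=16384, min_increasing_fraction=0.8):
    """Summarise one counter's trend and decide whether it looks like a leak.

    A leak is suspected when the fitted growth rate is at least
    min_slope_per_hour bytes/hour AND the counter rose in at least
    min_increasing_fraction of the sampling intervals (a steady climb, not a
    one-off jump followed by a plateau). Both thresholds are assumptions to
    tune per system; they are not values from the presentation.
    """
    points = [(t, v) for t, v in zip(times, values) if v is not None]
    if len(points) < 3:
        raise ValueError("need at least three samples to judge a trend")
    t0 = points[0][0]
    hours = [(t - t0).total_seconds() / 3600.0 for t, _ in points]
    vals = [v for _, v in points]
    slope = least_squares_slope(hours, vals)
    steps = [b - a for a, b in zip(vals, vals[1:])]
    increasing = sum(1 for s in steps if s > 0) / len(steps)
    return {
        "slope_bytes_per_hour": slope,
        "net_growth_bytes": vals[-1] - vals[0],
        "fraction_increasing": increasing,
        "leak_suspected": slope >= min_slope_per_hour and increasing >= min_increasing_fraction,
    }


def find_leaking_pools(text, **thresholds):
    """Assess every counter in the log, keyed by its short counter name."""
    times, series = parse_pdh_csv(text)
    return {name.rsplit("\\", 1)[-1]: assess_counter(times, values, **thresholds)
            for name, values in series.items()}


if __name__ == "__main__":
    for counter, verdict in find_leaking_pools(SAMPLE_LOG).items():
        flag = "LEAK?" if verdict["leak_suspected"] else "ok"
        print(f"{counter:<22} {verdict['slope_bytes_per_hour']:>10.0f} B/h  "
              f"{verdict['fraction_increasing']:.0%} rising  {flag}")
```

Run against a real export, the script flags Pool Nonpaged Bytes on the sample (64 KB/hour, rising in every interval) and clears Pool Paged Bytes, whose fitted slope is slightly negative. A positive verdict only says a leak is worth chasing; it does not say which tag or driver, which is what the Poolsnap and !poolused steps that follow are for.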
5
Problem Detected In Perfmon
Example of kernel mode memory leak
6
Gflags Utility
  • Gflags.exe is a Windows NT Resource Kit utility.
    You'll want to enable pool tagging in order to use
    the Poolsnap utility. After selecting the correct
    Gflags entry and clicking Apply and then OK, the
    server will need to be rebooted before the setting
    takes effect.

7
Tag Capturing Tools
  • After enabling pool tagging through the Gflags
    utility, there are two ways in which we can find
    the offending tag:
  • Using Poolsnap
  • !poolused x, where x is the flags value (this
    requires a memory dump)

8
!Poolused
  • As an alternative to using the Poolsnap logs, you
    can also force a memory dump of the system, load
    it in the kernel debugger, and issue the !poolused
    command. Pool tagging must already have been
    enabled (and the server rebooted) before the dump
    is taken, otherwise there are no tags to display.
  • Make sure to specify the number 3 after the
    !poolused command (!poolused 3). This displays the
    pool tags in the same manner as the Poolsnap logs.
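
Comparing successive Poolsnap logs (or the !poolused output from dumps taken at different times) to isolate the growing tag, as an added example that is not part of the original presentation. The three snapshots below are constructed for the example, and their column layout is a simplified assumption: real Poolsnap output carries additional per-interval columns, so parse_poolsnap_log must be adapted to the tool's actual format before use on real logs. The tag names, counts and the 16 KB threshold are likewise invented.

```python
# Constructed poolsnap-style snapshots, three runs that in this example's
# story were taken an hour apart. Simplified column layout (assumption):
#   Tag  Type   Allocs    Frees   Diff    Bytes PerAlloc
# Diff is outstanding allocations (Allocs - Frees); Bytes is Diff * PerAlloc.
SAMPLE_POOLSNAP = """\
Tag  Type   Allocs    Frees   Diff    Bytes PerAlloc
File Nonp   123400   122900    500    64000      128
Ddk  Nonp     2120     2000    120     9600       80
Thre Nonp     9000     8700    300   174000      580
MmSt Page     4100     3900    200    25600      128
Tag  Type   Allocs    Frees   Diff    Bytes PerAlloc
File Nonp   130200   129700    500    64000      128
Ddk  Nonp     4480     4000    480    38400       80
Thre Nonp     9600     9310    290   168200      580
MmSt Page     4800     4560    240    30720      128
Tag  Type   Allocs    Frees   Diff    Bytes PerAlloc
File Nonp   137900   137390    510    65280      128
Ddk  Nonp     6840     6000    840    67200       80
Thre Nonp    10100     9800    300   174000      580
MmSt Page     5300     5090    210    26880      128
"""


def parse_poolsnap_log(text):
    """Split a log of successive snapshots into a list of {(tag, type): stats}."""
    snapshots = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Tag "):          # each header line starts a new snapshot
            snapshots.append({})
            continue
        tag = line[:4]                        # pool tags are exactly four characters, spaces included
        pool_type, allocs, frees, diff, nbytes, per_alloc = line[4:].split()
        snapshots[-1][(tag, pool_type)] = {
            "allocs": int(allocs), "frees": int(frees), "diff": int(diff),
            "bytes": int(nbytes), "per_alloc": int(per_alloc),
        }
    return snapshots


def rank_growing_tags(snapshots, min_growth_bytes=16384):
    """Tags whose outstanding allocations never drop between snapshots and
    whose byte footprint grew by at least min_growth_bytes overall,
    largest growth first. Stable or oscillating tags are filtered out."""
    first, last = snapshots[0], snapshots[-1]
    suspects = []
    for key in first:
        if key not in last:
            continue
        history = [snap[key]["diff"] for snap in snapshots if key in snap]
        never_shrinks = all(b >= a for a, b in zip(history, history[1:]))
        growth = last[key]["bytes"] - first[key]["bytes"]
        if never_shrinks and history[-1] > history[0] and growth >= min_growth_bytes:
            suspects.append({
                "tag": key[0], "type": key[1],
                "diff_growth": last[key]["diff"] - first[key]["diff"],
                "bytes_growth": growth, "diff_history": history,
            })
    suspects.sort(key=lambda s: s["bytes_growth"], reverse=True)
    return suspects


if __name__ == "__main__":
    for s in rank_growing_tags(parse_poolsnap_log(SAMPLE_POOLSNAP)):
        print(f"{s['tag']!r} {s['type']}: +{s['diff_growth']} allocs, "
              f"+{s['bytes_growth']} bytes, history {s['diff_history']}")
```

On the sample only the 'Ddk ' tag survives the filter: its outstanding count goes 120, 480, 840 and never falls back, while 'File' grows too little to matter and 'Thre' and 'MmSt' go up and down. Take the ranking as a shortlist rather than a verdict: a cache that is still warming up also grows monotonically, so confirm with a longer series before pointing at a driver.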

9
Loading the Dump
  • Use a batch file
  • To make the process of loading up dump files
    easier, create a batch file for each type of
    dump you may receive. The batch files are very
    small. Here's an example of the Windows 2000
    batch file (the symbol path is set to the build
    the dump came from, with an alternate path for
    hotfix and service pack symbols; the dump file
    is passed in as the first argument):

    set _NT_SYMBOL_PATH=\\Server1\Symbols\NT\2195-RTM\i386\symbols
    set _NT_ALT_SYMBOL_PATH=c:\debug\hotfixes\symbols;\\lcdebug\Symbols\NT\2195sp1\i386\symbols
    kd -server npipe:pipe=michmor -z %1
10
Loading the Dump (continued)
  • After creating the batch file, from a command
    prompt, type the batch file name followed by the
    path to the dump file, then press Enter.
  • Example:
  • c:\debuggers\win2kdebug.cmd \\Server1\share1\MEMORY_LAB1.DMP

11
Example of !Poolused
  • Here's the example of a !poolused command
    identifying the offending tag (the debugger
    output shown on the slide is not reproduced in
    this transcript).

12
Look at Virtual Memory
  • While you have the dump loaded, you might also
    want to verify any potential resource issue by
    using the !vm command, which summarizes overall
    virtual memory use including total nonpaged and
    paged pool in use against their limits.

13
Pool Tag Has Been Identified, Now What?
  • With Windows 2000 and the addition of the Driver
    Verifier feature, we are able to track each
    driver's pool allocations. So, now we have the
    pool tag, but in this example, we don't know what
    driver is causing the leak. What should we do
    now?
  • Narrow the list of drivers down to non-Microsoft
    drivers.
  • Now we can take that list and track their pool
    allocations through Driver Verifier.
  • To run Driver Verifier, simply type verifier in
    the Run box.
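
A way to shorten the list of drivers to hand to Driver Verifier, added here as an example and not part of the original presentation: because ExAllocatePoolWithTag takes the tag as a 32-bit immediate, the four tag bytes usually sit in a driver's image in the same order that !poolused displays them, so a byte search over the .sys files in the drivers directory names the candidates (this is the same thing as running findstr /m /l "Ddk " *.sys in %SystemRoot%\system32\drivers). The driver files, their contents and the tag 'Ddk ' below are all constructed stand-ins for the example, not real driver images or the tag from the slides.

```python
import shutil
import tempfile
from pathlib import Path


def find_drivers_using_tag(driver_dir, tag):
    """Return the names of .sys files under driver_dir whose bytes contain the 4-byte pool tag."""
    needle = tag.encode("ascii")
    if len(needle) != 4:
        raise ValueError("pool tags are exactly four bytes; pad with spaces if needed")
    hits = []
    for path in sorted(Path(driver_dir).glob("*.sys")):
        # A driver passes the tag to ExAllocatePoolWithTag as an immediate, so
        # on x86 the four bytes appear in the image in the order !poolused
        # prints them; a plain substring search finds that operand.
        if needle in path.read_bytes():
            hits.append(path.name)
    return hits


def build_constructed_driver_dir():
    """Create a temp directory of stand-in .sys files (constructed for this example, not real PE images)."""
    driver_dir = Path(tempfile.mkdtemp(prefix="drivers_"))
    stub_header = b"MZ\x90\x00" + b"\x00" * 60
    files = {
        # a third-party filter that allocates with the tag under suspicion
        "acmefilt.sys": stub_header + b"\xb9Ddk \x00" + b"\x00" * 16,   # mov ecx, imm32 'Ddk '
        # drivers that allocate with other tags
        "ntfs.sys": stub_header + b"\xb9Ntff" + b"\x00" * 16,
        "vendorhw.sys": stub_header + b"\xb9Vhw \x00" + b"\x00" * 16,
    }
    for name, data in files.items():
        (driver_dir / name).write_bytes(data)
    return driver_dir


def demo(tag="Ddk "):
    """Build the constructed driver directory, scan it for the tag, and clean up."""
    driver_dir = build_constructed_driver_dir()
    try:
        return find_drivers_using_tag(driver_dir, tag)
    finally:
        shutil.rmtree(driver_dir, ignore_errors=True)


if __name__ == "__main__":
    print("candidate drivers for tag 'Ddk ':", demo())
```

Treat the hits as candidates only: the four bytes can occur by coincidence, a driver that builds its tag at runtime or keeps it in a data table is missed, and several drivers can legitimately share a tag. Drop anything listed in the pooltag.txt that ships with the Debugging Tools (Microsoft's own tags), then enable Driver Verifier pool tracking on what remains, as the slides describe.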

14
Example of Driver Verifier
  • Type in verifier from the Run line.

15
Results from Driver Verifier
  • Demo from the VERIFY_MEMORY.DMP file.
  • Notice that the bugcheck code is 0xC4
    (DRIVER_VERIFIER_DETECTED_VIOLATION), which is
    specific to Driver Verifier. If you get any other
    stop code, it is not due to the setting in Driver
    Verifier.
  • The command to type in is !verifier 3, which will
    list the driver being tracked and all of its
    allocations.

16
Additional Notes
  • Location for latest debuggers:
  • http://www.microsoft.com/ddk/debugging/
  • When you install the latest debuggers, the latest
    Gflags.exe utility will also be installed.

17