Memory leak in Windows kernel with GPO setting "Audit System Integrity" set to "Success and Failure" (Windows 2016 Server and Windows 10)


Uiguedail

Hello to all


I have detected a memory leak in the Windows kernel.


Environment:

- 2016 Server (2016 DataCenter edition) acting as a domain controller
- Windows 10 workstations (Windows 10 Enterprise 2016 LTSB)
- 2016 Servers (2016 DataCenter editions) in other roles, such as terminal servers

Occurs on:

Both Windows 2016 Servers and Windows 10 Workstations

Most likely the problem also occurs on lighter editions of Windows OS.


The culprit is a security-hardening GPO setting, applied on the domain controller:

"Advanced Audit Policy Configuration" > "System" > "Audit System Integrity" = "Success and Failure"

For example, Microsoft's recommendation "SCM Windows Server 2016 - Member Server Baseline - Computer (20180219)" sets this GPO setting.

Symptoms:

Any application that is started leaks 5-20 kB of memory on the kernel side.
Servers and workstations run out of memory after 1-2 weeks, depending on the operating conditions.

Task Manager does not show any application using huge amounts of memory,
just that the total amount of available memory gets lower and lower.

It does not seem to matter if the application is 32-bit or 64-bit.


Steps to verify:


1) Install poolmon from the Windows Driver Kit (WDK) on the target machine

2) You can use any test application or create a test .cmd file containing:

@echo off
:loop
cmd /c "echo foo"
timeout /t 1
goto loop

3) Set the GPO setting so that it applies in the target machine,
preferably in a domain environment and by using "gpupdate /force"

4) Start poolmon from the command prompt using the following command-line

poolmon -b -iToke

5) Start the .cmd file created in step 2 from the command prompt

6) Watch the amount of kernel memory used by driver tag "Toke" grow ever higher, about 5-10 kB every screen update.
Eventually this eats up all available memory.

7) After a while, set the GPO setting from "Success and Failure" to "Failure" only.
Use "gpupdate /force" if needed. The memory counters reported by poolmon should stabilize shortly.
After a while, the memory counters of the driver tag should remain somewhat constant instead of growing all the time.

Notes:


Some other driver tags also show ever-growing memory counters, such as the "SeAt" tag,
but the "Toke" tag had the highest counter values.


This was tested originally on virtual machines.
I'd like to have this problem corrected on the kernel side.


// U
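The verification steps above rely on watching poolmon's per-tag counters by eye. The following PowerShell script is an added example, not code from the original post or from Microsoft: it records the audit setting currently in effect, then repeatedly launches the same short-lived child process the post's .cmd loop uses while sampling total kernel pool usage through the built-in Memory performance counters, and reports the average pool growth per launched process. Run it once with "Audit System Integrity" at "Success and Failure" and once at "Failure" only and compare the per-launch figure. The default iteration counts and the use of the aggregate pool counters are assumptions; the aggregate counters cannot attribute growth to a specific tag, so poolmon's "Toke" view is still needed for that.

```powershell
# Added example (not from the original post): measure kernel pool growth per
# spawned process under the current audit policy. Defaults are assumptions.
param(
    [int]$Iterations = 100,   # number of child-process launches
    [int]$SampleEvery = 20    # take a pool sample after every N launches
)

# Record which audit setting is in effect so the run is self-documenting.
# "System Integrity" is the subcategory name used by auditpol for this policy.
"Audit policy in effect:"
auditpol /get /subcategory:"System Integrity"

function Get-PoolBytes {
    # Paged + nonpaged kernel pool from the built-in Memory counters.
    $c = Get-Counter -Counter '\Memory\Pool Paged Bytes', '\Memory\Pool Nonpaged Bytes'
    $paged    = ($c.CounterSamples | Where-Object { $_.Path -like '*pool paged bytes' }).CookedValue
    $nonpaged = ($c.CounterSamples | Where-Object { $_.Path -like '*pool nonpaged bytes' }).CookedValue
    [pscustomobject]@{ Paged = [int64]$paged; Nonpaged = [int64]$nonpaged }
}

$baseline = Get-PoolBytes
$samples  = @()

for ($i = 1; $i -le $Iterations; $i++) {
    # Same trigger as the post's .cmd loop: a child cmd.exe that exits at once.
    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'echo foo' -WindowStyle Hidden -Wait

    if ($i % $SampleEvery -eq 0) {
        $s = Get-PoolBytes
        $samples += [pscustomobject]@{
            Launches        = $i
            PagedDeltaKB    = [math]::Round(($s.Paged    - $baseline.Paged)    / 1KB, 1)
            NonpagedDeltaKB = [math]::Round(($s.Nonpaged - $baseline.Nonpaged) / 1KB, 1)
        }
    }
}

$samples | Format-Table -AutoSize

if ($samples.Count -gt 0) {
    # Pool usage also moves with unrelated system activity, so look at the trend
    # across samples rather than any single value. A steady positive per-launch
    # figure that disappears when the policy is set to "Failure" only is the
    # signature the post describes.
    $last = $samples[-1]
    $perLaunchKB = ($last.PagedDeltaKB + $last.NonpagedDeltaKB) / $last.Launches
    "Average pool growth per launched process: {0:N2} kB" -f $perLaunchKB
}
```

Run it from an elevated PowerShell prompt (auditpol needs administrative rights). Because the aggregate counters include every driver's allocations, keep the machine otherwise idle during the run and treat a result within a kilobyte or so of zero as noise; the point of the script is to turn "the counter keeps going up" into a number that can be compared between the two policy settings.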
