0xDEADBEEF 43 Posted July 31, 2017 Share Posted July 31, 2017 (edited) I am helping someone to report a potential memory issue. He is using ESET Smart Security 10.1.219. The problem was that the available memory kept decreasing after booting up the machine. He didn't find any process that was taking up such huge amount of memory. He couldn't even browse website properly in such scenario. His observation was as long as the web browser (firefox) was open, the available amount of memory kept decreasing, and finally made computer unusable. After turning off the "Enable application protocol content filtering" under "Web and Email", he could browse the website and the avail RAM didn't decrease any more. However, the available amount of physical memory is still pretty low with this setting (<3GB). After rolling back to 10.0.390, the problem is resolved. Environment: OS: Windows 10 Pro 1703 CPU: Ryzen 5 1600 RAM: 16GB Edited July 31, 2017 by 0xDEADBEEF Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted July 31, 2017 Administrators Share Posted July 31, 2017 What memory usage do you see in the task manager for ekrn.exe and egui.exe? Link to comment Share on other sites More sharing options...
itman 1,748 Posted July 31, 2017 Share Posted July 31, 2017 9 hours ago, 0xDEADBEEF said: Environment: OS: Windows 10 Pro 1703 Is the OS ver. 32 or 64 bit? Link to comment Share on other sites More sharing options...
cnfcomps 0 Posted August 1, 2017 Share Posted August 1, 2017 I have a customer that also has this problem with 10.1.219.0 on Windows 7 Home Premium x64. Is there an installer available for a slightly older version? Thanks, Matt. Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted August 1, 2017 Author Share Posted August 1, 2017 On 7/31/2017 at 7:46 AM, itman said: Is the OS ver. 32 or 64 bit? 64-bit win10 Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted August 1, 2017 Author Share Posted August 1, 2017 On 7/31/2017 at 0:38 AM, Marcos said: What memory usage do you see in the task manager for ekrn.exe and egui.exe? ekrn 42,104k, egui 16,404k Attached screenshot sorts the mem consumption from highest to lowest. As you can see, the memory in use (green bar) exceeds 13GB. 10.1.210.2 and 10.1.204.1 have the same issue. ver390 is fine Link to comment Share on other sites More sharing options...
itman 1,748 Posted August 1, 2017 Share Posted August 1, 2017 (edited) 59 minutes ago, 0xDEADBEEF said: Attached screenshot sorts the mem consumption from highest to lowest. As you can see, the memory in use (green bar) exceeds 13GB. Weird. However, the Win 10 build is using CE and that is buggy as hell. My mem. allocation is constant w/ ver. 1607. I would set the Win 10 Min. and Max. virtual memory allocation to the same value, like 2 GB, and see if that makes a difference. Edited August 1, 2017 by itman Link to comment Share on other sites More sharing options...
itman 1,748 Posted August 1, 2017 Share Posted August 1, 2017 This should resolve who "is the culprit" in regards to in regards to memory usage. Download Process Explorer from here: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer . It's a portable app and will run from anywhere. Run it as Admin.. Click on "View." Then click on "Select Columns." Click on the "Process Memory" tab. Select the following: Private Bytes Peak Private Bytes Working Set Size Peak Working Set Size You can keep Process Explorer running or open it up periodically to examine the above "Peak" columns. This should point you to whom the offending processes is. For example on my PC for ekrn.exe, peak private bytes is 244 MB and peak working set size is 352 MB with current private bytes of 45 MB and working set size of 146 MB. Link to comment Share on other sites More sharing options...
elpamyelhsa 0 Posted August 15, 2017 Share Posted August 15, 2017 Had this on two PCs this week NonPaged Pool data is maxing out RAM until Windows becomes unstable No process is claiming the RAM in Microsoft Process Explorer Microsoft Tool RAMMan shows NonPaged Pool 90% of RAM usage (2.9GB on both machines with 4GB RAM) Microsoft tool Poolmem.exe shows the driver issue ESET 10.1.219.0 on Windows 7 Pro one machine 32bit and one x64 On 8/2/2017 at 2:35 AM, itman said: This should resolve who "is the culprit" in regards to in regards to memory usage. Download Process Explorer from here: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer . It's a portable app and will run from anywhere. Run it as Admin.. Click on "View." Then click on "Select Columns." Click on the "Process Memory" tab. Select the following: Private Bytes Peak Private Bytes Working Set Size Peak Working Set Size You can keep Process Explorer running or open it up periodically to examine the above "Peak" columns. This should point you to whom the offending processes is. For example on my PC for ekrn.exe, peak private bytes is 244 MB and peak working set size is 352 MB with current private bytes of 45 MB and working set size of 146 MB. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted August 15, 2017 Administrators Share Posted August 15, 2017 If you suspect memory leaks to be caused by ESET, please generate a complete memory dump as per http://support.eset.com/kb380. When done, compress the dump, collect logs with ELC, upload both archives to a safe location and pm me download links. Link to comment Share on other sites More sharing options...
bsheairs 0 Posted August 21, 2017 Share Posted August 21, 2017 What is the resolution to this post? I recently updated to 10.1.219 and started experiencing the same memory leak. The way I confirmed the issue was ESET, was booting into clean mode, and then slowing turning everything back on. Once I Enabled ESET the memory leak started to appear. I am in the process of acquiring the memory dump logs, although I do not have Complete as the support article suggests. I am running Windows 7 Ultimate 64bit with 12GB of ram. Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted August 22, 2017 Author Share Posted August 22, 2017 The person who originally reported this issue provided the dump: https://1drv.ms/u/s!AkO8JVZQ3apzg1lBNYrnDzsah7PI Hopefully ESET could fix this issue soon. Please let me know if more info is needed. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted August 22, 2017 Administrators Share Posted August 22, 2017 In safe mode or with Self-defense disabled, import the attached reg file to enable heap tracing for ekrn. Then restart the computer. Make sure that Full dumps are enabled in the advanced setup -> Tools -> Diagnostics. When you notice a high memory use by ekrn, generate a dump via advanced setup -> Tools -> Diagnostics -> Create (dump). When done, collect logs with ELC, upload the zip file to a safe location and pm me a download link. Finally you can disable heap tracing by importing the appropriate reg file. ekrn_heap_tracing.rar Link to comment Share on other sites More sharing options...
elpamyelhsa 0 Posted August 23, 2017 Share Posted August 23, 2017 12 hours ago, Marcos said: In safe mode or with Self-defense disabled, import the attached reg file to enable heap tracing for ekrn. Then restart the computer. Make sure that Full dumps are enabled in the advanced setup -> Tools -> Diagnostics. When you notice a high memory use by ekrn, generate a dump via advanced setup -> Tools -> Diagnostics -> Create (dump). When done, collect logs with ELC, upload the zip file to a safe location and pm me a download link. Finally you can disable heap tracing by importing the appropriate reg file. ekrn_heap_tracing.rar I have had a 3rd PC do this now and captured a memory dump as previously requested. Unfortunately it is 8GB in size but i can share it still if you like. Removing v10, Installing v9 and upgrading to v10 seems to resolve the issue. Previously on another faulting machine, removing v10 and reinstalling v10 would not fix the issue. To do the 'dump' you have requested here i will have to wait for the next machine exhibiting this bug. Working in IT this shouldn't be an issue. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,168 Posted August 23, 2017 ESET Moderators Share Posted August 23, 2017 Hello guys, can you please share the output from the Poolmon utility for us to check? Regards, P.R. Link to comment Share on other sites More sharing options...
elpamyelhsa 0 Posted August 24, 2017 Share Posted August 24, 2017 (edited) 13 hours ago, Peter Randziak said: Hello guys, can you please share the output from the Poolmon utility for us to check? Regards, P.R. Here is a full dump during this issue. https://elpamsoft-my.sharepoint.com/personal/ashley_elpamsoft_com/_layouts/15/guestaccess.aspx?docid=066895d4cc1d045d1af77d429b4c78a75&authkey=AfKbO9rYKljUhOGhmx8Nu7M I will wait for the next PC to come in with this error to provide Poolmon info. Edited August 24, 2017 by elpamyelhsa Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,168 Posted August 24, 2017 ESET Moderators Share Posted August 24, 2017 Hello all, In case you have pool leak please try to run EpfwWfpRegV10.1.3.exe /unreg from an elevated command line and reboot the system. The utility is available at: http://ftp.nod.sk/~randziak/EpfwWfpRegV10.1.3.exe Please let us know if the leaks are fixed after using the utility. @elpamyelhsa thank you for the provided dump file. Thank you, P.R. Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted August 25, 2017 Author Share Posted August 25, 2017 On 8/24/2017 at 1:31 AM, Peter Randziak said: Hello all, In case you have pool leak please try to run EpfwWfpRegV10.1.3.exe /unreg from an elevated command line and reboot the system. The utility is available at: hxxp://ftp.nod.sk/~randziak/EpfwWfpRegV10.1.3.exe Please let us know if the leaks are fixed after using the utility. @elpamyelhsa thank you for the provided dump file. Thank you, P.R. No, the issue still persists Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,168 Posted August 28, 2017 ESET Moderators Share Posted August 28, 2017 Hello @0xDEADBEEF , so far I got only positive feedback on this i.e. after using the utility and system reboot, the issue was solved so in your case it is probably something different. Can you please try the utility once more from the elevated command line, set your system to be able to generate full manual memory dump, reboot the system and if you see the non-paged pool in GiBs again, get the full memory dump, pack it, upload it online and send me a download link so we can check it. Regards, P.R. Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted August 29, 2017 Author Share Posted August 29, 2017 On 8/28/2017 at 8:00 AM, Peter Randziak said: Hello @0xDEADBEEF , so far I got only positive feedback on this i.e. after using the utility and system reboot, the issue was solved so in your case it is probably something different. Can you please try the utility once more from the elevated command line, set your system to be able to generate full manual memory dump, reboot the system and if you see the non-paged pool in GiBs again, get the full memory dump, pack it, upload it online and send me a download link so we can check it. Regards, P.R. We tried again but it still doesn't help. I've sent you the download link of the dump through private message. Link to comment Share on other sites More sharing options...
obiwan 0 Posted September 4, 2017 Share Posted September 4, 2017 I have the same problem Under window 7. The memory fills up. Computer unusable. Useless to recommend downloading an application or anything else, internet access is also down. Only way out is reboot in safe mode and uninstall 10.1.219 by recovery to previous status. This 10.1.219 has clearly a major technical problem that ESET need to fix urgently. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted September 4, 2017 Administrators Share Posted September 4, 2017 2 minutes ago, obiwan said: I have the same problem Under window 7. The memory fills up. Computer unusable. Useless to recommend downloading an application or anything else, internet access is also down. Only way out is reboot in safe mode and uninstall 10.1.219 by recovery to previous status. This 10.1.219 has clearly a major technical problem that ESET need to fix urgently. Did you run "EpfwWfpRegV10.1.3.exe /unreg" as an administrator as instructed above? It should fix callouts registered by very old versions of ESET (v4). The issue should be fixed after the subsequent system restart. Link to comment Share on other sites More sharing options...
cnfcomps 0 Posted September 5, 2017 Share Posted September 5, 2017 I had another customer with the memory leak symptoms and tried out the 'EpfwWfpRegV10.1.3.exe /unreg' solution. It fixed the problem! Thank you very much for posting this. I''ll now try and make appointments with two other customers that were having the same problem and see if it fixes it for them as well. Matthew Green. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted September 5, 2017 Administrators Share Posted September 5, 2017 We're going to release v11 with a fix to the issue soon. Link to comment Share on other sites More sharing options...
obiwan 0 Posted September 7, 2017 Share Posted September 7, 2017 On 9/4/2017 at 10:30 PM, Marcos said: Did you run "EpfwWfpRegV10.1.3.exe /unreg" as an administrator as instructed above? It should fix callouts registered by very old versions of ESET (v4). The issue should be fixed after the subsequent system restart. Once I understood that you meant to run it BEFORE the installation of 10.1.219, yes I did. After the installation it's impossible as the computer is almost totally frozen and has no internet access. And yes it fixed the problem. Thank you. Just one suggestion: include a cleanup of the registry from all previous version's garbage, by default, in any installation of a new version. it would save a lot of trouble and waste of time to customers. Thanks again for the fix ! Link to comment Share on other sites More sharing options...
Recommended Posts