Dude, where’s my RAM? (aka ShellExperienceHost steals my stuff)

So, there I was at my computer one night and I realized “wow, this thing is slow, wth”. No really, that’s what happened, scouts honor.

So I fired up TaskManager, my favorite level 1 triage tool.

taskman.png

And ZOINKS yo! (as Jay from Jay and Silent Bob fame is wont to say)

1.8GB of RAM. Not, like, stuff anywhere, but code in my RAM. Now granted, I have 24GB installed, but still. Why do bro?

So why is this happening? Let us discover why, on a vision quest-esque journey through Windows….

To find out what is going on, we need the PID, luckily for us, it’s right in front of us;

pid.png

Ok, so what are we going to do with that?

rammap1.png

We are going to check out the process and see what is going on here…

With VMMAP. Why? Dunno. Lets see.

heap.png

Ok so we attached VMMAP to the process, we see it’s all heap. The reason I did this, really, is because I had a pseudo-morbid curiosity that it might be META, but it’s heap. Okie, so spewage. Swell. Why? Dunno.

In comes Debug Diag 2.2

dd1.pngWhy yes Mr DebugDiag2.2, we want to analyze, (I hit cancel here btw)

dd2.png

Find the PID, create a dump for later perusal, why not.

dd3.png

Yay!

For fun I check strings on the process…w…t…h..strings.png

Apparently MeowMix took over my process….

whatevar.png

I right click, and tell DebugDiag to create a series of dumps on the process, start with a full, end with a full, make 8 dumps, 10 seconds apart. Ok? Ok!

working.png

Now we’re cookin with gas!

proof.png

Hey look, dumpage!

analysis.png

Now I fire up the easy button. Do you have an easy button? Mine is named “DebugDiag 2 Analysis”.

anal1.png

I check “PerfAnalysis” cause it’s a series of dumps, and leaktrack would not insert so it’s not present to track on.

anal2.png

Add the dumps, and start (assuming you have a valid symbol path, I do).

Ok, so why are we taking up 1.8 GB of ram for a suspended process in Windows?

I hate to say it, I really do. Cause I like these guys, but it looks like it might be Nvidia….

derp.png

DebugDiag’s report is a clarion call from on high. Update yo drivers sir!

Someone already bitched, and they bitched August 1st.

NVIDIA Drivers hanging Outlook

Someone did my work for me. They have the same stacks complaining, just different Thunks. Thunk!

You ain’t thunk, you ain’t nothin!

Anyway I was on 384.94 courtesy of WU, 385.28 released 8/14. A little behind. But still my problem persists….after updating.

 

Sigh… maybe someday I can has my RAM back?

nvwgf2umx_cfg!NVAPI_Thunk+9ce75
nvwgf2umx_cfg!NVAPI_Thunk+d001a
nvwgf2umx_cfg!NVAPI_Thunk+7b736d

kinda reads like a haiku….a haiku of eating my ram….or maybe Windows needs 2GB now to display the shell? The world may never know.

This post brought to you by the gram positive cocci that put me in the hospital last week.

Leave a comment

Your email address will not be published. Required fields are marked *

Exit mobile version