I have my Windows 10 bluescreen several times and I have memory dump and running !vm
produces output below showing 0 available PTEs. How do I find out postmortem who leaked those or monitor on live system which process/driver responsible for leak?
0: kd> !vm
Page File: \??\C:\pagefile.sys
Current: 9961472 Kb Free Space: 9961464 Kb
Minimum: 9961472 Kb Maximum: 62351824 Kb
Page File: \??\C:\swapfile.sys
Current: 16384 Kb Free Space: 16376 Kb
Minimum: 16384 Kb Maximum: 49881460 Kb
No Name for Paging File
Current: 129378408 Kb Free Space: 129362880 Kb
Minimum: 129378408 Kb Maximum: 129378408 Kb
Physical Memory: 16756646 ( 67026584 Kb)
Available Pages: 11876350 ( 47505400 Kb)
ResAvail Pages: 15917045 ( 63668180 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 0 ( 0 Kb)
********** Running out of system PTEs **************
Modified Pages: 249289 ( 997156 Kb)
Modified PF Pages: 249261 ( 997044 Kb)
Modified No Write Pages: 25 ( 100 Kb)
NonPagedPool Usage: 3042 ( 12168 Kb)
NonPagedPoolNx Usage: 103383 ( 413532 Kb)
NonPagedPool Max: 4294967296 (17179869184 Kb)
PagedPool 0: 144048 ( 576192 Kb)
PagedPool 1: 31595 ( 126380 Kb)
PagedPool 2: 31923 ( 127692 Kb)
PagedPool 3: 31631 ( 126524 Kb)
PagedPool 4: 31714 ( 126856 Kb)
PagedPool Usage: 270911 ( 1083644 Kb)
PagedPool Maximum: 4294967296 (17179869184 Kb)
Processor Commit: 1348 ( 5392 Kb)
Session Commit: 17782 ( 71128 Kb)
Shared Commit: 658461 ( 2633844 Kb)
Special Pool: 0 ( 0 Kb)
Kernel Stacks: 26919 ( 107676 Kb)
Pages For MDLs: 395401 ( 1581604 Kb)
Pages For AWE: 0 ( 0 Kb)
NonPagedPool Commit: 97838 ( 391352 Kb)
PagedPool Commit: 270911 ( 1083644 Kb)
Driver Commit: 19721 ( 78884 Kb)
Boot Commit: 2732 ( 10928 Kb)
PFN Array Commit: 196913 ( 787652 Kb)
System PageTables: 3267 ( 13068 Kb)
ProcessLockedFilePages: 306 ( 1224 Kb)
Pagefile Hash Pages: 0 ( 0 Kb)
Sum System Commit: 1691599 ( 6766396 Kb)
Total Private: 4330147 ( 17320588 Kb)
Misc/Transient Commit: 9281 ( 37124 Kb)
Committed pages: 6031027 ( 24124108 Kb)
Commit limit: 19247014 ( 76988056 Kb)
Pid ImageName Commit SharedCommit Debt
598c vmmem 3677256 Kb 0 Kb 0 Kb
4d4 RemoteDesktopManager.exe 1367276 Kb 473008 Kb 0 Kb
6300 vmmem 1050684 Kb 0 Kb 0 Kb
207c vmmem 1050684 Kb 0 Kb 0 Kb
1d18 vmmem 1050684 Kb 0 Kb 0 Kb
276c powershell.exe 713052 Kb 4660 Kb 0 Kb
483c chrome.exe 635112 Kb 130192 Kb 0 Kb
3ad4 chrome.exe 525988 Kb 20672 Kb 0 Kb
From Russinovich, Mark; Solomon, David; Ionescu, Alex. Windows Internals, Part 2 (6th Edition) (Developer Reference)
you can enable system PTE tracking by creating a new DWORD value in the HKLM\ SYSTEM\ CurrentControlSet\ Control\ Session Manager\ Memory Management key called TrackPtes and setting its value to 1. You can then use !sysptes 4 to show a list of allocators
So you could try to
livekd
on the running system and execute !sysptes 4
to get al list of allocators!sysptes 4
on a dump you collect