All Products
Document Center

Introduction to Windows memory analysis tools

Last Updated: Dec 15, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.



Microsoft provides a variety of tools to analyze memory usage in Windows, including the built-in Task Manager, Resource Manager, Performance Monitor), sysonals, such as RAMMap and lmon, can also be used to analyze memory problems. This article briefly introduces how to use these tools. For more information, see related Microsoft links.



Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

The following steps describe how to use the following tools.

Tips: This article is for reference only when you use Windows ECS instances. The Microsoft official link referenced in this article belongs to Microsoft. Please note the scope of operating systems applicable to the article, as well as possible problems caused by Microsoft Windows product iteration or delayed document update. Alibaba Cloud is not officially responsible for the reference of Microsoft official links.


Task Manager

In Windows, you can use the task manager to monitor the memory and display detailed memory usage processes. In particular, when checking the virtual memory usage in performance, you can view the usage by using the committed Bytes and Commit Limit statements. If the submitted virtual memory is very close to the upper limit, the system will have performance problems.


Windows 2008 R2

  1. Open the Task Manager, click performance through the task manager to view memory usage.
  2. You can also add various types of memory metrics for inspection. Open the Task Manager and select view in sequence > Select columns to add various memory metrics. Specifically, add memory-working set (check the physical memory usage of the process) and memory-submission size (non-reserved virtual memory space).


Windows 2012

Open the Task Manager, click performance through the task manager to view memory usage.


Resource Monitor

Task Manager allows you to open a Resource Manager to further check memory usage, especially for each process. Focus on each process. Submit (KB) memory size, used to monitor whether any process consumes too many resources.

The use of physical memory includes the following parts.

  • The memory reserved for the hardware.
  • Memory in use: the memory used by processes, drivers, and operating systems.
  • Modified memory: the content must be written to the disk before it can be used for other purposes.
  • Backup memory: memory that contains unused cache data and code.
  • Available memory: memory that is not included in any valuable data and is used first when processes, drivers, and operating systems require more memory.
  • Cache: When a file is opened, the system stores the file in the cache so that it can be quickly read and written next time. Windows 2008 R2 and later versions also restrict the use of this cache. Some physical memory is not cached to ensure that even if the cache is too large, physical memory is also available to meet the application requirements.


Performance Monitor

Performance Monitor is an important tool for Windows to Monitor and collect system resource consumption.

  1. To monitor performance consumption, you can add a specified counter to check the system resource consumption in real time.
  2. In addition, you can also select data collection collection in turn > User-defined, manually add various counters such as Logical Disk, Memory, System, Processor, and Process to collect the real-time running status of various System resources, and define the collection frequency by sampling interval. For example, if a memory leak occurs for a long time before it recurs, you can set the sampling interval to 5 seconds. If the machine is prone to CPU exceptions, you can set the sampling interval to 1 second.


RAMMap and Process Explorer


Sometimes you cannot view the processes that consume abnormal memory in the monitoring window of the task manager, but the physical memory displays the status of the loaded process. This is typically due to memory usage at the underlying layer of the system. You can use RAMMap to view the system memory usage. This tool is Microsoft's official software. For more information, see RAMMap. Open RAMMap to view the memory usage of the system that is not displayed in task manager.


Process Explorer

Process Explorer allows you to view the detailed resource usage of a Process. For example, you can view the memory usage of a Process after the Process is enabled.


Pool Monitor

For the WIndows kernel, the two core memory resources are non paged pool (non-page buffer pool) and paged pool (page buffer pool). The operating system is experiencing memory performance problems, which may be due to the consumption of the above two resources. Although the preceding tools can be used to view resource consumption, use lmon to locate the system Tag that consumes resources. For more information, see PoolMonitor.


Check the perfmon log to find out which Pool Tag causes the resource to run out. For example, if the IoDn Tag causes the resource to run out, use the following command to locate SafeDogFileGuard.sys, and then solve the problem by modifying the application.

findstr /m /1 IoDn *.sys

The following command output is returned.


Application scope

  • ECS