4

Looking for a memory leak I recently noticed that the Virtual Memory value reported by Process Explorer (procexp.exe by Microsoft/Sysinternals v16.26) is very high - like about 2.1TB where my laptop has 32GB RAM running Win 10Pro X64. Here for example, it reports that the virtual memory size of a Chrome.exe process is 2,151,819,136 KB. Any idea what may be causing that?

enter image description here

Dror Harari
  • 3,076
  • 2
  • 27
  • 25
  • 1
    This is an expected side effect of programs being compiled with [Control Flow Guard](https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard). – that other guy Jul 05 '19 at 22:43

1 Answers1

5

Thanks that-other-guy for the tip.

As Alex Ionescu explains in his post (How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes), High Entropy ASLR (HEASLR), Top-down Randomization and Anonymous Memory Randomization causes the high virtual address to be used and as such the process virtual address space hovers around 2TB.

The figure below from Alex's post shows how all programs built with /CFG have their virtual memory size at 2TB:

enter image description here

Dror Harari
  • 3,076
  • 2
  • 27
  • 25
  • 1
    How does this effect processes that run on Mono in Linux? I have seen processes that get killed because of the excessive usage of virtual memory. – Martin Sep 02 '20 at 07:57
  • 1
    It should have no impact on Mono in Linux as this is purely an artifact of the OS behavior that does not mean more virtual memory is used (other than in the size of the memory table) only higher addresses are used. – Dror Harari Sep 03 '20 at 21:27