Analyze Windows memory usage with RAMMap

• Author
• Recent Posts

Leos Marek

Leos has started in the IT industry in 1995. For the past 15+ years he focused on Windows Server, VMware administration and security. Recently, Leos is focusing on automation via Ansible. He is also a Certified Ethical Hacker.

Latest posts by Leos Marek (see all)

• AccessChk: View effective permissions on files and folders - Thu, Apr 13 2023
• Read NTFS permissions: View read, write, and deny access information with AccessEnum - Wed, Mar 29 2023
• Kill Windows a process with Tskill and Taskkill - Mon, Mar 13 2023

Apart from hardware failure, two scenarios are the most common when we speak about memory issues. Either the overall system memory usage is too high (in other words, there is low or no free memory), leading to poor system performance, or the memory usage of a single application (process) is too high, leading to poor application performance. Both cases can be troubleshooted by tools from the Sysinternals suite—RAMMap for the first case and VMMap for the second. Today, I will show you how to use RAMMap to analyze Windows memory usage. Single-process analysis using VMMap will be covered in a separate post.

RAMMap is an advanced physical memory analysis tool. It focuses on memory as a system-wide resource shared by all processes. It allows you not only to analyze memory usage but also to empty specific parts of the memory when needed. RAMMap has seven tabs, each showing a different RAM perspective, including allocation type, per-process usage, file memory usage, and more. It has only a single executable file that works in both 32- and 64-bit versions of Windows. Administrative rights are required to run the tool.

Use counts

The Use Counts tab shows RAM by allocation type and page list. The table columns and the graph above them show how much RAM is allocated in different page lists. The RAM allocation types are presented in the table rows and the graph on the left side.

The Use Counts tab shows RAM by allocation type

The main page lists shown are as follows:

• Active—Memory that is immediately available for use. It is already in the working set of a user or system process (or processes), as well as a nonpaged pool and AWE locations.
• Standby—Memory in cache that has been removed from a working set but can be repurposed without incurring a disk I/O.
• Modified—Memory that has been removed from a working set and has already been modified but not yet written to disk. It can only be repurposed by the same working process it was removed from; otherwise, it must be written to disk before reuse.
• Zeroed—Memory initialized with all zeroes. It is available for allocation.
• Free—Memory not in use and not initialized to zeroes. It is available for allocation if initialized from a disk read. If needed, the memory manager can zero pages from free memory before giving them to a user process.

The main memory allocation types shown are:

• Process Private—Can be used by a single process only.
• Mapped File—Represents a file on disk, such as executables and DLLs. It is shareable memory.
• Shareable—Memory that can be shared by multiple processes and paged out to a disk.
• Paged Pool—Kerner-allocated memory that can be paged out to a disk.
• Nonpaged Pool—Kernel-allocated memory that must always remain in physical memory.
• Session Private—Memory allocated by session drivers (e.g., keyboard, mouse) for use by a terminal services session.
• Metafile—Memory that represents file system metadata, such as the MFT table.
• Driver Locked—Memory allocated by a driver and charged to system commit. Microsoft Hyper-V uses driver-locked memory to provide RAM to virtual machines.
• Unused—Memory not in use.

Processes

The Processes tab shows the list of all processes and RAM pages associated with each process. The Private column shows the amount of process private RAM allocated on the Active page (shown on the Use Counts tab). The Standby and Modified columns represent the same values as the Use Counts tab. The Page Table is a summary of kernel-mode allocated pages for the process.

The Processes tab shows memory usage for each running process

Priority Summary

This tab shows the amount of RAM in the Standby allocation type sorted by priority. Standby memory can be reused by the working set it was released from or repurposed to satisfy new allocation requests, as shown in the Repurposed column. If you see high repurposed numbers for priority 5 and higher, the system is or was under high memory load. Adding more RAM to the system should be considered.

Priority Summary of standby memory

Physical Pages

The Physical Pages tab shows individual memory pages. Each memory page has a size of 4 kilobytes. For each memory page, you can see the list it belongs to, what the page use (allocation) type is, its priority, and a file name if that page contains a mapped file. This type of information is very advanced. It is normally not needed for an administrator but rather for a programmer. You can use CTRL+F here to search for a specific file name, or use a filter at the bottom.

Physical Pages show advanced page information

Physical Ranges

The Physical Ranges tab shows valid ranges of RAM memory. Again, this kind of information is not usually needed when troubleshooting a performance issue. Discontinuities in the sequences normally indicate memory assigned to a device, such as a graphical card memory for CPUs with a graphical processor inside.

File Summary

The File Summary tab lists the path to every mapped file that has allocated RAM. Here, you can see the total amount of RAM used, how much is Active, Standby, and so on. There are various reasons why Windows can map files into the memory: executables and DLL files are mapped when they need to be loaded, the cache manager can map files when the application performs caches I/O on it, etc.

The File Summary page lists all files that have allocated RAM

This tab can significantly help you when troubleshooting memory issues. For example, when troubleshooting a single application, you can simply sort the list by path name and search for your application installation path. Then, you can see which files are loaded in the memory and how much they are allocated. You can also use CTRL+F to search for a specific file or path.

File Details

Similar to the File Summary tab, the File Details tab lists all files loaded in the RAM and the total amount of RAM occupied. If you click the plus icon, it will show all physical pages that the file occupies.

Empty physical memory

As mentioned at the beginning, RAMMap allows you not only to analyze RAM usage, but can also empty specific portions of RAM. This can be useful for measuring application RAM usage after an application has started, or after testing specific actions inside the application. The Empty menu offers the following options:

• Empty Working Sets—Clears all user and system working sets (active memory) and moves the data to Standby or Modified pages
• Empty System Working Set—Clears the system cache working set
• Empty Modified Page List—The Flushed Modified page list and writes unsaved data to disk
• Empty Standby List—Purges the Standby pages and moves them to the Free pages.
• Empty Priority 0 Standby List—Same as the Empty Standby List, but purges only pages of the lowest priority

Capture the data to a file

RAMMap can also capture all RAM details in a file for later use or for analysis on a different computer. You can save the data from the tool's File menu, as well as from the command line. To capture the data from the command line, use the following command:

rammap.exe myfile.rmp /accepteula

To open the result file from the command line, use:

rammap.exe -o myfile.rmp

Final words

Troubleshooting memory issues is not always an easy, straightforward task. In this post, you learned how to use RAMMap to do basic memory analysis. You may find more detailed information on how memory management in Windows works in publications mentioned in the RAMMap documentation. In addition, you can watch this old but still very handy video guide.