Memory usage of 500Mb+ by cmdagent [M366]

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (7.0.313494.4115)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Thank you.

PM sent.

CIS 7.0.317799.4142
Win XP x64

500+ MB?
Take a look at that! 8)

Thank you for checking this. I have updated the tracker.

Looks like a memory leak to me. After a restart (Can’t have a program eat 16GB of my RAM) the usage grows steadily. Now, at almost 4 days up time, the usage is ~2400 MB.

Thanks. I’ve updated the tracker with the updated information.

HackAR, if you don’t mind, could you follow the advice given here and make a Complete Memory Dump when the memory usage is very high. If you have any questions at all please let me know.

Thank you.

Complete memory dump is not an option. This would include several crypt keys, I’m not willing to submit to anyone :wink:
May I offer any other help? VS2010 is installed. I might try a debugging tool of your choice also.

P.S. 5d 05h uptime: ~3300 MB usage.

In that case please follow the steps on this page.
Please do not overlook the additional note just before the ‘licence’ heading as it may be important.

Also, note that you will need to rename cmdguard.sys and reboot before attaching the debugger. This is because cmdguard protects the memory of CIS from access in V7. This may also then require running the diagnostics program and allowing it to think it has fixed the problem, and possibly a second reboot after running diagnostics too. This is not entirely clear as I have not tested it.

If you run into trouble while trying to use this, mouse1 may be available to help within the next couple of days. However, at the moment neither of us has entirely tested this entire procedure. Let me know how it goes, but if it’s too frustrating it’s best to wait until mouse1 better understands all steps of the procedure.

Thank you.

Ok, I got parts of Windows SDK 7.1 installed, including Debugging Tools. I will try to follow the procedure later, since it requires a reboot. It might take a few days, but I’m on it :slight_smile:

Hi, I have just checked how to disable cmdagent memory protection in V7. This should allow the debugger to be attached.

The easiest way is to go into Killswitch and look on the drivers list for cmdguard.sys, and set the startup type to disabled, then reboot. To reverse set it back to the original startup type (system start) and reboot. (You can also rename the file in System32\drivers and reboot, but this is a bit more fiddly).

Unfortunately this will disable the auto-sandbox - but you could use HIPS in safe mode to provide protection instead. If you do you will need to make the debugger an exception under HIPS Rules ~ Comodo Internet Security Group ~ Edit ~ Protection tab ~ Memory access ~ Modify ~ Exclusions.

If the leak does not occur with cmdguard.sys disabled, then it must be in a routine which interacts with cmdguard, which will itself help the devs to find it.

BTW do you use any Oracle software - I remember a memory leak that only occurred in the presence of a bit of Oracle software - some version of the database I think?

Oracle? Like Java? Yes, I use Java. The DB I use is PostgreSQL. Wouldn’t touch any Oracle DBs…

Weird… Killswitch won’t start. Crashes after “Starting…” without notification. I did use it previously on this system though.

Btw, after crossing the 4 GB, the usage dropped by about 3.9 GB, but private (reserved) memory is still 4+ GB. And both are rising :slight_smile:

Sorry about this, if you have a dump file please report it as a separate bug.

You should be able to use Process Hacker instead: http://processhacker.sourceforge.net/

Don’t think it affected Java. Not sure about PostgreSQL - does it share drivers with Oracle at all?

Ok. Restarted the system and now waiting for memory usage to grow.
What info do you need? Without debug symbols the available info will be limited though.

Please follow the instructions in the link quoted below:

You should end up with proof of the leak and an indication of the function etc.

What I have done:

  1. I could start the Killswitch. It still crashed, not at start but after 15-20 sec. So I could deactivate the guarding service.
  2. I followed the instructions and after another restart attached WinDbg to the cmdagent.exe process.
  3. While WinDbg was attached (for several hours) CIS seemed to be frozen (at least the GUI part). No issues with Internet were noticed. The memory usage was frozen also, not even little fluctuations.
  4. I closed the WinDbg. The CIS reactivated and showed me a dialog (about Internet access for a program) which should have been shown a little time ago, I think.
  5. The memory usage began to rise slowly.

I will give it some time and reattach WinDbg again and take a look at the heap.
Btw, since I don’t have the debug symbols, I don’t think it’ll show me what function is causing it. But I’ll post whatever I get :slight_smile:

I guess I got something:

  1. “!heap -stat -h” includes lots of heap stacks, but I think this is the one we’re looking for, since it has got lots of used blocks:

    Allocations statistics for
     heap @ 0000000008dd0000
    group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    f8 26cea - 25982b0  (71.86)
    5c 23123 - c9a894  (24.09)
    58 1d5d - a17f8  (1.21)
    6e 172e - 9f5c4  (1.19)
    138 30b - 3b568  (0.44)
    66 4f4 - 1f938  (0.24)
    9c 2db - 1bd74  (0.21)
    150 11a - 17220  (0.17)
    fa00 1 - fa00  (0.12)
    8a 1bf - f0f6  (0.11)
    2c8 36 - 9630  (0.07)
    10f8 5 - 54d8  (0.04)
    32d8 1 - 32d8  (0.02)
    1000 3 - 3000  (0.02)
    72 4c - 21d8  (0.02)
    201a 1 - 201a  (0.01)
    ae 20 - 15c0  (0.01)
    800 2 - 1000  (0.01)
    300 5 - f00  (0.01)
    180 a - f00  (0.01)

  2. “!heap -flt s f8” gives an uncountable number of:

  0000000015e0bfa0 0013 0013  [07]   0000000015e0bfb0    000f8 - (busy)
    ? cmdstat!DllInstall+19b9c0

and “!heap -flt s 5c”


  0000000016210540 0009 0009  [07]   0000000016210550    0005c - (busy)
    ? cmdstat!DllInstall+264718

  3. Call stack is not available, since no debug symbols are available, I guess. “!heap -p -a 0000000015e0bfb0”:

    address 0000000015e0bfb0 found in
    _HEAP @ 8dd0000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        0000000015e0bfa0 0013 0000  [07]   0000000015e0bfb0    000f8 - (busy)
          ? cmdstat!DllInstall+19b9c0

Anything else?
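
The triage done by hand in the post above can be scripted. This is an added example, not part of the original thread or of any Comodo tooling: it parses the first rows of the quoted `!heap -stat -h` table, checks that size × blocks equals the reported total, and lists the `!heap -flt s` follow-up commands for the dominant sizes. The function names and the 10% threshold are assumptions made for the example.

```python
import re

# First rows of the "!heap -stat -h" output quoted in the post above.
HEAP_STAT = """\
    size     #blocks     total     ( %) (percent of total busy bytes)
    f8 26cea - 25982b0  (71.86)
    5c 23123 - c9a894  (24.09)
    58 1d5d - a17f8  (1.21)
    6e 172e - 9f5c4  (1.19)
    138 30b - 3b568  (0.44)
"""

# size, #blocks and total are hexadecimal; the percentage is decimal.
ROW = re.compile(
    r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\((\d+\.\d+)\)\s*$",
    re.IGNORECASE,
)

def parse_heap_stat(text):
    """Return one dict per data row; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        size, blocks, total = (int(m.group(i), 16) for i in (1, 2, 3))
        rows.append({
            "size": size,
            "blocks": blocks,
            "total": total,
            "percent": float(m.group(4)),
            # Sanity check on the dump itself: total should be size * blocks.
            "consistent": size * blocks == total,
        })
    return rows

def leak_suspects(rows, min_percent=10.0):
    """Rows holding at least min_percent of busy bytes (assumed threshold)."""
    hot = [r for r in rows if r["percent"] >= min_percent]
    return sorted(hot, key=lambda r: r["total"], reverse=True)

def followup_commands(rows):
    """WinDbg filters that list every busy block of each suspect size."""
    return [f"!heap -flt s {r['size']:x}" for r in rows]

if __name__ == "__main__":
    for r in leak_suspects(parse_heap_stat(HEAP_STAT)):
        print(f"{r['blocks']} blocks of {r['size']} bytes = "
              f"{r['total'] / 2**20:.1f} MiB ({r['percent']}%)")
    print(followup_commands(leak_suspects(parse_heap_stat(HEAP_STAT))))
```
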