RamMap "zombie" processes?

[huyz]

RamMap shows that I currently have a huge Page Table of several GBs; looking at the Processes, sorting by name, as suggested by https://superuser.com/questions/782855/why-does-my-page-table-take-up-so-much-memory/1499539#1499539 , reveals that I have thousands of sshd.exe, pwsh.exe, cmd.exe, conhost.exe, docker.exe, com.docker.cli.exe leftover processes.

Would it make sense for these to show up in ObjectExplorer too?

[zodiacon]

Yes, these would show in System/Zombie Processes (most likely)

[huyz]

Ah ok, well only a few are showing up when I'm expecting thousands. Hmm, I wonder why that is.

[zodiacon]

It's possible (although rare) that the processes are held alive because of kernel references rather than handles. Object Explorer looks for handles to processes who are "dead" as far as code execution is concerned. Also check out "Zombie threads" - these might keep zombie processes alive.

[huyz]

Yeah they're not in Zombie threads either.

I don't know enough about kernel internals to know how kernel references relate to the Page Table, but certainly these processes are preventing the Page Table from shrinking from 14GB to 50MB in my case.

[zodiacon]

Something else may be going on here. Best to generate a kernel dump and investigate.

[huyz]

This thread gives more details: https://learn.microsoft.com/en-us/archive/msdn-technet-forums/0b610346-fc53-4b39-8cfd-9737d265c3f4

This issue normally happens due to Zombie Processes. Some process does not destory the process handle to another process when it exits. That orphan process handles takes Memory and shown in the RAMMAP with 20KB Total size. Normal way to troubleshoot the issue is take a Memory Dump and analyse the dump in Windbg.

This is an age-old problem with Windows apparently.