Several users have complained on Reddit and other windows forums about memory leaks related to ntoskrnl.exe. These users have reported extensive RAM and CPU usage brought by this system file or related to it. Those with extreme cases have said that they have experienced BSODs (Blue Screen of Death) brought about by memory dumps.
This article will tell you how memory management works on Windows and what ntoskrnl.exe is and what it does. We will then give you reasons as to why ntoskrnl.exe consumes a lot of memory space and the remedy to this.
What is Ntoskrnl.exe and what does it do?
Windows 10 is a large operating system, but how does it handle memory operations so well? This can be owed to the ntoskrnl.exe memory handler. Ntoskrnl.exe (Short for Windows NT operating system kernel) otherwise known as kernel image, is a system application file that provides the kernel and executive layers of the Windows NT kernel space, and is responsible for various system services such as hardware virtualization, process and memory management, thus making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler.
That is why Ntoskrnl.exe is such a protected system file. The system protection means it will not easily get deleted or corrupted.
This is how memory management works. A task is loaded to the memory (RAM) along with the program that will execute this task. This is the fetch part. The CPU decodes it, executes the task and records the results to the memory which might later get recorded to the disk by the loaded program. The execution part will have access to several devices including GPU, CPU, Disk Space (ROM or HDD, SSD etc.), Network Devices and many more devices depending on the task being executed. When the program is closed, it is unloaded from the memory (RAM) along with the data it was processing. The space is now freed for use by other tasks.
Reasons why Ntoskrnl.exe consumes a lot of Disk Space, Memory and CPU
If ntoskrnl.exe manages memory, then why does it consume all the memory and a whole lot of CPU? Here are the known reasons as to why this occurs. Severe cases are usually caused by memory leaks caused by hardware and malware.
New Compressed Memory on Windows 10
What makes Windows 7 so fast? The answer is in the new ntoskrnl.exe feature. The excessive memory consumption was built into windows 10 unlike other operating systems. Microsoft has explained this severally to Windows users.
Following the release of Windows 10 Build 10525, Microsoft had this to say: In Windows 10, we have added a new concept in the Memory Manager called a compression store, which is an in-memory collection of compressed pages. This means that when Memory Manager feels memory pressure, it will compress unused pages instead of writing them to disk. This reduces the amount of memory used per process, allowing Windows 10 to maintain more applications in physical memory at a time. This also helps provide better responsiveness across Windows 10. The compression store lives in the System process’s working set. Since the system process holds the store in memory, its working set grows larger exactly when memory is being made available for other processes. This is visible in Task Manager and the reason the System process appears to be consuming more memory than previous releases.
The large memory use is therefore kind of something Windows 10 has been built to do but can sometimes be mistaken as a memory leak. Windows 10, sacrifices memory in exchange for speed. Instead of writing pages into your HDD, it compresses the pages on the RAM. This makes Windows 10 faster than previous versions because reading compressed data from the computer’s RAM is faster than reading it from the HDD then loading into the RAM. This had already been part of the Linux operating system before Windows adopted it. The more applications you open, the more memory will be used. This in turn means CPU usage will go up.
Bad or outdated Device Drivers
When communicating to and from devices e.g. network cards, keyboards, and graphic cards among others, ntoskrnl.exe sends and receives data via the device drivers. The received data is then written into the RAM and awaits execution.
In the case of a faulty device drivers, the drivers may continuously send data to the ntoskrnl.exe memory handler and manifest itself as a memory leak. The bad driver might also be writing data into the memory space owned by ntoskrnl.exe. This data is continuously written into the memory hence piling up and filling the RAM. This calls for more CPU usage to handle all this data. For previous versions of Windows where ntoskrnl.exe used disk space for pages, this means your disk space will fill up pretty quickly.
This issue is very common for users that have updated their operating system from windows 7 or 8.1 to windows 10. The drivers might not be compatible with windows 10, therefore causing memory leaks. The outdated “Killer Network Drivers” has been reported to be a cause of memory leaks on windows 10.
Malware and viruses
Be careful of shareware and freeware distributed online. They might intentionally embedding themselves into the ntoskrnl.exe system file or hijack the function of this file leading to memory leaks. It might also alter they registry of the executable. This means that ntoskrnl.exe does not continue to work as expected. Since malware is intended to harm your computer, it will allow streaming in of data into the RAM but not allow anything out. The virus might be also be actively writing into the memory space owned by ntoskrnl.exe. This fills up your memory and leads to lots of CPU usage. Pages saved to the HDD might fill up your storage.
When ntoskrnl.exe detects that there is too much in the memory and there is nothing more that can go in, “it panics.” In a bid to salvage the situation, it dumps the memory along with the all other windows files. The result is a Blue Screen of Death (BSOD). The same thing happens when it detected that something is continuously violating its memory space.
There might also be a sudden system shutdown because of overheating of the CPU brought on by excessive activity. In order to prevent the CPU from frying, the computer shuts down in so that it can cool.
Corrupt Ntoskrnl.exe system file
Ntoskrnl.exe is a well-protected system file that hardly crushes or gets corrupt. However, if it does get corrupt, ntoskrnl.exe will malfunction and not know what and when to write into the RAM or what and when to free the RAM space. This might lead to piling up of data and memory pages leaving the CPU working extra hard to manage this memory space. Your HDD might fill up for the same reason.
How to fix excess memory usage caused by ntoskrnl.exe in windows 10
If you are suddenly start experiencing memory leaks then you might be a victim of malware or a virus. If your memory leaks begin after a windows update or installation of a new device, it might be because of bad or outdated device drivers.
Here are some fixes to ntoskrnl.exe consuming a lot of memory space.
Repair Corrupt System Files
Download and run Reimage Plus to scan and restore corrupt and missing files from here, once done proceed with the solutions below. It is important to ensure that all system files are intact and not corrupt before proceeding with the solutions below.
Method 1: Update your drivers
It is worth to note that after updating to windows 10, graphics and network drivers might be the first bet for the cause of your memory leak. This is common in PCs using “Killer Network Drivers.” To update your drivers:
- Hold the Windows Key and Press R. Type hdwwiz.cpl and Click OK
- Go to the Drivers tab and click on “Update Drivers”
- Select the automatic option to find and install updated drivers from the internet
- Restart your PC
Method 2: Run antimalware and antispyware applications to scan your system
It is a good practice to have malware scanners on your PC. Here is one that works well and is recommended.
- Download Spybot from here or Malwarebytes from here.
- Install the software and run a scan
- Fix all arising issues
- Restart your computer
Method 3: Disable Runtime Broker
Recent discussions on Reddit strongly suggest that Runtime Broker is one system process which often consumes a large portion of CPU cycles, due to its poor memory optimization. This causes high CPU usage and memory leaks.
You can disable Runtime Broker by:
- Go to Start Menu and open the Settings app
- Open System > Notification and Actions
- Deselect the option “Show me tips about Windows” or “Get tips, tricks and suggestions as you use Windows”
- Restart your PC
- Open notepad
- Copy and paste these keys into notepad
Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimeBroker] “Start”=dword:00000003 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysMain] “DisplayName”=”Superfetch” “Start”=dword:00000003
- Go to file and then Save as
- Save it as whichever_name_you_choose.reg
- Run the file as an administrator and accept/confirm registry changes
- Restart your PC
Method 4: Changing Registry Settings
There are certain settings which in the registry which can be edited to provide better performance. In order to adjust the registry configurations:
- Press the “Windows” + “R” keys simultaneously.
- Type in “regedit” and press “enter”.
- Navigate to the following address
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Session Manager>Memory Management
- Double click on the “Clear Page File Shutdown” registry in the right pane.
- Change the “Value Data” to “1” and click on “OK“.
- Restart your computer and check to see if the issue persists.
Always keep your antimalware and antispyware up to date. Check for device drivers updates regularly. The device manufactures continuously update their driver definitions to solve issues and improve functionality. If none of the above works for you then it would be worth trying the suggested steps at system and compressed memory