Several users have complained on Reddit and other Windows forums about memory leaks associated with ntoskrnl.exe. They have reported high RAM and CPU usage caused by this system file. In extreme cases, some users have stated that they have experienced BSODs (Blue Screen of Death) due to memory dumps.
This article will explain how memory management works on Windows and define ntoskrnl.exe – its functions and operations. We will then provide reasons as to why ntoskrnl.exe consumes a significant amount of memory space and offer solutions to this problem.
What is Ntoskrnl.exe and what does it do?
Windows 10 is a large operating system, but how does it handle memory operations so well? This can be owed to the ntoskrnl.exe memory handler. Ntoskrnl.exe (Short for Windows NT operating system kernel) otherwise known as kernel image, is a system application file that provides the kernel and executive layers of the Windows NT kernel space, and is responsible for various system services such as hardware virtualization, process and memory management, thus making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler.
That is why Ntoskrnl.exe is such a protected system file. The system protection means it will not easily get deleted or corrupted.
This is how memory management operates. A task, alongside the program set to execute it, is loaded into the memory, or RAM. This constitutes the fetch part. The CPU decodes the task, executes it, and records the results back to the memory. This data may later be recorded to the disk by the executing program. During execution, the task may access various devices including the GPU, CPU, Disk Space (ROM or HDD, SSD etc.), Network Devices, and many others depending on the specific needs of the task. When the program is ultimately closed, it is unloaded from the memory along with any data it was processing. This frees up space for other tasks to utilize.
Reasons why Ntoskrnl.exe consumes a lot of Disk Space, Memory and CPU
If ntoskrnl.exe manages memory, then why does it consume all the memory and a significant amount of CPU? Here are the known reasons why this occurs. Severe cases are usually caused by memory leaks, which are due to hardware and malware.
New Compressed Memory on Windows 10
What makes Windows 7 so fast? The answer lies in the new ntoskrnl.exe feature. Excessive memory consumption was built into Windows 10, unlike other operating systems. Microsoft has explained this several times to Windows users.
Following the release of Windows 10 Build 10525, Microsoft had this to say: In Windows 10, we have added a new concept in the Memory Manager called a compression store, which is an in-memory collection of compressed pages. This means that when Memory Manager feels memory pressure, it will compress unused pages instead of writing them to disk. This reduces the amount of memory used per process, allowing Windows 10 to maintain more applications in physical memory at a time. This also helps provide better responsiveness across Windows 10. The compression store lives in the System process’s working set. Since the system process holds the store in memory, its working set grows larger exactly when memory is being made available for other processes. This is visible in Task Manager and the reason the System process appears to be consuming more memory than previous releases.
The large memory usage is therefore somewhat expected in Windows 10 since it has been designed to operate in this manner. However, it can sometimes be mistaken for a memory leak. Windows 10 sacrifices memory in exchange for speed. Instead of writing pages into your HDD, it compresses the pages on the RAM. This makes Windows 10 faster than previous versions because reading compressed data from the computer’s RAM is quicker than reading it from the HDD and then loading it into the RAM. This function was already a part of the Linux operating system before Windows adopted it. The more applications you open, the more memory is used. Consequently, this means the CPU usage will increase.
Bad or outdated Device Drivers
When communicating to and from devices e.g. network cards, keyboards, and graphic cards among others, ntoskrnl.exe sends and receives data via the device drivers. The received data is then written into the RAM and awaits execution.
In the case of faulty device drivers, the drivers may continuously send data to the ntoskrnl.exe memory handler, manifesting as a memory leak. The faulty driver might also be writing data into the memory space owned by ntoskrnl.exe. As this data is continuously written into the memory, it piles up, eventually filling the RAM. This situation demands more CPU usage to handle all the data. In previous versions of Windows, where ntoskrnl.exe used disk space for pages, this would result in your disk space filling up rather quickly.
This issue is very common for users who have updated their operating system from Windows 7 or 8.1 to Windows 10. The drivers might not be compatible with Windows 10, thereby causing memory leaks. The outdated “Killer Network Drivers” have been reported to be a cause of memory leaks on Windows 10.
Malware and viruses
Be careful of shareware and freeware distributed online. They might intentionally embed themselves into the ntoskrnl.exe system file or hijack the function of this file, leading to memory leaks. They might also alter the registry of the executable. This means that ntoskrnl.exe does not continue to work as expected. Since malware is designed to harm your computer, it will allow the streaming in of data into the RAM but not allow anything out. The virus might also be actively writing into the memory space owned by ntoskrnl.exe. This fills up your memory and leads to high CPU usage. Pages saved to the HDD might fill up your storage.
When ntoskrnl.exe detects that the memory is too full and that nothing more can fit, it “panics.” In an attempt to salvage the situation, it dumps the memory along with all other Windows files. The result is a Blue Screen of Death (BSOD). The same thing happens when it detects that something is continuously violating its memory space.
There might also be a sudden system shutdown due to the CPU overheating because of excessive activity. To prevent the CPU from frying, the computer shuts down so that it can cool off.
Corrupt Ntoskrnl.exe system file
Ntoskrnl.exe is a well-protected system file that rarely crashes or becomes corrupt. However, if it does become corrupt, ntoskrnl.exe will malfunction, not knowing what to write into the RAM, or when to do so, nor when to free up RAM space. This could lead to an accumulation of data and memory pages, causing the CPU to work extra hard to manage this memory space. For the same reason, your HDD might fill up.
How to fix excess memory usage caused by ntoskrnl.exe in windows 10
If you suddenly start experiencing memory leaks, then you might be a victim of malware or a virus. If your memory leaks begin after a Windows update or the installation of a new device, it might be because of bad or outdated device drivers.
Here are some fixes to ntoskrnl.exe consuming a lot of memory space.
Method 1: Update your drivers
It is worth noting that after updating to Windows 10, graphics and network drivers might be the primary suspects for the cause of your memory leak. This is common in PCs using ‘Killer Network Drivers.’ To update your drivers:
- Hold the Windows Key and Press R. Type hdwwiz.cpl and Click OK.
- Go to the Drivers tab and click on “Update Drivers”.
- Select the automatic option to find and install updated drivers from the internet.
- Restart your PC.
Method 2: Run antimalware and antispyware applications to scan your system
It is a good practice to have malware scanners on your PC. Here is one that works well and is recommended.
- Download Spybot from here or Malwarebytes from here.
- Install the software and run a scan.
- Fix all arising issues.
- Restart your computer.
Method 3: Disable Runtime Broker
Recent discussions on Reddit strongly suggest that Runtime Broker is a system process that often consumes a large portion of CPU cycles. This is attributed to its poor memory optimization, which subsequently causes high CPU usage and memory leaks.
You can disable Runtime Broker by:
- Go to Start Menu and open the Settings app.
- Open System > Notification and Actions.
- Deselect the option “Show me tips about Windows” or “Get tips, tricks and suggestions as you use Windows”.
- Restart your PC.
- Open notepad.
- Copy and paste these keys into notepad.
Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimeBroker] “Start”=dword:00000003 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysMain] “DisplayName”=”Superfetch” “Start”=dword:00000003
- Go to file and then Save as.
- Save it as whichever_name_you_choose.reg.
- Run the file as an administrator and accept/confirm registry changes.
- Restart your PC.
Method 4: Changing Registry Settings
There are certain settings in the registry that can be edited to provide better performance. To adjust the registry configurations:
- Press the “Windows” + “R” keys simultaneously.
- Type in “regedit” and press “enter”.
- Navigate to the following address
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Session Manager>Memory Management
- Double click on the “Clear Page File Shutdown” registry in the right pane.
- Change the “Value Data” to “1” and click on “OK“.
- Restart your computer and check to see if the issue persists.
Always keep your anti-malware and anti-spyware up to date. Regularly check for updates to your device drivers. Device manufacturers constantly update their driver definitions to resolve issues and improve functionality. If none of the above solutions work for you, it may be worth trying the suggested steps for system and compressed memory.