I was not yet granted administrator rights.
However, I recently ran Clamav (the antivirus) and it found:
C:\\Users\All Users\Adobe\ARM\S\4922\AdobeARM.msi: Win.Malware.Krucky-7009041-0 FOUND
It seems compatible with what I observe: machine's RAM near 90% occupation with no apparent justification. The CPU usage might be kept low so not to be noticed. But it happens that RAM occupation has the same effect.
Total memory usage will always be higher than the total usage of processes, and usually by a wide margin. The memory usage shown in the Process tab is not the full memory usage of the process but only a specific part. Full usage will often be considerably higher. There are also some substantial users of memory that are not processes, not all of which are shown in Task Manager. These include the File cache, The Non paged pool, and the resident portion of the paged pool.
When memory usage is high and there is no apparent reason it is very often caused by a driver and will appear as a unusually high value for the Paged or Non paged pool usage. This can be difficult to diagnose, particularly without admin rights.
Of course malware is always possible. sophisticated malware, and these days virtually all of it is, is fully capable of hiding itself from Task Manager and other utilities and can even manipulate the numbers shown. Compared to other things malware does this isn't even all that hard. Malware can be very difficult to locate, even for an expert.
I use GNU/Linux for more than 18 years now and I can't accept this is normal for a computer with 8 GB. Even if temporarily. I have a GNU/Linux distro in an old laptop (ASUS A5E-Q012, Pentium M with 1 GB, if I'm not mistaken) and it works much much better that this machine, when the problem occurs. So this is absolutely abnormal. A click delay can take 1 min!
I've read about operating systems reserving memory which shows as occupied but for sure they must provide them to processes when they need it.
Also, this behaviour happened with no programs running. You can't say that GlobalProtect and Traps are real "programs". They are just necessary utilities.
As for the driver hypothesis, this is a Lenovo laptop and this brand surely has drivers written to the hardware chosen to make the product? Contrarily to Linux, for which the vendors some times don't provide the technical information to allow the open source community to write drivers (and even so, they work).
As for the malware hypothesis I read somewhere that Adobe malware existed that mined crypto coins in the background. This seems highly compatible with a machine running out of 8 GB at idle.
I let the machine booted in Linux Mint with a USB pen, and running Clamav with the option to move the infected files to a specific directory (like a quarantine). This way I don't need administrator password and in principle I will have all files removed from the original location and then I can just check and delete them.
Hello hsehestedt,
I now have admin rights so here are the outputs from the commands you asked for.
After the 1st screenshot, I had to close almost all programs, otherwise I wouldn't be able to use the machine.
Screenshots in attachment:
Output of commands follows:
Thanks.Code:C:\WINDOWS\system32>wmic memorychip list full BankLabel=BANK 2 Capacity=8589934592 DataWidth=64 Description=Physical Memory DeviceLocator=ChannelB-DIMM0 FormFactor=12 HotSwappable= InstallDate= InterleaveDataDepth= InterleavePosition= Manufacturer=Hynix/Hyundai MemoryType=24 Model= Name=Physical Memory OtherIdentifyingInfo= PartNumber=HMT41GS6BFR8A-PB PositionInRow= PoweredOn= Removable= Replaceable= SerialNumber=18652424 SKU= Speed=1600 Status= Tag=Physical Memory 1 TotalWidth=64 TypeDetail=128 Version= C:\WINDOWS\system32>wmic MEMORYCHIP get banklabel, devicelocator, capacity, speed BankLabel Capacity DeviceLocator Speed BANK 2 8589934592 ChannelB-DIMM0 1600 C:\WINDOWS\system32>systeminfo |find "Available Physical Memory" Available Physical Memory: 1,373 MB
The Paged pool and Non paged pool usage values are high, particularly the latter. On my 8 GB Windows 10 system they are 300 MB and 167 MB but these can vary on different systems and over time. Not all of the Paged pool will be in RAM but typically a large part will be. There is no way to tell from Task Manager how much. All of the Non paged pool will be in RAM and that is particularly concerning. These pools are used primarily by device drivers and the kernel itself. Very little will be by processes.
As for the memory usage displayed in the process listing. This is not full process usage which will typically be considerably higher. And there are substantial users of memory that are not processes. For that reason the process list is often of limited value in diagnosing high memory usage. And there are other substantial users of memory as well.
Once you have had a malware infection you van never be 100% certain is has been completely removed. This applies even for an expert with physical access to the computer and has spent much time with it. In many cases the only way to be completely free of malware is a clean install of the OS and all applications.
Why do you have Chrome and Firefox?
Chrome loads when computer start, spy everything you do online and offline and consume a lot of resources.
My advice: Uninstall it and use Firefox.
Cortana is also another app that loads when computer start, spy everything you do. If you don't use it, disable it.
How to Disable Cortana in Windows 10 [2019 Guide] - Driver Easy
Just for comparison only...Cortana is suspended (red circle)
Quote
