I had an SE contact me about services.exe using excessive memory on some of his boxes (~130MB.) As he was worried about this (and he had a ticket), so was I. I started with the semi-handy Process Explorer from Microsoft. I’ve been spoiled by the nifty things you can do with UNIX (lsof for instance), but I couldn’t get to the bottom of what was taking up so much memory. After 90 minutes on the phone with Microsoft Platinum support, it appears that (drum roll please) the event logs were taking up the memory. We backed up and then cleared the event logs, and the memory went down to a more manageable, and expected, size (~8MB.) Apparently, the event logs are cached on startup (and kept in memory as they grow?). However, this isn’t that big of a deal as services.exe is one of the first processes that gives back memory to a memory constrained system

The support guy from Microsoft went away for a few minutes and found this out from talking to one of his peers. I’m no closer to figuring out how to troubleshoot memory processes on a deeper level. His only suggestion was to get a crash dump from the server and run windbg against it. On a Linux box, you can just run lsof, or dtrace or… well, you get the idea.