Hello,

What you see in GUI task manager is private working set, it means that only bytes in memory specific to this program are counted, no DLL's or something of that stuff. 

This is private - so only bytes in memory specific to this program and a working set - the amount of memory mapped and present in that processes address space. Even memory not present in address space may be in physical memory as on the standby list or in the file cache or being used by another program. 

Zabbix agent shows you an active whole working set: wkset - size of process working set (amount of physical memory used by process) in Kbytes. Please note, that you're requesting an average value. I offer you to switch on all memory* related columns on GUI task manager and try to find the value from Zabbix to be sure what it returns.

To continue reading you may refer to good article from Microsoft: Managing virtual memory

The values in GUI Task manager mean the following:

• Package Name: For Universal Windows Platform (UWP) apps, this displays the name of the app package the process is from. For other apps, this column is empty. UWP apps are generally distributed via the Microsoft Store.
• PID: The unique process ID number associated with that process. This is associated with the process and not the program—for example, if you close and reopen a program, the new program process will have a new process ID number.
• Status: This shows whether the process is running or suspended to save power. Windows 10 always “suspends” UWP apps you aren’t using to save system resources. You can also control whether Windows 10 suspends traditional desktop processes.
• User name: The name of the user account running the process. You will often see system user account names here, like SYSTEM and LOCAL SERVICE.
• Session ID: The unique number associated with the user session running the process. This is the same number shown for a user on the Users tab.
• Job object ID: The “job object in which the process is running.” Job objects are a way to group processes so they can be managed as a group.
• CPU: The percentage of CPU resources the process is currently using across all CPUs. If nothing else is using CPU time, Windows will show the System Idle Process using it here. In other words, if the System Idle Process is using 90% of your CPU resources, that means other processes on your system are using a combined 10%, and it was idle 90% of the time.
• CPU time: The total processor time (in seconds) used by a process since it began running. If a process closes and restarts, this will be reset. It’s a good way to spot CPU-hungry processes that may be idling at the moment.
• Cycle: The percentage of the CPU cycles the process is currently using across all CPUs. It’s unclear exactly how this is different from the CPU column, as Microsoft’s documentation doesn’t explain this. However, the numbers in this column are generally pretty similar to the CPU column, so it’s likely a similar piece of information measured differently.
• Working set (memory): The amount of physical memory the process is currently using.
• Peak working set (memory): The maximum amount of physical memory the process has used.
• Working set delta (memory): The change in working set memory from the last refresh of the data here.
• Memory (active private working set): The amount of physical memory used by the process that can’t be used by other processes. Processes frequently cache some data to make better use of your RAM, but can quickly give up that memory space if another process needs it. This column excludes data from suspended UWP processes.
• Memory (private working set): The amount of physical memory used by the process that can’t be used by other processes. This column does not exclude data from suspended UWP processes.
• Memory (shared working set): The amount of physical memory used by the process that can be used by other processes when necessary.
• Commit size: The amount of virtual memory Windows is reserving for the process.
• Paged pool: The amount of pageable kernel memory the Windows kernel or drivers are allocating for this process. The operating system can move this data to the paging file when necessary.
• NP pool: The amount of non-pageable kernel memory the Windows kernel or drivers are allocating for this process. The operating system can’t move this data to the paging file.
• Page faults: The number of page faults generated by the process since it began running. These occur when a program tries to access memory it doesn’t currently have allocated to it, and are normal.
• PF Delta: The change in the number of page faults since the last refresh.
• Base priority: The priority of the process—for example, this might be Low, Normal, or High. Windows prioritizes scheduling processes with higher priorities. System background tasks that aren’t urgent may have low priority compared to desktop program processes, for example.
• Handles: The current number of handles in the process’s object table. Handles represent system resources like files, registry keys, and threads.
• Threads: The number of active threads in a process. Each process runs one or more threads, and Windows allocates processor time to them. Threads in a process share memory.
• User objects: The number of “window manager objects” used by the process. This includes windows, menus, and cursors.
• GDI objects: The number of Graphics Device Interface objects used by the process. These are used for drawing the user interface.
• I/O reads: The number of read operations performed by the process since it started. I/O stands for Input/Output. This includes file, network, and device input/output.
• I/O writes: The number of write operations performed by the process since it started.
• I/O other: The number of non-read and non-write operations performed by the process since it started. For example, this includes control functions.
• I/O read bytes: The total number of bytes read by the process since it started.
• I/O write bytes: The total number of bytes written by the process since it started.
• I/O other bytes: The total number of bytes used in non-read and non-write I/O operations since the process started.
• Image path name: The full path to the process’s executable file.
• Command line: The exact command line the process was launched with, including the executable file and any command-line arguments.
• Operating system context: The minimum operating system the program is compatible with if any information is included in the application’s manifest file. For example, some applications might say “Windows Vista,” some “Windows 7,” and others “Windows 8.1”. Most won’t display anything in this column at all.
• Platform: Whether this is a 32-bit or 64-bit process.
• Elevated: Whether the process is running in elevated mode—in other words, with Administrator—permissions or not. You will see either “No” or “Yes” for each process.
• UAC virtualization: Whether User Account Control virtualization is enabled for the process. This virtualizes the program’s access to the registry and file system, letting programs designed for older versions of Windows run without Administrator access. Options include Enabled, Disabled, and Not Allowed—for processes that require system access.
• Description: A human-readable description of the process from its .exe file. For example, chrome.exe has the description “Google Chrome,” and explorer.exe has the description “Windows Explorer.” This is the same name displayed on the Name column in the normal Processes tab.
• Data execution prevention: Whether Data Execution Prevention (DEP) is enabled or not for the process. This is a security feature that helps protect applications from attacks.
• Enterprise context: On domains, this shows what enterprise context an app is running in. It could be in an enterprise domain context with access to enterprise resources, a “Personal” context without access to work resources, or “Exempt” for Windows system processes.
• Power throttling: Whether power throttling is enabled or disabled for a process. Windows automatically throttles certain applications when you’re not using them to save battery power. You can control which applications are throttled from the Settings app.
• GPU: The percentage of GPU resources used by the process—or, more specifically, the highest utilization across all GPU engines.
• GPU engine: The GPU engine the process is using—or, more specifically, the GPU engine the process is using the most. See the GPU information on the Performance tab for a list of GPUs and their engines. For example, even if you only have one GPU, it likely has different engines for 3D rendering, encoding video, and decoding video.
• Dedicated GPU memory: The total amount of GPU memory the process is using across all GPUs. GPUs have their own dedicated video memory that’s built-in on discrete GPUs and a reserved portion of normal system memory on onboard GPUs.
• Shared GPU memory: The total amount of system memory shared with the GPU the process is using. This refers to data stored in your system’s normal RAM that’s shared with the GPU, not data stored in your GPU’s dedicated, built-in memory.

Dmitry,

Thanks for this detail explanation. In a nutshell, I guess that Zabbix shows the amount of memory in total, both the memory that can be used by other processes and the memory that can't. And GUI task manager by default shows only the amount that can't be used by other programs.

Yes, when I checked the Working set field, it matched with the value from Zabbix.

Is there a way for Zabbix to display only Private working space? ( I suppose that it's more important to observe, since other memory can be shared with other procceses as well)

Yep, you can use indirect query via performance counters. Say you're looking for notepad.exe memory, so you can write something like 

perf_counter["\Process(notepad)\Working Set - Private"]

You can get a full list of performance counters with typeperf -qx. Just note its correct name as you may have it in Russian.

Ok, the issue may be closed for now. Thanks.