
Non-Paged Memory Pool Tags

arminl asked
Hi Experts,

Following Microsoft's leads on how to troubleshoot memory leaks in kernel drivers, I came across the poolmon.exe tool from the NT CD.

The tool helped me to pinpoint the problem in a network card driver. Great.

Now to the question: the tool lists memory usage by "pool tags". The pool tags are all up to 4 characters long, and read like "CM", "INOF", "LSwi" and such.

I am not a Windows developer, but just an admin. Now with some intuition and trial and error it is possible to link INOF to an Inoculan Virus Protection product, but for the poolmon tool to be usable I need a way to match the pool tags to drivers and services.

Question: which other tools do I need to find out which pool tag points to which driver? Is there a better tool that lists the pool tags along with the drivers they belong to?

Armin Linder

Top Expert 2012
Something that might help (from the docs about 'ExAllocatePoolWithTag()' at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/k102_2omq.asp):

"Specifies a string, delimited by single quote marks, with up to four characters. The string is usually specified in reversed order.

The Tag passed to this routine is more readable if its bytes are reversed when this routine is called. For example, if a caller passes 'Fred' as a Tag, it would appear as 'derF' if pool is dumped or when tracking pool usage in the debugger."

But, the way the tags are dubbed is up to the developer, the names are arbitrary and not registered with the system...
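
The byte reversal quoted above, worked through as an added example (not code from the answer or from Microsoft's documentation); it goes one step further and searches a driver image for a tag as poolmon displays it. It assumes a little-endian machine and a compiler that packs the first character of 'Fred' into the most significant byte; `TAG4`, `tag_to_display` and `count_tag` are hypothetical names and the byte array is constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Value a compiler such as MSVC or GCC gives the constant 'abcd': first
 * character in the most significant byte. Assumption: the C standard leaves
 * multi-character constants implementation-defined. */
#define TAG4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Render a tag value the way a pool dump shows it: bytes in memory order on
 * a little-endian machine, lowest byte first. out must hold 5 bytes. */
void tag_to_display(uint32_t tag, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(tag >> (8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Count occurrences of a displayed tag (1 to 4 characters) in a driver image.
 * A tag embedded as a 32-bit immediate sits in the file in displayed order. */
size_t count_tag(const unsigned char *img, size_t len, const char *shown)
{
    size_t n = strlen(shown), hits = 0;
    if (n == 0 || n > 4 || len < n)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, shown, n) == 0)
            hits++;
    return hits;
}

int main(void)
{
    char s[5];
    tag_to_display(TAG4('F', 'r', 'e', 'd'), s);   /* caller wrote 'Fred' */
    printf("'Fred' is displayed as %s\n", s);
    tag_to_display(TAG4('d', 'e', 'r', 'F'), s);   /* caller wrote 'derF' */
    printf("'derF' is displayed as %s\n", s);
    /* Constructed sample: x86 push imm32 carrying the tag, then filler. */
    const unsigned char img[] = { 0x68, 'I', 'N', 'O', 'F', 0x6a, 0x00, 0x90 };
    printf("INOF hits: %zu\n", count_tag(img, sizeof img, "INOF"));
    return 0;
}
```

A hit only shows that the byte sequence occurs in the file, so short or common tags can match unrelated data.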


While this answer didn't quite match my needs (a tool ...) it was the best I got, and helped me to understand the tags.


