MikeG24

Question about Windows kernel memory pools

Hi -

I am trying to understand something about the paged and nonpaged pools.
When I run poolmon.exe I see a number representing the total amount of
memory used in the pools (Pool N: and P:).  In general these numbers match
pretty well with TaskManager or ProcExp.  Now, I would expect if I added the
total number of bytes from the "Bytes" column (doing Paged and Nonp
separately), that the number would match (within reason) the numbers
provided in the summary at the top.  However, I noticed that in many cases
these numbers are off (especially Paged) by sometimes hundreds of MB.

For example, on my system right now, if I total the bytes column of poolmon
for paged and nonpaged respectively, I get:

Paged 57198744 bytes (55858K)
NonP 25078840 bytes (24491K)

The total in the summary information shows:

InRam Krnl: 3616K    P:147112K
Pool        N:39772K   P:147756K

Can someone explain why there would be quite a difference in these numbers?  How can I account for the extra memory in the pools?

Thanks,

Mike
arnold

Paged means the memory space can be/has been swapped out and stored on disk until needed.

I'm not really sure where you are heading or am I misinterpreting your question?  Look at Paged memory management as a 500 page loose leaf binder.  When you need a page of information, you open the binder and pull the page. While you have access to 500 pages, you will often have one or two in hand.
MikeG24

ASKER


Where I am heading is this:  The kernel has two pools of memory (internal to the kernel) to act as a scratch pad for kernel mode drivers.  The nonpaged pool is for use by drivers that need to access memory at an IRQL above the page fault level (cannot page).  The paged pool is a more general pool of pageable memory, but still is limited to kernel mode access. This space is limited: for the nonpaged pool on x86, the size limit is 256MB (only 128 MB if booted with /3GB); the paged pool can be larger, around 500 MB.  This is not to be general memory that can be used in user mode.  Anyway, poolmon is a utility that can monitor this memory if pool tagging is enabled (by default it is on Windows Server 2003).  The tag provides a way of identifying which driver is using the memory within each pool.  Here is an example of the output of poolmon:

 Memory: 2086960K Avail: 1065936K  PageFlts:3984437   InRam Krnl: 3616K P:147112K
 Commit: 830804K Limit:4018620K Peak: 846376K            Pool N:39772K P:147756K

 Tag  Type     Allocs         Frees    Diff   Bytes    Per Alloc
  waR Nonp         29        29         0       0          0        
    ( Paged        23        23         0       0          0        
 8042 Nonp          4         0         4    3944        986        
 ACPI Nonp         19        19         0       0          0        
  AEC Paged         3         3         0       0          0        
 AECd Nonp          7         7         0       0          0        
 AECi Nonp          7         7         0       0          0        
 ASCC Nonp          2         0         2     432        216        
 AcdN Nonp          2         0         2    1072        536        
 AcpA Nonp        100        97         3     192         64        
 AcpB Paged        40        36         4    1664        416        
 AcpD Nonp        593       488       105   36680        349    
...
(this list goes on for about 1400 lines)

What I am asking is why the sum of the "Bytes" column for each type does not equal the corresponding total in the summary at the top.  And if I cannot attribute the memory use to one of these items listed, who else is using it?  Or is it pool memory that was in use, still considered in use, but not attributed to any driver? (orphaned?)

Does that make it more clear?
A memory leak is determined by the >>>difference (diff)<<< between allocations and frees of the memory. The memory leak can either be in the page or non-paged areas of the memory. Memory leaks are not defined as difference between paged and non-paged memory spaces. So, those will not really match up right.

If you suspect you have a memory leak, can we get the stop error or information on your Blue Screen of Death?

MikeG24

ASKER

Thanks for the info Chief.   What I am really trying to understand is how I can account for all of the memory in the kernel pools.  In the paged pool I cannot account for about 91898K (147756-55858); in the nonpaged pool I cannot account for about 15281 (39772-24491).  Where did it go?  Who is using it?  Why isn't it accounted for by something with a pool tag?
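
The reconciliation discussed in the posts above, as an added example that is not part of the original thread: a Python parser for a saved poolmon snapshot that sums the Bytes column per pool type and subtracts it from the `Pool N:` / `P:` summary. The sample text is constructed from rows quoted in the question, and the names `reconcile`, `ROW` and `SUMMARY` are assumptions of this example.

```python
import re

# Constructed sample: summary lines and a few rows copied from the question's
# excerpt (the real snapshot had about 1400 rows, so the gap computed here is
# not the asker's gap).
SNAPSHOT = """\
 Memory: 2086960K Avail: 1065936K  PageFlts:3984437   InRam Krnl: 3616K P:147112K
 Commit: 830804K Limit:4018620K Peak: 846376K            Pool N:39772K P:147756K

 Tag  Type     Allocs         Frees    Diff   Bytes    Per Alloc
  waR Nonp         29        29         0       0          0
    ( Paged        23        23         0       0          0
 8042 Nonp          4         0         4    3944        986
 AcpB Paged        40        36         4    1664        416
 AcpD Nonp        593       488       105   36680        349
"""

# Tags are up to four arbitrary characters (leading blanks, "(" ...), so the
# row is matched from the Type column rightwards instead of with str.split().
ROW = re.compile(r"^(?P<tag>.*?)\s+(?P<type>Nonp|Paged)\s+(?P<allocs>\d+)\s+"
                 r"(?P<frees>\d+)\s+(?P<diff>-?\d+)\s+(?P<bytes>\d+)\s+\d+\s*$")
SUMMARY = re.compile(r"Pool\s+N:\s*(\d+)K\s+P:\s*(\d+)K")


def reconcile(text):
    """Return (rows_parsed, per-type report) for one saved poolmon snapshot."""
    tagged = {"Nonp": 0, "Paged": 0}
    summary_kb, rows = None, 0
    for line in text.splitlines():
        m = SUMMARY.search(line)
        if m:
            summary_kb = {"Nonp": int(m.group(1)), "Paged": int(m.group(2))}
            continue
        m = ROW.match(line)
        if m:
            tagged[m.group("type")] += int(m.group("bytes"))
            rows += 1
    if summary_kb is None:
        raise ValueError("no 'Pool N:..K P:..K' summary line in snapshot")
    report = {}
    for kind, total in tagged.items():
        kb = total // 1024  # same bytes-to-K conversion as in the question
        report[kind] = {"tagged_bytes": total, "tagged_kb": kb,
                        "summary_kb": summary_kb[kind],
                        "untagged_kb": summary_kb[kind] - kb}
    return rows, report
```

Calling `reconcile()` on a full snapshot saved to a text file gives the per-type figure the asker computed by hand, and the parsed row count shows whether any tag lines were skipped.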
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.

SOLUTION

This solution is only available to members.
MikeG24

ASKER

Thanks for the responses.  It came to my attention that the version of poolmon.exe was a tad old - Windows Server 2003 support tools.  I have subsequently downloaded Support Tools for Windows 2003 SP2 and the results look much closer now (not hundreds of MB off!)

I will accept the last two comments as possible solutions, since they could help others.
MikeG24

ASKER

Thanks for the input!