#Thre tag in poolmon.exe windows
Windows Hardware Developer Central: Who’s Using the Pool
#Thre tag in poolmon.exe how to
Microsoft KB298102: How to find pool tags that are used by third-party drivers Microsoft KB177415: How to use PoolMon to troubleshoot Kernel Mode Memory Leaks Pretty straightforward, right? In our next post, Aaron Maxwell will be covering how to find out how to determine who is allocating the Pool Tag using Special Pool.
#Thre tag in poolmon.exe driver
If the driver is not in the drivers folder, you can also search the Program Files folder, the entire System Drive, or any other location that you specify. In the example below, I am looking for the driver that uses the CPnp tag: Change to the %systemroot%\system32\drivers folder at a command prompt and then run theĬommand. So what happens if the tag that you are looking for is not listed in Pooltag.txt? You can use theĬommand in all versions of Windows. An excerpt from theĪdSv - vmsrvc.sys - Virtual Machines Additions Service Theįile is installed as part of the Debugging Tools for Windows in the Triage subfolder where you installed the Debugging Tools as well as with the Windows DDK. ) that lists the pool tags used for pool allocations by kernel-mode components and drivers supplied with Windows. So how can you figure out which tag belongs to which driver? There is a file ( Having multiple pool tags in a large driver is especially helpful when using the Special Pool option of Driver Verifier because we reduce the risk that the memory allocations using a specific tag will deplete the special pool. A small driver may have a single tag, whereas a more complex driver may use a different tag for each type of allocation. Also, the driver writer determines how many tags that a driver uses. The key to pool tags, is that they should be unique such that one driver can be distinguished from another on the system.
The ASCII value of each character in the tag must be between 0 and 127 – so in our example, the ASCII value as seen in the registry would be
So if our driver made a request to allocate memory with the tag “ The tag is a four-byte character as we mentioned above, and is stored (and sometimes displayed) in reverse order – known as little-endian. : This is self-explanatory and specifies the number of bytes to allocate for the memory request : This specifies the type of pool memory to allocate – Paged or NonPaged pool. There are three parameters that are specified when this routine is called: The tag is specified by a driver when it allocates the memory. A pool tag is a four-byte character that is associated with a dynamically allocated chunk of pool memory.
Today, we’re going to take a look at Pool Tags and how they can be used to identify the source of Pool Memory leaks.
We’ve discussed several areas of Memory Management in our blog since we started. First published on TECHNET on Apr 11, 2008
0 kommentar(er)
