April 11, 2008
9:07 am

This post looks at pool tags and how they can be used to identify the source of pool memory leaks. A pool tag is a four-byte character value that is associated with a dynamically allocated chunk of pool memory. The tag is specified by a driver when it allocates the memory. A driver calls the routine ExAllocatePoolWithTag to allocate pool memory, and specifies three parameters in that call:

  • PoolType: This specifies the type of pool memory to allocate – Paged or NonPaged pool.
  • NumberOfBytes: This is self-explanatory and specifies the number of bytes to allocate for the memory request.
  • Tag: This specifies the pool tag. The tag is a four-byte character value, as mentioned above, and is stored (and sometimes displayed) in reverse order – known as little-endian. So if our driver made a request to allocate memory with the tag “Fred”, it appears as “derF” in a pool dump. The ASCII value of each character in the tag must be between 0 and 127 – so in our example, the ASCII value as seen in the registry would be 0x64657246.

The key to pool tags is that they should be unique, so that one driver can be distinguished from another on the system. The driver writer also determines how many tags a driver uses. A small driver may have a single tag, whereas a more complex driver may use a different tag for each type of allocation. Having multiple pool tags in a large driver is especially helpful when using the Special Pool option of Driver Verifier, because it reduces the risk that the memory allocations using a specific tag will deplete the special pool.
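The tag encoding from the Tag bullet above, as an added example that is not code from the original post. The names `tag_pack`, `tag_text`, `top_tag` and the `pool_event` record are hypothetical, the events are constructed, and the per-tag byte accounting goes beyond the post to show how a unique tag points at the driver holding leaked pool memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack a 1-4 char tag, first char in the low byte; 0 if empty, too long or > 127. */
uint32_t tag_pack(const char *s) {
    uint32_t v = 0;
    if (strlen(s) == 0 || strlen(s) > 4) return 0;
    for (size_t i = 0; s[i]; i++) {
        if ((unsigned char)s[i] > 127) return 0;
        v |= (uint32_t)(unsigned char)s[i] << (8 * i);
    }
    return v;
}

/* Render the four tag bytes; reversed != 0 reads them high byte first. */
void tag_text(uint32_t v, int reversed, char out[5]) {
    for (int i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * (reversed ? 3 - i : i))) & 0xFF);
    out[4] = '\0';
}

/* Hypothetical record: bytes > 0 is an allocation, bytes < 0 a free. */
struct pool_event { uint32_t tag; long bytes; };
/* Sum outstanding bytes per tag (up to 16 tags); return the largest holder. */
uint32_t top_tag(const struct pool_event *ev, size_t n, long *held) {
    uint32_t tags[16] = {0};
    long sums[16] = {0};
    size_t used = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < used && tags[j] != ev[i].tag) j++;
        if (j == 16) continue;              /* table full: ignore new tags */
        if (j == used) tags[used++] = ev[i].tag;
        sums[j] += ev[i].bytes;
    }
    for (size_t j = 1; j < used; j++) if (sums[j] > sums[best]) best = j;
    *held = sums[best];
    return tags[best];
}

int main(void) {
    /* Constructed events: "Fred" frees less than it allocates. */
    struct pool_event ev[] = { {tag_pack("Fred"), 4096}, {tag_pack("Barn"), 512},
        {tag_pack("Fred"), -4096}, {tag_pack("Fred"), 8192}, {tag_pack("Barn"), -512} };
    long held; char name[5];
    tag_text(top_tag(ev, 5, &held), 0, name);
    printf("%s holds %ld bytes\n", name, held);
    return 0;
}
```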
