An Introduction to Pool Tags

We’ve discussed several areas of Memory Management in our blog since we started.  Today, we’re going to take a look at Pool Tags and how they can be used to identify the source of Pool Memory leaks.  A pool tag is a four-byte character that is associated with a dynamically allocated chunk of pool memory.  The tag is specified by a driver when it allocates the memory.  The routine ExAllocatePoolWithTag is called to allocate pool memory.  There are three parameters that are specified when this routine is called:

• PoolType:  This specifies the type of pool memory to allocate – Paged or NonPaged pool.
• NumberofBytes:  This is self-explanatory and specifies the number of bytes to allocate for the memory request
• Tag:  This specifies the pool tag.  The tag is a four-byte character as we mentioned above, and is stored (and sometimes displayed) in reverse order – known as little-endian.  So if our driver made a request to allocate memory with the tag “Fred”, it appears as “derF” in a pool dump.  The ASCII value of each character in the tag must be between 0 and 127 – so in our example, the ASCII value as seen in the registry would be 0x64657246.

The key to pool tags, is that they should be unique such that one driver can be distinguished from another on the system.  Also, the driver writer determines how many tags that a driver uses.  A small driver may have a single tag, whereas a more complex driver may use a different tag for each type of allocation.  Having multiple pool tags in a large driver is especially helpful when using the Special Pool option of Driver Verifier because we reduce the risk that the memory allocations using a specific tag will deplete the special pool.

So how can you figure out which tag belongs to which driver?  There is a file (Pooltag.txt) that lists the pool tags used for pool allocations by kernel-mode components and drivers supplied with Windows.  The Pooltag.txt file is installed as part of the Debugging Tools for Windows in the Triage subfolder where you installed the Debugging Tools as well as with the Windows DDK.  An excerpt from the Pooltag.txt is below:

8042 - i8042prt.sys - PS/2 kb and mouse
AdSv - vmsrvc.sys   - Virtual Machines Additions Service
ARPC - atmarpc.sys  - ATM ARP Client
ATMU - atmuni.sys   - ATM UNI Call Manager
ACPI - acpi.sys     - ACPI
Afd? - afd.sys      - AFD objects
AfdA - afd.sys      - Afd EA buffer

So what happens if the tag that you are looking for is not listed in Pooltag.txt?  You can use the findstr command in all versions of Windows.  Change to the %systemroot%\system32\drivers folder at a command prompt and then run the findstr /m /l <tag> *.sys command.  In the example below, I am looking for the driver that uses the CPnp tag:

If the driver is not in the drivers folder, you can also search the Program Files folder, the entire System Drive, or any other location that you specify.

Pretty straightforward, right?  In our next post, Aaron Maxwell will be covering how to find out how to determine who is allocating the Pool Tag using Special Pool.  Until next time …

Additional Resources:

• MSDN: POOL_TYPE
• MSDN: ExAllocatePoolWithTag
• Microsoft KB177415: How to use PoolMon to troubleshoot Kernel Mode Memory Leaks
• Microsoft KB298102: How to find pool tags that are used by third-party drivers
• Windows Hardware Developer Central: Who’s Using the Pool

- CC Hameed

Share this post :