Windows 2012 R2 PoolMon


There are 3 different types of temporary storage that can be used by a driver such as

a) Kernel Stack

b) Non paged pool

c) Paged pool

Non Paged Pool: Driver routines running at elevated IRQL’s need to allocate temporary memory called as Non Paged pool. Non paged pool memory is always physically resident.

Paged Pool: Virtual memory available to the driver routines running below DISPATCH_LEVEL IRQL such as driver cleanup , driver initialization, dispatch routines and kernel mode threads.

The most common function to use is ExAllocatePool (which is obsolete) and should use ExAllocatePoolwithTag instead. At a high level ExAllocatePoolwithTag is similar to heapalloc or malloc at user mode programming. The tag is used to identify the block memory / blocks allocated by the driver. To track the pool usage using the tags, you need to enable pool tagging using gflags

Non paged pool and Paged pool memory usage can be viewed using Poolmon.exe. There are several memory debugging tools which can be used in adjacent with Poolmon such as Windbg, Perfmon etc. Poolmon.exe dynamically updates the output for every few seconds and users who are familiar with the commands still valid with Windows Server 2012 R2

P- Sorts tags list by Paged, non-paged and mixed

B- Sort tags by maximum byte usage

T – Sort tags by tag name

M – Sort tags by maximum byte allocation

E – Displays Total Non paged and paged pool allocation at the bottom of the poolmon.exe window

S – Sort tags with the difference of allocs and frees

Q – Quit

F – Sort by Free


Download the binaries by following below link and follow the instructions to download Poolmon.exe


This is straightforward, simply click poolmon.exe and run the above commands after it displays the allocations.

When To Use:

This is interesting question, Poolmon should be used in conjunction with Perfmon / Windbg to understand the issues related to system performance. Collect the data and analyse the trend before using poolmon. With the help of Perfmon, identify the nonpaged pool leaks and paged pool leaks and run the poolmon logs .

With the help of poolmon, identify which tag is consuming most bytes.

for Eg:

Tag  Type    Allocs          Frees         Diff   Bytes      Per Alloc


Test   Paged    1473 (   0)    1002 (   0)    281 1972392

ipdc  Paged   12485 (  10)    5648 (   4)   4027  40395

CM28  Paged    6662 (   8)    5571 (   6)   1691  1745

MmSt  Paged     614 (   0)     441 (   0)    173   83456

From the above example Test is consuming 1972392 bytes which is highest. Use findstr to find the driver associated with Test tag. When using Windbg debugger can use !poolused /t5 2 and then !for_each_module s -a @#Base @#End “Test” and then load module against the address ( lm <address ) to find the driver

Hope this helps !

DNS Resolution on Single NIC and Multiple IP’s

Who should read this : 

a) System Engineers

b) System Administrators

c) DNS Administrators

d) Active Directory Admins

e) Active Directory Technical Architects


Risk / Considerations: 

The changes below should be performed in the test environment and evaluate any dependent applications / hardcoded applications which are configured with the DNS and its behavior. The application behavior to be analyzed by the change includes, the DNS server response time, DNS Query forwarder and DNS Query failures.



DNS name resolution is most critical aspect of any IT infrastructure, whether it is Microsoft DNS / UNIX the protocol behavior does not change. One such scenario is discussed below between IT Manager Mark and System Engineer Shaun.


IT Manager [Mark]: Good morning Shaun, on the Windows Server 2012 R2 member server with single NIC ( Network Interface Card ) installed and multiple IP Addresses configured, i would like to control DNS name resolution based on IP Address , is that possible ?


System Engineer [Shaun]: Hi Mark, can you elaborate your question please


IT Manager [Mark]: Sure, on the Windows Server 2012 R2 member server which is also acting as DNS server, i see that there are two IP Addresses configured on single NIC

IP Address 1 [Private] =

IP Address 2 [Public] =

Any Private DNS name resolution should be resolved by and for any Public names ,the queries should be forwarded and resolved by , how do we achieve this ?


System Engineer [Shaun]: This is highly unlikely to be achieved, Mark. The reason is with single NIC, there is no way to define the binding. The closest work around is to set the DNS server address order under the NIC properties

Note: This setting should be performed for Static IP Addresses and not controlled by Group Policy

Step1 : Logon to the Windows Server 2012 R2 using Administrator account / account which has privileges to make modifications to NIC

Step2: Start –> Run –> NCPA.cpl

Step3: Navigate to Network Adapter to be configured , right click the adapter –> Properties –> Internet Protocol Version 4 –> Properties

Step4: Navigate Advance TCP/IP Settings as shown below and add the DNS Server addresses IP Address under “DNS Server addresses, in                           order to use” section as shown below



Step 5: Click Ok and close all the windows of the Network interface

Step 6: Open the command prompt and run IPConfig / flushdns and IPConfig /registerdns


DNS Server priority is determined by the order. If the first server isn’t available to respond to a host name resolution request, the next DNS server in the list is accessed, and so on. To change the position of a server in the list box, select it and then click the up or down arrow button




Am I a GC?

Am I a GC ? or DC ?

The answer is fun to find out whether a Domain Controller is Global Catalog server which has several ways to find out


Open Active Directory Users and Computers –>Right click on Domain –> select Change Domain Controller

DSA-change DC dsa-change dc2

II. ADSIEdit Output:

There are three important attribute types which are important in AD

  • System Only
  • Constructed and
  • Backlinks

Constructed attributes are most important attributes in AD which provides advance interpretation of AD operations. One such attribute is msds-isgc, this attribute identifies the state of Global Catalog Server.


III. DSQuery

Global catalog status can be viewed using DSQuery tool as shown below


IV NLTest:

Global Catalog status can be found using NLTest tool through Flags Status as shown below




One other tool to view Global catalog status is by using LDP tool. Please note that Constructed Attribute cannot be viewed using standard LDP interface instead, a search should be made to view the status of a Global Catalog Server as shown below.

ldp -isgc

Other tools include PowerShell or DS API requires DN path to search for the value.

DNS Default Server : unknown

DNS Default Server: Unknown , this is the most common message Users see when they enter nslookup. This message means the DNS server which is configured on the client is not able to resolve itself / there is no pointer record configured for the DNS server.

DNS Server Unknown

To resolve the error, DNS administrator should ensure, there is an associated PTR record registered in the zone’s reverse lookup zone and test the nslookup command which should populate the DNS server name

Windows 7 / Windows 2008 R2 I/O Subsystem Logical View

Windows I/O subsystem manages and provides interface to hardware devices for several applications and for Operating System. The design goals of Windows I/O system is to provide device abstraction ( DMA/ hardware abstraction layer/ bus drivers) for hardware and software components

Below is the logical view Windows I/O manager functions.

Windows IO function Logical diagram

Security Token Service Integration using WS Protocols


There are three documents in this download associated with interoperability for the Works with Office 365 – Identity program. First is the paper that details the agreement for STSs to Interop with Azure Active Directory using the WS-Federation and WS-Trust protocols. The second is the paper which specifies the scenarios for STS testing that Microsoft use for qualification in the Works with Office 365 – Identity program. The third is the program guide for partners for the Works with Office 365 – Identity program. This enables use of a third party Identity Provider to be used for authentication by Office 365 and other Microsoft services that use Azure Active Directory.

Download Link: