There are three different types of temporary storage that a driver can use:
a) Kernel Stack
b) Non paged pool
c) Paged pool
Non Paged Pool: Driver routines running at elevated IRQL (DISPATCH_LEVEL or above) must allocate their temporary memory from the non-paged pool. Non-paged pool memory is always physically resident.
Paged Pool: Virtual memory available to driver routines running below DISPATCH_LEVEL IRQL, such as driver cleanup, driver initialization, dispatch routines and kernel-mode threads.
The most commonly used function is ExAllocatePool, which is obsolete; use ExAllocatePoolWithTag instead. At a high level ExAllocatePoolWithTag is similar to HeapAlloc or malloc in user-mode programming. The tag identifies the memory blocks allocated by the driver. To track pool usage by tag, you need to enable pool tagging using gflags.
Non-paged pool and paged pool memory usage can be viewed using Poolmon.exe. Several memory debugging tools can be used alongside Poolmon, such as WinDbg and Perfmon. Poolmon.exe refreshes its output every few seconds, and the following keyboard commands are still valid on Windows Server 2012 R2:
P - Sort the tag list by paged, non-paged and mixed
B - Sort tags by maximum byte usage
T - Sort tags by tag name
M - Sort tags by maximum byte allocation
E - Display total non-paged and paged pool allocation at the bottom of the Poolmon.exe window
S - Sort tags by the difference between allocs and frees
Q - Quit
F - Sort by frees
Download the binaries from the link below and follow its instructions to obtain Poolmon.exe.
Running it is straightforward: launch poolmon.exe and press the keys listed above once it displays the allocations.
When To Use:
This is an interesting question. Poolmon should be used in conjunction with Perfmon and WinDbg to understand issues related to system performance. Collect the data and analyse the trend before using Poolmon: with the help of Perfmon, identify non-paged pool and paged pool leaks, and then capture the Poolmon logs.
With the help of Poolmon, identify which tag is consuming the most bytes.
Tag   Type    Allocs        Frees         Diff   Bytes     Per Alloc
Test  Paged    1473 (  0)   1002 (  0)     281   1972392
ipdc  Paged   12485 ( 10)   5648 (  4)    4027     40395
CM28  Paged    6662 (  8)   5571 (  6)    1691      1745
MmSt  Paged     614 (  0)    441 (  0)     173     83456
In the example above, the Test tag is consuming 1972392 bytes, which is the highest. Use findstr to find the driver associated with the Test tag. In the WinDbg debugger you can run !poolused /t5 2, then !for_each_module s -a @#Base @#End "Test", and then list the module that contains the returned address (lm a <address>) to find the driver.
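The steps above (rank tags by bytes, compare snapshots over time to spot a growing Diff, then find which driver image contains the tag) are easy to script once Poolmon output has been captured to a log. The following Python script is an added example, not part of the original post and not a Microsoft tool: it uses only the standard library, the first snapshot is built from the rows shown above, the second snapshot and the two "driver images" are constructed inline purely to illustrate a growing tag, and the module search does what findstr /m /l does (a literal byte search), so a short tag can also hit unrelated strings and should be confirmed in WinDbg as described.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class PoolRow(NamedTuple):
    tag: str
    kind: str      # Paged / Nonp / Mixed as printed by poolmon
    allocs: int
    frees: int
    diff: int      # outstanding allocations as reported in the Diff column
    bytes: int     # bytes currently held under this tag


# One poolmon row: tag, type, allocs (delta), frees (delta), diff, bytes.
# The tag is up to 4 characters and may contain spaces; trailing spaces are dropped.
ROW_RE = re.compile(
    r"^\s?(?P<tag>.{1,4}?)\s+(?P<kind>\S+)\s+"
    r"(?P<allocs>\d+)\s*\(\s*-?\d+\)\s+(?P<frees>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<diff>\d+)\s+(?P<bytes>\d+)"
)

# Constructed snapshot: the rows from the post. The Per Alloc column is absent there.
SNAPSHOT_T0 = """\
 Tag  Type    Allocs        Frees         Diff   Bytes
 Test Paged    1473 (  0)   1002 (  0)     281   1972392
 ipdc Paged   12485 ( 10)   5648 (  4)    4027     40395
 CM28 Paged    6662 (  8)   5571 (  6)    1691      1745
 MmSt Paged     614 (  0)    441 (  0)     173     83456
"""

# Constructed (invented) later snapshot: Test keeps allocating without freeing.
SNAPSHOT_T1 = """\
 Tag  Type    Allocs        Frees         Diff   Bytes
 Test Paged    1873 (  0)   1002 (  0)     871   6115448
 ipdc Paged   12900 ( 10)   6060 (  4)    4040     40520
 CM28 Paged    6700 (  8)   5610 (  6)    1690      1744
 MmSt Paged     630 (  0)    458 (  0)     172     82976
"""

# Constructed fake driver images: an MZ header, padding, then an x86
# "mov ecx, imm32" (0xB9) whose immediate is the pool tag in memory order.
DRIVER_IMAGES: Dict[str, bytes] = {
    "leaky.sys": b"MZ\x90\x00" + b"\x00" * 32 + b"\xb9Test" + b"\x00" * 16,
    "clean.sys": b"MZ\x90\x00" + b"\x00" * 32 + b"\xb9MmSt" + b"\x00" * 16,
}


def parse_poolmon(text: str) -> List[PoolRow]:
    """Parse poolmon-style rows; header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PoolRow(m["tag"], m["kind"], int(m["allocs"]),
                                int(m["frees"]), int(m["diff"]), int(m["bytes"])))
    return rows


def top_consumers(rows: List[PoolRow], n: int = 3) -> List[Tuple[str, int]]:
    """Tags holding the most bytes, i.e. what poolmon's B key sorts by."""
    ranked = sorted(rows, key=lambda r: r.bytes, reverse=True)
    return [(r.tag, r.bytes) for r in ranked[:n]]


def growing_tags(before: List[PoolRow], after: List[PoolRow]) -> List[Tuple[str, int, int]]:
    """Tags whose Diff and Bytes both rose between two snapshots, sorted by Diff
    growth. A steadily rising Diff is the trend that suggests a leak rather than
    normal allocate/free churn."""
    earlier = {r.tag: r for r in before}
    out = []
    for r in after:
        prev = earlier.get(r.tag)
        if prev is None:
            continue
        d_diff, d_bytes = r.diff - prev.diff, r.bytes - prev.bytes
        if d_diff > 0 and d_bytes > 0:
            out.append((r.tag, d_diff, d_bytes))
    return sorted(out, key=lambda t: t[1], reverse=True)


def modules_containing_tag(images: Dict[str, bytes], tag: str) -> List[str]:
    """Equivalent of 'findstr /m /l <tag> *.sys': report image names whose bytes
    contain the literal tag. Tags are written reversed in driver source ('tseT')
    so the little-endian ULONG reads as 'Test' in memory and in the code bytes."""
    needle = tag.encode("ascii")
    return sorted(name for name, data in images.items() if needle in data)


if __name__ == "__main__":
    t0, t1 = parse_poolmon(SNAPSHOT_T0), parse_poolmon(SNAPSHOT_T1)
    print("top consumers:", top_consumers(t0, 1))
    for tag, d_diff, d_bytes in growing_tags(t0, t1):
        print(f"{tag}: Diff +{d_diff}, Bytes +{d_bytes}; "
              f"candidate modules: {modules_containing_tag(DRIVER_IMAGES, tag)}")
```

On a real system you would feed the script a Poolmon log captured at two points in time and, for the module search, read the .sys files from the drivers directory instead of the constructed images; the tag match is only a lead, and the WinDbg search described above is the confirmation.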
Hope this helps !