The key to pool tags, is that they should be unique such that one driver can be distinguished from another on the system. Also, the driver writer determines how many tags that a driver uses. A small driver may have a single tag, whereas a more complex driver may use a different tag for each type of allocation. Having multiple pool tags in a large driver is especially helpful when using the Special Pool option of Driver Verifier because we reduce the risk that the memory allocations using a specific tag will deplete the special pool.
So how can you figure out which tag belongs to which driver? There is a file ( Pooltag.txt ) that lists the pool tags used for pool allocations by kernel-mode components and drivers supplied with Windows. The Pooltag.txt file is installed as part of the Debugging Tools for Windows in the Triage subfolder where you installed the Debugging Tools as well as with the Windows DDK. An excerpt from the Pooltag.txt is below:
So what happens if the tag that you are looking for is not listed in Pooltag.txt? You can use the findstr command in all versions of Windows. Change to the %systemroot%\system32\drivers folder at a command prompt and then run the findstr /m /l <tag> *.sys command. In the example below, I am looking for the driver that uses the CPnp tag:
If the driver is not in the drivers folder, you can also search the Program Files folder, the entire System Drive, or any other location that you specify.
Pretty straightforward, right? In our next post, Aaron Maxwell will be covering how to find out how to determine who is allocating the Pool Tag using Special Pool. Until next time …
|Share this post :|
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.