Finding driver for NXFS pool tag

OSR_Community_User · September 19, 2009, 10:23am

I’m experiencing a kernel memory leak, which causes my Windows XP PC to hang.
I’ve found out with Poolmon.exe that the pool tag ‘NXFS’ is leaking memory, but I’m not able to find the driver/program which is associated with this pool tag. (Text)searching my whole hard drive with Explorer doesn’t lead to any hits, and Google doesn’t deliver any hits either.

Does anyone know what driver/program uses the NXFS pool tag or has suggestions of how to find/log it?

David_R_Cattley · September 19, 2009, 11:03am

If you have not seen it, start here:

http://www.microsoft.com/whdc/driver/tips/PoolMem.mspx

and this

http://www.osronline.com/article.cfm?article=269

Then ask yourself what you have installed on your system that is non-OS
provided. Given that the tag is ‘NXFS’ I would start looking for stuff that
is related to [N]etworks and [F]ile [S]ystems and such. Do you have
something installed like ClearCase which adds a filesystem? How about NFS?

Of course that could be a red-herring too.

If you really want to know, you can set a conditional breakpoint on
ExAllocatePoolWithTag() that checks the tag value (wicked slow) or in a
running system, find an allocation with that tag using the debugger and set
an “On Access” breakpoint on the pool allocation. Chances are, when the
breakpoint hits, the call stack is going to show you activity by the owner
or a least a close associate of the owner activity.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@planet.nl
Sent: Saturday, September 19, 2009 10:21 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Finding driver for NXFS pool tag

I’m experiencing a kernel memory leak, which causes my Windows XP PC to
hang.
I’ve found out with Poolmon.exe that the pool tag ‘NXFS’ is leaking memory,
but I’m not able to find the driver/program which is associated with this
pool tag. (Text)searching my whole hard drive with Explorer doesn’t lead to
any hits, and Google doesn’t deliver any hits either.

Does anyone know what driver/program uses the NXFS pool tag or has
suggestions of how to find/log it?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Pavel_Lebedinsky · September 20, 2009, 3:48am

> If you really want to know, you can set a conditional breakpoint on

ExAllocatePoolWithTag() that checks the tag value (wicked slow) or in a
running system, find an allocation with that tag using the debugger and
set
an “On Access” breakpoint on the pool allocation. Chances are, when the
breakpoint hits, the call stack is going to show you activity by the owner
or a least a close associate of the owner activity.

Instead of a conditional breakpoint, you can also use this:

kd> ed nt!PoolHitTag ‘SFXN’

If you only have a dump or local kd (rather than a live debugger) then
searching through all loaded drivers often works:

lkd> .reload
lkd> !for_each_module s-a @#Base @#End “NXFS”

–
Pavel Lebedinsky/Windows Kernel Test
This posting is provided “AS IS” with no warranties, and confers no rights.

David_R_Cattley · September 20, 2009, 9:38am

Pavel,

Thanks! I will surely add that to my debug kit.

I assume then that nt!PoolHitTag is a ULONG32 that is compared to the tag
specified in pool allocations and on equality raises a breakpoint? Or
something like that?

Got any other tips & tricks you want to share?

Cheers,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pavel Lebedinsky
Sent: Sunday, September 20, 2009 3:48 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Finding driver for NXFS pool tag

If you really want to know, you can set a conditional breakpoint on
ExAllocatePoolWithTag() that checks the tag value (wicked slow) or in a
running system, find an allocation with that tag using the debugger and
set
an “On Access” breakpoint on the pool allocation. Chances are, when the
breakpoint hits, the call stack is going to show you activity by the owner
or a least a close associate of the owner activity.

Instead of a conditional breakpoint, you can also use this:

kd> ed nt!PoolHitTag ‘SFXN’

If you only have a dump or local kd (rather than a live debugger) then
searching through all loaded drivers often works:

lkd> .reload
lkd> !for_each_module s-a @#Base @#End “NXFS”

–
Pavel Lebedinsky/Windows Kernel Test
This posting is provided “AS IS” with no warranties, and confers no rights.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Ken_Johnson · September 20, 2009, 12:07pm

Yes, that is how it works.

S

-----Original Message-----
From: David R. Cattley
Sent: Sunday, September 20, 2009 6:37
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Finding driver for NXFS pool tag

Pavel,

Thanks! I will surely add that to my debug kit.

I assume then that nt!PoolHitTag is a ULONG32 that is compared to the tag
specified in pool allocations and on equality raises a breakpoint? Or
something like that?

Got any other tips & tricks you want to share?

Cheers,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pavel Lebedinsky
Sent: Sunday, September 20, 2009 3:48 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Finding driver for NXFS pool tag

> If you really want to know, you can set a conditional breakpoint on
> ExAllocatePoolWithTag() that checks the tag value (wicked slow) or in a
> running system, find an allocation with that tag using the debugger and
> set
> an “On Access” breakpoint on the pool allocation. Chances are, when the
> breakpoint hits, the call stack is going to show you activity by the owner
> or a least a close associate of the owner activity.

Instead of a conditional breakpoint, you can also use this:

kd> ed nt!PoolHitTag ‘SFXN’

If you only have a dump or local kd (rather than a live debugger) then
searching through all loaded drivers often works:

lkd> .reload
lkd> !for_each_module s-a @#Base @#End “NXFS”

–
Pavel Lebedinsky/Windows Kernel Test
This posting is provided “AS IS” with no warranties, and confers no rights.

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · September 20, 2009, 1:32pm

Hi David,

Thanks for your remark about searching for file system related software, this led me to ThreatFire-software I installed. Removing this software, makes the NXFS memory pool tag disappear. Reinstalling makes it appear again. So I’ve found the leak and reported it, so hopefully it will be solved.

Maxim_S_Shatskih · September 22, 2009, 8:51am

> I assume then that nt!PoolHitTag is a ULONG32 that is compared to the tag

specified in pool allocations and on equality raises a breakpoint? Or
something like that?

Exactly. Frees are IIRC also affected, though I don’t remember well, it was 1.5 year ago when I used it.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com