Pool Tag Definition

Whilst tracking down my build environment issue previously discussed on
this list I have found a massive Paged Pool leak in a component that is
submitting allocations with the ‘LeoC’ tag. I have searched all my local
resources and have not been able to find any info on this tag. Short of
performing a conditional breakpoint and call stack analysis, does anyone
have any info on this tag?

This raises a larger question. I searched the web for ‘pool tag’ and its
ilk but was unable to find a ‘clearing house’ of known tags. Has anyone
seen/have this info?

Thanks,
Dan


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> submitting allocations with the ‘LeoC’ tag. I have searched all my local

This is Symantec/Norton AntiVirus filter driver.

Max



> This raises a larger question. I searched the web for ‘pool tag’ and its
> ilk but was unable to find a ‘clearing house’ of known tags. Has anyone
> seen/have this info?

Yes, it is in Knowledge Base article Q121433. However, this is a
“Confidential Article”, and as such, you won’t be able to get at it, and I
can’t send it to you. (Additionally, I just checked, and it wasn’t to be
found on Google or Deja.) However, “LeoC” is not in there, but someone
already replied about that one.

Additionally, the way to track down such things is to use the NTOSKRNL
variable _PoolHitTag. If you set that ULONG to the name of the PoolTag
that you’re interested in, the kernel will do an INT 3 whenever that tag is
allocated or freed. Then you can just look at the stack and know
immediately which component is making use of it. I use this method a few
times a year to track stuff down.



Hello,

> I have searched all my local
> resources and have not been able to find any info on this tag. Short of
> performing a conditional breakpoint and call stack analysis, does anyone
> have any info on this tag?

Here is a better way - search in all binaries from the drivers directory.
Maybe you can identify the driver …

elli
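
The binary search suggested in the last reply, together with the ULONG form of a tag that the _PoolHitTag reply relies on, as an added example that is not part of the original thread. The function names are hypothetical, and the "protected" variant assumes that PROTECTED_POOL (0x80000000) sets the top bit of the fourth tag byte.

```python
import os
import tempfile

PROTECTED_BIT = 0x80  # assumption: PROTECTED_POOL sets the top bit of the 4th tag byte

def tag_patterns(tag):
    """Byte sequences a driver image may embed for this tag, in memory order."""
    raw = tag.encode("ascii")
    if len(raw) != 4:
        raise ValueError("pool tags are exactly four ASCII characters")
    return {"plain": raw, "protected": raw[:3] + bytes([raw[3] | PROTECTED_BIT])}

def tag_as_ulong(tag):
    """Little-endian ULONG value of the tag, the form a ULONG such as _PoolHitTag holds."""
    return int.from_bytes(tag_patterns(tag)["plain"], "little")

def find_offsets(data, pattern):
    """All offsets of pattern in data, including overlapping hits."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def scan_drivers(directory, tag, suffix=".sys"):
    """Map each driver file name to {variant: [offsets]} for files containing the tag."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.lower().endswith(suffix) or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # locked or unreadable file: skip it, keep sweeping
        found = {k: find_offsets(data, p) for k, p in tag_patterns(tag).items()}
        found = {k: v for k, v in found.items() if v}
        if found:
            results[name] = found
    return results

if __name__ == "__main__":
    # Constructed sample: two fake ".sys" files, not real driver images.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "filter.sys"), "wb") as f:
            f.write(b"\x68LeoC\x6a\x01" + b"\x00" * 8 + b"\x68Leo\xc3")
        with open(os.path.join(d, "other.sys"), "wb") as f:
            f.write(b"\x68Ntfs\x00")
        print(hex(tag_as_ulong("LeoC")), scan_drivers(d, "LeoC"))
```

A hit only shows that the four bytes occur in the file; short tags can match unrelated data, so the stack at the allocation remains the confirmation.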

