Hello all,
This is a rather urgent request. I like to reveal the device driver that
owns a certain amount of paged pool with Tag ‘PcNw’. Pooltag.exe is
excellent, but I like to know who’s behind that memory. Because I have
personally no access to that system, I have to provide a program or some
simple tool to the owner of that system to find out the name of that
device driver.
Has someone an idea?
PcNw belongs to the WDM audio stack, I would assume portcls.sys.
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Christiaan
Ghijselinck
Sent: Wednesday, December 10, 2003 1:49 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Pooltag and who owns that memory
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Thank you very much, how do you know that? :-))
“Pooltag” generates the following line for that Tag:
PTAG  PAG/NON  # Allocs  # Frees  Alloc-Free      Used
PcNw  NON        362076   147236      214840  12859536
Is this a correct behaviour for a driver? Does XP manage
to “concatenate” all those released pieces together to one
big allocatable piece of memory?
But of course, there are other nervous toys playing around:
PTAG  PAG/NON  # Allocs  # Frees  Alloc-Free      Used
ObSq  PAG        124772   124772           0         0
ObSt  NON        268755   268755           0         0
----- Original Message -----
From: “Doron Holan”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, December 10, 2003 10:58 PM
Subject: [ntdev] RE: Pooltag and who owns that memory
Christiaan Ghijselinck wrote:
> Thank you very much, how do you know that? :-))
Because he can grep the source for that string. Heck, he might have
written the code that allocates the memory, too.
–
Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com
Internally we have a file which lists pooltag with owning component:)
… I think it is released in some form to the public, not sure what the
mechanism is though (flat file, help, debugger command, etc).
D
(PS I can gladly say I never went anywhere near portcls)
This posting is provided “AS IS” with no warranties, and confers no
rights
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Walter Oney
Sent: Wednesday, December 10, 2003 4:05 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: Pooltag and who owns that memory
> ----------
From: xxxxx@oneysoft.com[SMTP:xxxxx@oneysoft.com]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, December 11, 2003 1:04 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] Re: Pooltag and who owns that memory
> Christiaan Ghijselinck wrote:
> > Thank you very much, how do you know that? :-))
> Because he can grep the source for that string. Heck, he might have
> written the code that allocates the memory, too.
Source isn’t necessary. Scanning binaries in system32\drivers directory is
sufficient. On my XP es1371mp.sys and portcls.sys contain this tag.
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]
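Michal Vodicka's suggestion of scanning the binaries in system32\drivers can be handed to a system owner as a small script. The following is an added example, not code from the thread: the function names are hypothetical, and also matching the tag with the high bit of its last byte set (the PROTECTED_POOL flag) goes beyond what the post describes.

```python
import os

PROTECTED_BIT = 0x80  # high bit of the tag's last byte (PROTECTED_POOL, 0x80000000)

def tag_patterns(tag):
    """Byte patterns for a 4-character pool tag as stored in a driver image."""
    raw = tag.encode("ascii")
    if len(raw) != 4:
        raise ValueError("pool tags are exactly 4 characters")
    # Driver source writes the tag reversed ('wNcP'); the little-endian
    # immediate in the binary therefore reads in display order: b"PcNw".
    return (raw, raw[:3] + bytes([raw[3] | PROTECTED_BIT]))

def find_tag_offsets(path, tag, chunk_size=1 << 20):
    """Return sorted file offsets where the tag (plain or protected) occurs."""
    patterns = tag_patterns(tag)
    hits, tail, base = set(), b"", 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            start = base - len(tail)  # file offset of buf[0]
            for pat in patterns:
                pos = buf.find(pat)
                while pos != -1:
                    hits.add(start + pos)
                    pos = buf.find(pat, pos + 1)
            tail = buf[-3:]  # keep 3 bytes so a tag split across chunks is found
            base += len(chunk)
    return sorted(hits)

def scan_drivers(directory, tag):
    """Map each *.sys file name in directory to the offsets of the tag."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.lower().endswith(".sys") and os.path.isfile(full):
            offsets = find_tag_offsets(full, tag)
            if offsets:
                results[name] = offsets
    return results

if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    drivers = os.path.join(windir, "System32", "drivers")
    for name, offs in scan_drivers(drivers, "PcNw").items():
        print(name, [hex(o) for o in offs])
```

A hit only shows that the four tag bytes occur in the image, so each reported driver is a candidate owner, as with the two files found above.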
The debugger and the newer DDKs come with a Pooltag.txt file where you
can get this info. Running !poolused in the debugger will also tell you.
-scott
–
Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
There was POOLTAG.TXT in some WinDbg distros.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Doron Holan”
To: “Windows System Software Devs Interest List”
Sent: Thursday, December 11, 2003 3:26 AM
Subject: [ntdev] Re: Pooltag and who owns that memory
Thanks, but this is of little help. There are more ‘question marks’ than anything else.
----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Sunday, December 14, 2003 1:36 AM
Subject: [ntdev] Re: Pooltag and who owns that memory
An easy way to find out who owns a given tag is to load up the NTOSKRNL
symbols and set _PoolHitTag to the tag of interest. The kernel will then do
an INT 3 whenever it allocates or frees with that tag. And then you’ll see
the call stack and know who “owns” it!
Or see http://osronline.com/article.cfm?id=269
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
Sent: Sunday, December 14, 2003 9:16 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: Pooltag and who owns that memory
Problem is that the !poolused does not always work. For one, it does not
appear to work with special pools, and it also appears to require some kind
of gflags enabling to work.
“Bryan Burgin” wrote in message news:xxxxx@ntdev…
Or see http://osronline.com/article.cfm?id=269
Yes, set the bit 0x400 in GFLAGS.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Del Fredricks”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, December 15, 2003 10:06 PM
Subject: [ntdev] Re: Pooltag and who owns that memory