Poolused output

Greetings,

Is there a way for me to find out more about all the fileobjects that are
currently being used (open) in the system from the debugger?

Thank you in advance.

0: kd> !poolused 2
Sorting by NonPaged Pool Consumed

Pool Used:
NonPaged Paged
Tag Allocs Used Allocs Used
File 685124 114975248 0 0 File objects
FOCX 677096 32500608 0 0 File System Run Time File Object
Context structure , Binary: nt!fsrtl
FMfc 677096 32500608 0 0 FLTMGR_FILE_OBJECT_CONTEXT
structure , Binary: fltmgr.sys
FMsl 50963 10600304 0 0 STREAM_LIST_CTRL structure ,
Binary: fltmgr.sys
RDse 55138 7057664 0 0 UNKNOWN pooltag ‘RDse’, please
update pooltag.txt
Ntfr 106584 6822344 0 0 ERESOURCE , Binary: ntfs.sys
LSwi 1 2584576 0 0 initial work context
MFE0 14173 2318720 0 0 UNKNOWN pooltag ‘MFE0’, please
update pooltag.txt
MmCm 35 2298400 0 0 Calls made to
MmAllocateContiguousMemory , Binary: nt!mm
NtFs 55546 2231824 105701 15448416 StrucSup.c , Binary: ntfs.sys
Ntfn 55552 2224152 0 0 SCB_NONPAGED , Binary: ntfs.sys
ReTa 53508 2141600 0 0 Resource Extended Table
MFEm 1 2097152 0 0 UNKNOWN pooltag ‘MFEm’, please
update pooltag.txt
TCPt 37 1459344 0 0 TCP/IP network protocol , Binary:
TCP
CcSc 4367 1397440 0 0 Cache Manager Shared Cache Map ,
Binary: nt!cc
RDtn 55139 1323336 0 0 UNKNOWN pooltag ‘RDtn’, please
update pooltag.txt
RDbn 4566 1315008 0 0 UNKNOWN pooltag ‘RDbn’, please
update pooltag.txt
TPLA 256 1048576 0 0 UNKNOWN pooltag ‘TPLA’, please
update pooltag.txt
Devi 444 620376 0 0 Device objects
Thre 946 590304 0 0 Thread objects , Binary: nt!ps
Dmio 144 537472 4 312 UNKNOWN pooltag ‘Dmio’, please
update pooltag.txt
MmCa 4825 534592 0 0 Mm control areas for mapped files
, Bi

!object 0 file usually does it for you.

You may need to set some GlobalFlags first.

I’ll note that (unsurprisingly) you have a similar number of FLT_CONTEXTS.
If you get lucky with the symbols (there seems no rhyme or reason to which
command will work on any given day) you might also be able to do a
!fltkd.volumes / !fltkd.volume 10.

hth

Rod

“Kamran Tavakoli” wrote in message
news:xxxxx@ntfsd…
Greetings,

Is there a way for me to find out more about all the fileobjects that are
currently being used (open) in the system from the debugger?

Thank you in advance.

0: kd> !poolused 2
Sorting by NonPaged Pool Consumed

Pool Used:
NonPaged Paged
Tag Allocs Used Allocs Used
File 685124 114975248 0 0 File objects
FOCX 677096 32500608 0 0 File System Run Time File Object
Context structure , Binary: nt!fsrtl
FMfc 677096 32500608 0 0 FLTMGR_FILE_OBJECT_CONTEXT
structure , Binary: fltmgr.sys
FMsl 50963 10600304 0 0 STREAM_LIST_CTRL structure ,
Binary: fltmgr.sys
RDse 55138 7057664 0 0 UNKNOWN pooltag ‘RDse’, please
update pooltag.txt
Ntfr 106584 6822344 0 0 ERESOURCE , Binary: ntfs.sys
LSwi 1 2584576 0 0 initial work context
MFE0 14173 2318720 0 0 UNKNOWN pooltag ‘MFE0’, please
update pooltag.txt
MmCm 35 2298400 0 0 Calls made to
MmAllocateContiguousMemory , Binary: nt!mm
NtFs 55546 2231824 105701 15448416 StrucSup.c , Binary: ntfs.sys
Ntfn 55552 2224152 0 0 SCB_NONPAGED , Binary: ntfs.sys
ReTa 53508 2141600 0 0 Resource Extended Table
MFEm 1 2097152 0 0 UNKNOWN pooltag ‘MFEm’, please
update pooltag.txt
TCPt 37 1459344 0 0 TCP/IP network protocol , Binary:
TCP
CcSc 4367 1397440 0 0 Cache Manager Shared Cache Map ,
Binary: nt!cc
RDtn 55139 1323336 0 0 UNKNOWN pooltag ‘RDtn’, please
update pooltag.txt
RDbn 4566 1315008 0 0 UNKNOWN pooltag ‘RDbn’, please
update pooltag.txt
TPLA 256 1048576 0 0 UNKNOWN pooltag ‘TPLA’, please
update pooltag.txt
Devi 444 620376 0 0 Device objects
Thre 946 590304 0 0 Thread objects , Binary: nt!ps
Dmio 144 537472 4 312 UNKNOWN pooltag ‘Dmio’, please
update pooltag.txt
MmCa 4825 534592 0 0 Mm control areas for mapped files
, Bi