!poolfind
The !poolfind extension finds all instances of a specific pool tag in either nonpaged or paged memory pools.
!poolfind TagString [PoolType]
!poolfind TagValue [PoolType]
Parameters
TagString
Specifies the pool tag. TagString is a case-sensitive ASCII string. The asterisk (*) can be used to represent any number of characters; the question mark (?) can be used to represent exactly one character. Unless an asterisk is used, TagString must be exactly four characters in length.
TagValue
Specifies the pool tag. TagValue must begin with "0x", even if the default radix is 16. If this parameter begins with any other value (including "0X") it will be interpreted as an ASCII tag string.
PoolType
Specifies the type of pool to be searched. The following values are permitted:
0
Specifies nonpaged memory pool. This is the default.
1
Specifies paged memory pool.
2
Specifies the special pool.
4
Specifies the session pool.
DLL
Kdexts.dll
Additional Information
For information about memory pools and pool tags, see the Windows Driver Kit (WDK) documentation and Microsoft Windows Internals, by Mark Russinovich and David Solomon.
Remarks
This command can take a significant amount of time to execute, depending on the size of pool memory that must be searched. To speed up this execution, increase the COM port speed with the CTRL+A (Toggle Baud Rate) key, or use the .cache (Set Cache Size) command to increase the cache size (to approximately 10 MB).
The pool tag is the same tag passed to the ExAllocateXxx family of routines.
Here is an example. The entire nonpaged pool is searched and then the paged pool is searched, but the command is terminated before completion (after an hour of operation):
kd> !poolfind SeSd 0
Scanning large pool allocation table for Tag: SeSd (827d1000 : 827e9000)
Searching NonPaged pool (823b1000 : 82800000) for Tag: SeSd
826fa130 size: c0 previous size: 40 (Allocated) SeSd
82712000 size: c0 previous size: 0 (Allocated) SeSd
82715940 size: a0 previous size: 60 (Allocated) SeSd
8271da30 size: c0 previous size: 10 (Allocated) SeSd
82721c00 size: 10 previous size: 30 (Free) SeSd
8272b3f0 size: 60 previous size: 30 (Allocated) SeSd
8272d770 size: 60 previous size: 40 (Allocated) SeSd
8272d7d0 size: a0 previous size: 60 (Allocated) SeSd
8272d960 size: a0 previous size: 70 (Allocated) SeSd
82736f30 size: a0 previous size: 10 (Allocated) SeSd
82763840 size: a0 previous size: 10 (Allocated) SeSd
8278b730 size: 100 previous size: 290 (Allocated) SeSd
8278b830 size: 10 previous size: 100 (Free) SeSd
82790130 size: a0 previous size: 20 (Allocated) SeSd
82799180 size: a0 previous size: 10 (Allocated) SeSd
827c00e0 size: a0 previous size: 30 (Allocated) SeSd
827c8320 size: a0 previous size: 60 (Allocated) SeSd
827ca180 size: a0 previous size: 50 (Allocated) SeSd
827ec140 size: a0 previous size: 10 (Allocated) SeSd
Searching NonPaged pool (fe7c3000 : ffbe0000) for Tag: SeSd
kd> !poolfind SeSd 1
Scanning large pool allocation table for Tag: SeSd (827d1000 : 827e9000)
Searching Paged pool (e1000000 : e4400000) for Tag: SeSd
e10000b0 size: d0 previous size: 20 (Allocated) SeSd
e1000260 size: d0 previous size: 60 (Allocated) SeSd
......
e1221dc0 size: a0 previous size: 60 (Allocated) SeSd
e1224250 size: a0 previous size: 30 (Allocated) SeSd
...terminating - searched pool to e1224000
kd>