Poolmon commands

Trying to identify a memory leak on a Windows 2003 server. Installed Support Tools and tried PoolMon, but when starting from the command line with /switches, I get the message "unknown switch".
Jun 23, 2009 · Here is the list of pool tags that ship with Windows. The list will help you check to see what component might be having problems or being affected by an application or driver. Yong Rhee “pooltag.txt This file lists the tags used for pool allocations by kernel mode components and drivers. The file has the...

Oct 30, 2018 · Using PoolMon to Find a Kernel-Mode Memory Leak. If the methods described above did not help, you can try to find out which driver causes the memory leak in the non-paged pool using the console tool Poolmon.exe (included in Windows Driver Kit – WDK). Download and install WDK for your Windows version from the Microsoft website.

While poolmon is running, you can use the run-time commands to change the display. For example, to sort the display by number of bytes used, press b. To sort by bytes per allocation, press m. The following command starts PoolMon and displays only allocations from the nonpaged pool: poolmon /p While PoolMon is running, press p to toggle through allocations from the paged pool, the nonpaged pool, or both.
Apr 19, 2018 · To find files that (potentially) use a given pool tag, use the Search tool in Windows 2000: Click Start, point to Search, and then click For Files or Folders. In the Search for files or folders named box, type *.sys. In the Containing text box, type the pool tag you want to search for.

Just noticed you said you tried using poolmon already - so just use the specific command I provided above to get it sorted properly. You could probably also try resizing the window first before running the command if it is too small.
Poolmon Logging Instructions: Use PoolMon3VBS.zip, which allows you to capture what is consuming Paged and NonPaged pool memory. If the SRV/2019 or SRV/2020 is occurring now or we are very close to the next occurrence we should examine the handle count in Task Manager Processes tab for each process.

Haven't used Poolmon a heck of a lot, but in troubleshooting a BSOD, bugcheck 0xF4, where csrss.exe is terminating and crashing, I am finding a problem with interpreting the Tags in poolmon. There is supposed to be a localtags.txt file that, when used with the appropriate switch, should add a Mapped Driver view in the app.

4) Start poolmon from the command prompt using the following command line: poolmon -b -iToke
5) Start the .cmd file created in step 2 from the command prompt
6) Watch the amount of kernel memory used by driver tag "Toke" get ever higher, about 5-10 kB every screen update. Eventually this eats up all available memory.