How to Use Memory Pool Monitor (Poolmon.exe) to Troubleshoot Kernel Mode Memory Leaks (177415)


The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server, Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q177415
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes how to use the Memory Pool Monitor utility, Poolmon.exe, as a troubleshooting tool to monitor memory tags. Poolmon displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools, and the memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag. This information can be used by Microsoft Technical Support to find kernel mode memory leaks.

A memory leak is caused by an application or by a process that allocates memory for use, but does not free it up when finished. The result is that available memory is completely used over time, often causing the system to stop functioning properly.

MORE INFORMATION

The first section that follows describes how to enable tag mode for using Poolmon. The second section describes how to gather the information for troubleshooting by using Poolmon.

Enabling Tag Mode

Before running PoolMon, you must enable pool tagging and then restart your computer. The pool tagging feature collects and calculates statistics about pool memory sorted by the tag value of the memory allocation.

Note It is not necessary to enable pool tagging in Windows Server 2003 as it is enabled by default.

To enable pool tagging on a Windows NT 4.0-based, Windows 2000-based, or Windows XP-based computer, use one of the following methods:

Method 1: Edit the Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To change the registry value that enables tag mode for Poolmon.exe:
  1. Run Registry Editor.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

  3. Write down the value of GlobalFlag, or save the Session Manager key.
  4. Double-click the GlobalFlag value in the right pane.
  5. Change the value to 0x00000400 hexadecimal.

    Note When you add the global flag value 0x00000400, it only shows up as being 0x400 after it is added. It is important to add all of the leading zeros or some of the Poolmon information will not display on the output screen.
  6. Restart the computer.
Note When you are finished debugging, change the GlobalFlag value back to the original value that you were instructed to write down in step 3.

Method 2: Use the Gflags.exe Utility

You can also use the Global Flags Editor (Gflags.exe) utility to enable pool tagging. Gflags.exe is available in the Windows NT 4.0 Resource Kit and in the \Support\Tools folder of Windows 2000, Windows XP, and Windows Server 2003 CD-ROMs.

Note Because pool tagging is permanently enabled in Windows Server 2003, the Enable Pool Tagging check box in the Global Flags dialog box is dimmed and commands to enable or disable pool tagging fail.

To make the change by using Gflags.exe, follow these steps:
  1. Click Start, click Run, type gflags.exe, and then click OK.
  2. Select Enable Pool Tagging.
  3. Click Apply, and then click OK.
  4. Restart the computer.
Note When you are finished debugging, repeat the above steps to disable pool tagging.

Using Poolmon to Collect Information

PoolMon displays pool tag information within a command window. Use the arrow keys or the PAGE UP and PAGE DOWN keys to display all the tag information returned by the tool.

Poolmon.exe is available in the Windows NT 4.0 Resource Kit and in the \Support\Tools folder of Windows 2000, Windows XP, and Windows Server 2003 CD-ROMs.

Use the following steps to copy and store the tag information. Repeat these steps for two hours at 15 minute intervals. Append each update to the end of the Notepad file.
  1. Click Start, point to Settings, click Control Panel, and then double-click Console.

    Note For Windows 2000 you must perform the following steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. Right-click the title bar, and then click Properties.
  2. Click the Options tab, click QuickEdit Mode, and then click Insert Mode.
  3. Click the Layout tab, change the Screen Buffer Size value to 99, and then click OK.
  4. Click Start, point to Programs, and then click Command Prompt.
  5. Locate Poolmon.exe in the Support\Debug\platform folder on the Windows NT 4.0 CD. Change to the drive and folder where Poolmon.exe is located. On the Windows 2000 CD Poolmon.exe is in the Support.CAB file. Support.CAB is located under the \Support\Tools folder.
  6. Type Poolmon.exe.
  7. Press P until Poolmon displays the second column "type" and shows the value paged.
  8. Press B to sort the columns from largest to smallest.
  9. Select the whole screen contents, and then press ENTER.
  10. Click Start, point to Programs, point to Accessories, and then click Notepad.
  11. On the Edit menu, click Paste.
  12. Repeat step 7 to look for the value nonpaged.
  13. Repeat steps 8 - 11 to paste.
Poolmon.exe also has a few command keys that sort the output for you. Press the letter indicated below to perform the operation. It takes a few seconds for each command to work. Here is a list of a few of the commands:

P - Sorts tag list by Paged, Non-Paged, or mixed. Note that P cycles through each one.
B - Sorts tags by max byte usage.
M - Sorts tags by max byte allocation.
T - Sort tags alphabetically by tag name.
E - Display Paged, Non-paged total across bottom. Cycles through.
A - Sorts tags by allocation size.
F - Sorts tags by "frees".
S - Sorts tags by the differences of allocs and frees.
E - Display Paged, Non-paged total across bottom. Cycles through.
Q - Quit.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

298102 How to Find Pool Tags That Are Used By Third-Party Drivers

Modification Type:MinorLast Reviewed:3/17/2004
Keywords:kbhowto KB177415
©2004 Microsoft Corporation. All rights reserved.