Open it in Notepad. Search for your tag. You might see:
Tag Type Allocs Frees Diff Bytes Per Alloc Leak Nonp 1234567 1000000 234567 18765360 80 Here, tag Leak has 234,567 outstanding allocations, growing over time. PoolMon shows a tag , not a driver name. To map a tag to a driver on Windows 7: Method A: Using findstr on loaded drivers Open an elevated command prompt and run: poolmon.exe download windows 7
findstr /m /l "TagName" C:\Windows\System32\drivers\*.sys Replace TagName with the 4-character tag (e.g., Ntfs ). This searches all driver binaries for that string. Often, the tag is embedded near the driver’s allocation routines. Microsoft provides pooltag.txt – a mapping file. On a WDK-installed system, find it at: C:\WinDDK\7600.16385.1\tools\other\pooltag.txt Open it in Notepad
Navigate to where poolmon.exe lives, or add that folder to your PATH environment variable. Then type: PoolMon shows a tag , not a driver name
Ntfs - ntfs.sys - NTFS filesystem driver For stubborn tags, attach the Windows 7 kernel debugger ( kd.exe from the WDK) and use !poolused or !findpool commands. This is advanced but definitive. Part 5: Common Leaky Tags on Windows 7 (Real-World Examples) | Tag | Likely Driver | Typical Cause | |-----|---------------|----------------| | MmSt | Memory Manager | Superfetch or memory mapped file leak | | CM31 | Configuration Manager | Registry hive not being unmapped | | Thre | Kernel Threads | Driver creating threads without cleaning up | | Ntfr | NTFS Filter Drivers | Antivirus or backup filter driver | | FMfn | File System Runtime | Network redirector (e.g., WebDAV) | | Perf | Performance Counters | Faulty performance DLL |
Open it in Notepad. Search for your tag. You might see:
Tag Type Allocs Frees Diff Bytes Per Alloc Leak Nonp 1234567 1000000 234567 18765360 80 Here, tag Leak has 234,567 outstanding allocations, growing over time. PoolMon shows a tag , not a driver name. To map a tag to a driver on Windows 7: Method A: Using findstr on loaded drivers Open an elevated command prompt and run:
findstr /m /l "TagName" C:\Windows\System32\drivers\*.sys Replace TagName with the 4-character tag (e.g., Ntfs ). This searches all driver binaries for that string. Often, the tag is embedded near the driver’s allocation routines. Microsoft provides pooltag.txt – a mapping file. On a WDK-installed system, find it at: C:\WinDDK\7600.16385.1\tools\other\pooltag.txt
Navigate to where poolmon.exe lives, or add that folder to your PATH environment variable. Then type:
Ntfs - ntfs.sys - NTFS filesystem driver For stubborn tags, attach the Windows 7 kernel debugger ( kd.exe from the WDK) and use !poolused or !findpool commands. This is advanced but definitive. Part 5: Common Leaky Tags on Windows 7 (Real-World Examples) | Tag | Likely Driver | Typical Cause | |-----|---------------|----------------| | MmSt | Memory Manager | Superfetch or memory mapped file leak | | CM31 | Configuration Manager | Registry hive not being unmapped | | Thre | Kernel Threads | Driver creating threads without cleaning up | | Ntfr | NTFS Filter Drivers | Antivirus or backup filter driver | | FMfn | File System Runtime | Network redirector (e.g., WebDAV) | | Perf | Performance Counters | Faulty performance DLL |