

Using PoolMon to Find a Kernel-Mode Memory Leak

You can try to identify the driver that caused the memory leak in the non-paged pool. To do this, we need the Poolmon.exe console tool included in the Windows Driver Kit (WDK). Download and install the WDK for your Windows version from Microsoft. Then start Poolmon.exe (in the WDK for Windows 10, the tool is located in the C:\Program Files (x86)\Windows Kits\10\Tools\ folder).

After you have started the tool, press P. The second column will display the tags of the processes that use non-paged memory (the Nonp attribute). Then press the B key to sort the driver list by the Bytes column. In our example, you can see that most of the RAM in the non-paged pool is used by drivers with tags Nr22, ConT, and smNp.

Your task is to identify the driver file from its tag. You should check drivers for found tags using the strings.exe tool (from Sysinternals), using the built-in findstr command, or using PowerShell. Note that the driver name is now displayed in the Mapped_driver column.
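One way to do the tag lookup from PowerShell, as an added example rather than code from the original article: it searches every .sys file in the driver directory for each Poolmon tag as case-sensitive ASCII bytes and lists the vendor and signature status of each file that matches. The function name Find-PoolTagOwner and the default search directory are assumptions.

```powershell
# Added example: map pool tags reported by Poolmon to candidate driver files.
param(
    [string[]]$Tags = @('Nr22', 'ConT', 'smNp'),             # tags from the example above
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"  # assumed search location
)

# Latin-1 maps every byte to exactly one char, so a binary can be searched as a string.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

function Find-PoolTagOwner {   # hypothetical helper name
    param([string[]]$Tags, [string]$DriverDir)
    foreach ($file in Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue) {
        try {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
        } catch {
            Write-Warning "Cannot read $($file.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($tag in $Tags) {
            # Pool tags are case-sensitive, so compare ordinally.
            if ($text.IndexOf($tag, [System.StringComparison]::Ordinal) -ge 0) {
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                [pscustomobject]@{
                    Tag     = $tag
                    Driver  = $file.Name
                    Company = $file.VersionInfo.CompanyName
                    Version = $file.VersionInfo.FileVersion
                    Signed  = $sig.Status
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
    }
}

Find-PoolTagOwner -Tags $Tags -DriverDir $DriverDir |
    Sort-Object Tag, Driver |
    Format-Table -AutoSize -Wrap
```

A four-character tag can also occur by coincidence in an unrelated binary, so treat each hit as a candidate and confirm it against the driver's vendor and version before updating or removing anything.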
