Browse by Tags


  • Blog Post: How to identify a driver that calls a Windows API leading to a pool leak on behalf of NT Kernel?

    Hello my name is Gurpreet Singh Jutla and I would like to share information on how we can trace the caller which ends up allocating “Se  ” Pool tag. When we use the Windows debugger and investigate the pool allocation and the binary associated with this pool tag, we see NT Kernel responsible for...
  • Blog Post: Windows Troubleshooting – Special Pool

    The Windows Support team has a new YouTube channel, “Windows Troubleshooting”. The first set of videos cover debugging blue screens. In this video, Bob Golding, Senior Escalation Engineer, describes how the Special Pool Windows diagnostics tool catches drivers that corrupt memory. Bob also introduces...
  • Blog Post: Understanding Pool Corruption Part 3 – Special Pool for Double Frees

    In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.   A double free of pool will cause a system to blue screen, however...
  • Blog Post: Understanding Pool Corruption Part 2 – Special Pool for Buffer Overruns

    In our previous article we discussed pool corruption that occurs when a driver writes too much data in a buffer.  In this article we will discuss how special pool can help identify the driver that writes too much data.   Pool is typically organized to allow multiple drivers to store data in...
  • Blog Post: Understanding Pool Corruption Part 1 – Buffer Overflows

    Before we can discuss pool corruption we must understand what pool is.  Pool is kernel mode memory used as a storage space for drivers.  Pool is organized in a similar way to how you might use a notepad when taking notes from a lecture or a book.  Some notes may be 1 line, others may be...
  • Blog Post: Troubleshooting Pool Leaks Part 7 – Windows Performance Toolkit

    In Part 1 of this series we identified a pool leak in non paged pool.  In Part 2 and Part 3 of this series we identified what pool tag was leaking.  In Part 5 and Part 6 we got call stacks showing the memory being allocated.  In this article we are going to discuss a tool that combines...
  • Blog Post: Troubleshooting Pool Leaks Part 6 – Driver Verifier

    In part 5 we used poolhittag to get call stacks of pool being allocated and freed.  This information is often essential to identifying the cause of a memory leak; however it is not always feasible to configure a live kernel debug to obtain this information.  Fortunately there are alternative...
  • Blog Post: Troubleshooting Pool Leaks Part 5 – PoolHitTag

    In Part 4 we narrowed the source of the leaked pool memory to the specific driver which is allocating it, and we identified where in the driver this allocation was taking place.  However, we did not capture contextual information such as the call stack leading up to this code.  Also, we didn...
  • Blog Post: Troubleshooting Pool Leaks Part 4 – Debugging Multiple Users for a Tag

    In our previous articles we discussed various techniques for identifying a pool memory leak and narrowing the scope of the leak to an individual pool tag.  Knowing the leaking pool tag is often sufficient to identify the cause of the problem and find a solution.  However, there may be a scenario...
  • Blog Post: Troubleshooting Pool Leaks Part 3 – Debugging

    In our previous articles we discussed identifying a pool leak with perfmon, and narrowing the source of the leak with poolmon. These tools are often preferred because they are easy to use, provide verbose information, and can be run on a system without forcing downtime. However, it is not...
  • Blog Post: Troubleshooting Pool Leaks Part 2 – Poolmon

    In our previous article we discussed how to identify a pool leak using perfmon.  Although it may be interesting to know that you have a pool leak, most customers are interested in identifying the cause of the leak so that it can be corrected.  In this article we will begin the process of identifying...
  • Blog Post: Troubleshooting Pool Leaks Part 1 – Perfmon

    Over the years the NTDebugging Blog has published several articles about pool memory and pool leaks.  However, we haven’t taken a comprehensive approach to understanding and troubleshooting pool memory usage.  This upcoming series of articles is going to tackle pool leaks from the basics to...
  • Blog Post: Stop 0x19 in a Large Pool Allocation

    Hello all, Scott Olson here again to share another interesting issue I recently debugged with pool corruption and found that using special pool does not work with large pool allocations (pool allocations greater than a PAGE_SIZE). Here is an example of a valid large page allocation. Notice the...
  • Blog Post: Call Stacks for Pool Allocations

    Hello, it's the Debug Ninja back again for another NtDebugging Blog article.   For as long as I can remember user mode debuggers have had an easy way to get call stacks for heap allocations.   On more recent versions of Windows this has been as simple as using gflags +ust and umdh or !heap...
  • Blog Post: Reversing in Reverse, Part 2: More Linked-List Pool Corruption

    Hello - It's Ryan again with the second installment of my list corruption walkthrough. The previous blog post is here - Reversing in Reverse: Linked-List Pool Corruption, a Complete Walkthrough (Part 1) In part one we walked through the analysis of a memory.dmp collected during a bugcheck caused by...
  • Blog Post: Reversing in Reverse: Linked-List Pool Corruption, a Complete Walkthrough (Part 1)

    My name is Ryan Mangipano (ryanman) and I am a Sr. Support Escalation Engineer at Microsoft. Today’s blog will consist of a complete walkthrough of my recent analysis of a stop 0x50 along with the steps that led me to identify that this crash was caused by pool corruption. In this particular case, I...
  • Blog Post: Smoking Gun Pool Corruption

    Hello, my name is Ron Stock and I’m an Escalation Engineer on the Microsoft Platforms Global Escalation Services Team. Today I’m going to talk about pool corruption which manifests itself in various ways. It’s usually hard to track down because the culprit is long gone when the machine crashes. Tools...
  • Blog Post: Tracking down MmSt paged pool usage

    A trend that I’ve noticed recently are cases involving paged pool depletion with high MmSt tag usage that remains after trying KB304101 (PoolUsageMaximum). These pool allocations are used by the memory manager for section object prototype PTEs. There are generally only two options when this happens...
  • Blog Post: NonPagedPool Depletion

    I recently was engaged on an issue where a server was depleting NonPagedPool over a period of a few days. Ordinarily, we would just use a tool like PoolMon to identify the offending pool tag and then find the driver that uses that pool tag using the method in this article. However, what made this...
  • Blog Post: How to Find the Owner of a Named Pipe

    This is a follow-up on the LPC hang blog. The same hang troubleshooting techniques apply to this, but when a named pipe is involved you’ll have to use a slightly different method to follow the chain from a client application to the server application. For the purpose of this exercise I’ll use the...
  • Blog Post: TalkBackVideo Understanding handle leaks and How to use !htrace to find them

    Written by Jeff Dailey. Hello, my name is Jeff Dailey, I’m an Escalation Engineer for the Global Escalation Services Platforms team. I’d like to show you how to debug and find leaking handles within your application or other process. We can do this with the !htrace command in windbg. Windbg...
  • Blog Post: Server Hangs with Event ID: 2021 and 2022

    Hi again! This is Tate from the CPR team and I’m going to show you how to debug a Server Service hang and the sometimes dreaded Event ID: 2021 and Event ID: 2022. There is much Voodoo about troubleshooting these two events but never fear, it’s possible to debug quickly given the right approach. ...
  • Blog Post: Understanding Pool Consumption and Event ID: 2020 or 2019

    Hi! My name is Tate. I’m an Escalation Engineer on the Microsoft Critical Problem Resolution Platforms Team. I wanted to share one of the most common errors we troubleshoot here on the CPR team, its root cause being pool consumption, and the methods by which we can remedy it quickly! This...