We've discussed several areas of Memory Management in our blog since we started. Today, we're going to take a look at Pool Tags and how they can be used to identify the source of Pool Memory leaks. A pool tag is a four-byte character that is associated with a dynamically allocated chunk of pool memory. The tag is specified by a driver when it allocates the memory. The routine ExAllocatePoolWithTag is called to allocate pool memory. There are three parameters that are specified when this routine is called:
- PoolType: This specifies the type of pool memory to allocate: Paged or NonPaged pool.
- NumberOfBytes: This is self-explanatory and specifies the number of bytes to allocate for the memory request.
- Tag: This specifies the pool tag. The tag is a four-byte character as we mentioned above, and is stored (and sometimes displayed) in reverse order, known as little-endian. So if our driver made a request to allocate memory with the tag Fred, it appears as derF in a pool dump. The ASCII value of each character in the tag must be between 0 and 127. In our example, the ASCII value as seen in the registry would be 0x64657246.
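
As an added illustration (not code from the original post), the user-mode C program below relates the example tag Fred, its reversed form derF and the value 0x64657246, and enforces the 0 to 127 character range. The function names are hypothetical and nothing here calls a kernel API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack a four-character tag into the 32-bit value whose little-endian
 * bytes spell the tag. Returns 0 on success, -1 if the tag is not exactly
 * four characters or a character falls outside the range 0..127. */
int pool_tag_pack(const char *tag, uint32_t *value)
{
    if (tag == NULL || value == NULL || strlen(tag) != 4)
        return -1;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (c > 127)
            return -1;
        v |= (uint32_t)c << (8 * i);   /* first character = lowest byte */
    }
    *value = v;
    return 0;
}

/* Read the bytes from lowest to highest: little-endian memory order. */
void pool_tag_memory_order(uint32_t value, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((value >> (8 * i)) & 0xFF);
    out[4] = '\0';
}

/* Read the bytes from highest to lowest: the order of the hex digits. */
void pool_tag_hex_order(uint32_t value, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((value >> (8 * (3 - i))) & 0xFF);
    out[4] = '\0';
}

int main(void)
{
    uint32_t v;
    char mem[5], hex[5];
    if (pool_tag_pack("Fred", &v) != 0)   /* tag taken from the text above */
        return 1;
    pool_tag_memory_order(v, mem);
    pool_tag_hex_order(v, hex);
    printf("0x%08X memory=%s hex-order=%s\n", (unsigned)v, mem, hex);
    return 0;
}
```

The shifts make the result independent of the byte order of the machine the program runs on.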