How to Use Poolmon to Troubleshoot Kernel Mode Memory Leaks

ID: Q177415


The information in this article applies to:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article describes how to use the Windows NT 4.0 utility, Poolmon.exe, as a troubleshooting tool to monitor memory tags. This information can be used by Microsoft Technical Support to find kernel mode memory leaks.

A memory leak is caused by an application or by a process that allocates memory for use, but does not free it up when finished. The result is that available memory is completely used over time, often causing the system to stop functioning properly.


MORE INFORMATION

The first section that follows describes how to enable tag mode for using Poolmon. The second section describes how to gather the information for troubleshooting.

Enabling Tag Mode

Use the following steps to change the registry value that enables tag mode for Poolmon.exe.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

  1. Run Registry Editor (Regedt32.exe).


  2. Go to the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager


  3. Write down the value of GlobalFlag, or save the Session Manager key.


  4. Double-click the GlobalFlag value in the right pane.


  5. Change the value to 0x00000400 hex.

    NOTE: When you add the global flag value 0x00000400, it only shows up as being 0x400 after it is added. It is important to add all of the leading zeros or some of the Poolmon information will not display on the output screen.


  6. Restart the computer.


NOTE: When you are finished debugging, change the GlobalFlag value back to the original value that you were instructed to write down in step 3.

There is a utility available in the Windows NT Resource Kit to make the above change without manually editing the registry. The utility is called Gflags.exe.

To make the change using Gflags.exe:

  1. Click Start, and then click Run.


  2. Type gflags.exe, and then click OK.


  3. Click Enable Pool Tagging.


  4. Click Apply, and then click OK.


Using Poolmon to Collect Information

The Poolmon utility displays all pool tag information on the screen. Scroll down to view all of the tag information. Use the following steps to copy and store the tag information. Repeat these steps for two hours at 15-minute intervals. Append each update to the end of the Notepad file.

  1. Click Start, point to Settings, click Control Panel, and then double-click Console.


  2. Click the Options tab and select QuickEdit Mode and Insert Mode. Click the Layout tab and change the Screen Buffer Size to 99. Click OK.


  3. Click Start, point to Programs, and then click Command Prompt.


  4. You will find Poolmon.exe in the Support\Debug\<platform> folder on the Windows NT 4.0 compact disc. Change to the drive and folder where Poolmon.exe is located.


  5. Type Poolmon.exe.


  6. Press P until Poolmon comes up with the second column "type" showing the value "paged."


  7. Press B. This sorts the Bytes column from largest to smallest.


  8. Select the entire screen contents and press Enter.


  9. Click Start. Point to Programs, point to Accessories, and then click Notepad.


  10. On the Edit menu, click Paste.


  11. Repeat step 6, this time looking for the value "nonpaged."


  12. Repeat steps 7 through 10 to paste.


Poolmon.exe also has a few command keys that sort the output for you. Press the letter indicated below to perform the operation. It takes a few seconds for each command to work. Here is a list of a few of the commands:


   P - Sorts tag list by Paged, Non-Paged, or mixed.
       Note that P cycles through each one.
   B - Sorts tags by max byte usage.
   M - Sorts tags by max byte allocation.
   T - Sorts tags alphabetically by tag name.
   E - Displays Paged, Non-paged total across bottom.
       Cycles through.
   A - Sorts tags by allocation size.
   F - Sorts tags by "frees".
   S - Sorts tags by the differences of allocs and frees.
   Q - Quit. 
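
The snapshots appended to the Notepad file in the steps above can be compared tag by tag to see which tags keep growing. The following Python script is an added example, not part of the original article and not a Microsoft tool. It assumes Poolmon's row layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc, with interval deltas in parentheses), runs on constructed sample data, and uses a simple heuristic chosen for this example: a tag is flagged when its byte count never drops between snapshots and ends higher than it started.

```python
import re
from collections import defaultdict

# Assumed row layout: Tag Type Allocs (d) Frees (d) Diff Bytes (d) PerAlloc
ROW = re.compile(
    r"^\s*(?P<tag>\S{1,4})\s+(?P<type>Paged|Nonp)\s+"
    r"\d+\s*\(\s*-?\d+\)\s+\d+\s*\(\s*-?\d+\)\s+"
    r"\d+\s+(?P<bytes>\d+)\s*\(\s*-?\d+\)"
)

def parse_samples(text):
    """Return {(tag, type): [bytes, ...]} in the order the rows were pasted."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, totals and blank lines do not match and are skipped
            series[(m["tag"], m["type"])].append(int(m["bytes"]))
    return dict(series)

def leak_candidates(series, min_samples=3):
    """Tags whose byte count never drops and ends higher than it started."""
    found = []
    for (tag, pool), values in series.items():
        if len(values) < min_samples:
            continue
        never_drops = all(b >= a for a, b in zip(values, values[1:]))
        growth = values[-1] - values[0]
        if never_drops and growth > 0:
            found.append((tag, pool, values[0], values[-1], growth))
    return sorted(found, key=lambda r: r[4], reverse=True)

# Constructed sample: three pastes 15 minutes apart; tags and numbers invented.
SAMPLE_LOG = """\
 Tag  Type     Allocs            Frees            Diff   Bytes      Per Alloc
 CM   Paged     1283 (   0)      1002 (   0)      281 1377312 (     0)   4901
 Xmpl Nonp      5000 (   0)        10 (   0)     4990  638720 (     0)    128
 File Nonp     90210 (   0)     89700 (   0)      510   97920 (     0)    192
 Tag  Type     Allocs            Frees            Diff   Bytes      Per Alloc
 CM   Paged     1283 (   0)      1002 (   0)      281 1377312 (     0)   4901
 Xmpl Nonp      5120 ( 120)        10 (   0)     5110  654080 ( 15360)    128
 File Nonp     90245 (  35)     89747 (  47)      498   95616 ( -2304)    192
 Tag  Type     Allocs            Frees            Diff   Bytes      Per Alloc
 CM   Paged     1283 (   0)      1002 (   0)      281 1377312 (     0)   4901
 Xmpl Nonp      5240 ( 120)        10 (   0)     5230  669440 ( 15360)    128
 File Nonp     90290 (  45)     89775 (  28)      515   98880 (  3264)    192
"""

for row in leak_candidates(parse_samples(SAMPLE_LOG)):
    print("%-4s %-5s %d -> %d (+%d bytes)" % row)
```

To use it on real data, pass the contents of the saved Notepad file to parse_samples in place of SAMPLE_LOG.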


For more information on interpreting the information collected by Poolmon, please contact Microsoft Technical Support.

Additional query words: debugref allocs frees krnl paged nonp nonpaged non-paged pages


Keywords          : ntgeneral NTSrvWkst 
Version           : WinNT:4.0
Platform          : winnt 
Issue type        : kbhowto 

Last Reviewed: January 26, 1999