JSI Tip 7102. How do I determine a driver name from a pool tag?

In tip 7101 ยป How can I monitor my system for kernel mode memory leaks, we used Poolmon.exe to determine the pool tag of a leaking process.

To determine the driver name from a pool tag:

1. Open a CMD prompt.

2. Change to the drivers folder by typing cd /d %SystemRoot%\System32\Drivers

3. Type the following command:

findstr /m /l <pool tag> *.sys

4. If you receive multiple files, add an h to the <pool tag>. findstr /m /l hTCPt *.sys returns TCPIP.SYS.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish