Prior to SP4, it was very difficult or impossible to isolate the culprit kernel-mode component or Windows NT instruction that incorrectly stepped on Pool memory.
SP4 provides a built in Special Pool that you can activate by using Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Add Value name PoolTag as a type REG_DWORD. The data value can be a pool tag mask, an allocation size mask, or 0.
A pool tag mask allows you filter the pool tag ID. It may contain wildcard characters ? or *.
The pool tag mask is entered in hexadecimal, in reverse order. To monitor all pools with a pool tag ID beginning with nt, you would use *nt, which is hex 0x2A746E. To monitor all pools, use *, which is 0x2A. To monitor n??s, use s??n, which is hex 0x6E3F3F73.
To monitor all pool allocations of a specified size, enter the size in PoolTag. To monitor all 32 byte allocations, use 0x20.
The Special Pool is disabled when PoolTag is missing or set to 0x0.
Add Value name PoolTagOverruns as a type REG_DWORD. A data value of 1 will detect pool overruns. A data value of 0 detects pool underruns.
With Special Pool enabled, stepping on pool memory will generate a STOP 0x0000001E or 0x0000000A.
In many cases, the stop will show the exact instruction address that stepped on the pool. In some cases, it will help narrow down the culprit.