this is about Windows kernel driver and memory management. I am really curious about

Question

0

Asked: May 28, 20262026-05-28T19:34:06+00:00 2026-05-28T19:34:06+00:00

this is about Windows kernel driver and memory management. I am really curious about

0

this is about Windows kernel driver and memory management.

I am really curious about if there is a function (or even any inconvinent approach) to get (or iterate) all memory allocations for a specific pool-tag ?? These are allocated using ExAllocatePoolWithTag(type, size, tag) …

There are kernel functions using a specific Pool-Tag, now i need to find all allocations made using that Tag?

I am relatively sure that this is not possible (for security reasons), but still need the confirmation about that.

Cheers,
Will

Update:
(about the WinDbg comment below)

kd> !poolfind ObFl

Scanning large pool allocation table for Tag: ObFl (fffffa8002290000 : fffffa8002350000)

Searching NonPaged pool (fffffa8001772000 : ffffffe000000000) for Tag: ObFl

… So this means we have to find a generic way to find the “pool allocation table” or the bounds of the non-paged pool (if required). Sounds promising.

Update2:
There are some ntoskrnl exports: nt!PoolBigPageTable nt!PoolBigPageTableSize nt!PoolBigPageTableHash that i need to check….

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T19:34:07+00:00

Editorial Team

2026-05-28T19:34:07+00:00Added an answer on May 28, 2026 at 7:34 pm

There’s no documented way that I am aware of that allows for this from code, however the Windows Kernel Debugger (WinDBG) will allow you to get at this.

See the docs for the !pool, !poolused, !poolfind commands.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

this is about Windows kernel driver and memory management. I am really curious about

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply